diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml
index 29dc703c515..e9a26c87a0d 100644
--- a/.ci/jobs/beats.yml
+++ b/.ci/jobs/beats.yml
@@ -17,7 +17,7 @@
discover-pr-forks-strategy: 'merge-current'
discover-pr-forks-trust: 'permission'
discover-pr-origin: 'merge-current'
- head-filter-regex: '(master|6\.[89]|7\.[x789]|7\.1\d|8\.\d+|PR-.*|v\d+\.\d+\.\d+)'
+ head-filter-regex: '(master|6\.[89]|7\.16|8\.\d+|PR-.*|v\d+\.\d+\.\d+)'
discover-tags: true
notification-context: "beats-ci"
repo: 'beats'
diff --git a/.ci/schedule-daily.groovy b/.ci/schedule-daily.groovy
index adad76cbd76..2211dec4c49 100644
--- a/.ci/schedule-daily.groovy
+++ b/.ci/schedule-daily.groovy
@@ -21,8 +21,11 @@ pipeline {
stage('Nighly beats builds') {
steps {
runBuild(quietPeriod: 0, job: 'Beats/beats/master')
- runBuild(quietPeriod: 2000, job: 'Beats/beats/7.16')
- runBuild(quietPeriod: 4000, job: 'Beats/beats/7.15')
+ // This should be `current_8` bump.getCurrentMinorReleaseFor8
+ runBuild(quietPeriod: 2000, job: 'Beats/beats/8.0')
+ // This should be `current_7` bump.getCurrentMinorReleaseFor7 or
+ // `next_minor_7` bump.getNextMinorReleaseFor7
+ runBuild(quietPeriod: 4000, job: 'Beats/beats/7.16')
}
}
}
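Review bot: The comments on the added `runBuild` lines say the job names should come from `bump.getCurrentMinorReleaseFor8` / `bump.getCurrentMinorReleaseFor7`, yet the code still hard-codes `8.0` and `7.16`, so the next release bump may leave these schedules pointing at a stale branch with nothing to flag it. Either call the helper the comment names or make the gap trackable, e.g. `// TODO: derive the branch from bump.getCurrentMinorReleaseFor8() instead of hard-coding 8.0` on the first added line and the matching wording on the `7.16` line. The identical pattern is added to `.ci/schedule-weekly.groovy` in this commit and the same remark applies there. The enclosing `pipeline` block starts outside the hunk.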
diff --git a/.ci/schedule-weekly.groovy b/.ci/schedule-weekly.groovy
index 74293ab7b9f..c2d96964575 100644
--- a/.ci/schedule-weekly.groovy
+++ b/.ci/schedule-weekly.groovy
@@ -21,8 +21,11 @@ pipeline {
stage('Weekly beats builds') {
steps {
runBuild(quietPeriod: 0, job: 'Beats/beats/master')
- runBuild(quietPeriod: 1000, job: 'Beats/beats/7.16')
- runBuild(quietPeriod: 2000, job: 'Beats/beats/7.15')
+ // This should be `current_8` bump.getCurrentMinorReleaseFor8
+ runBuild(quietPeriod: 1000, job: 'Beats/beats/8.0')
+ // This should be `current_7` bump.getCurrentMinorReleaseFor7 or
+ // `next_minor_7` bump.getNextMinorReleaseFor7
+ runBuild(quietPeriod: 2000, job: 'Beats/beats/7.16')
}
}
}
diff --git a/.mergify.yml b/.mergify.yml
index c438000f415..15ef4cd538a 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -101,10 +101,24 @@ pull_request_rules:
- files~=^\.mergify\.yml$
actions:
delete_head_branch:
+ - name: notify the backport has not been merged yet
+ conditions:
+ - -merged
+ - -closed
+ - author=mergify[bot]
+ - "#check-success>0"
+ - schedule=Mon-Mon 06:00-10:00[Europe/Paris]
+ - "#assignee>=1"
+ actions:
+ comment:
+ message: |
+ This pull request has not been merged yet. Could you please review and merge it @{{ assignee | join(', @') }}? 🙏
- name: notify the backport policy
conditions:
- -label~=^backport
- base=master
+ - -merged
+ - -closed
actions:
comment:
message: |
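Review bot: The new `notify the backport has not been merged yet` rule is gated on `"#check-success>0"`, which is satisfied as soon as one check passes even while others are failing, so assignees can be asked to merge a PR whose CI is red; if "CI is green" is the intent, add `- "#check-failure=0"` next to it (or whatever positive form the other rules in this file use, which are outside the hunk). The `schedule=Mon-Mon 06:00-10:00[Europe/Paris]` condition writes a single day as a range, which reads like a typo; if a weekly Monday reminder is meant, a comment such as `# weekly reminder, Monday morning Paris time` above the condition keeps a later reader from "fixing" it to `Mon-Fri`, and if every day was meant, `Mon-Sun` says so directly. The `pull_request_rules` sequence starts outside the hunk.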
@@ -120,6 +134,8 @@ pull_request_rules:
- name: remove-backport label
conditions:
- label~=backport-v
+ - -merged
+ - -closed
actions:
label:
remove:
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index fc952f28646..8f0348c51b1 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -3,6 +3,11 @@
:issue: https://github.com/elastic/beats/issues/
:pull: https://github.com/elastic/beats/pull/
+[[release-notes-8.0.0-beta1]]
+=== Beats version 8.0.0-beta1
+
+Changes will be described in a later RC / GA.
+
[[release-notes-8.0.0-alpha2]]
=== Beats version 8.0.0-alpha2
@@ -12,6 +17,37 @@ Changes will be described in a later alpha / beta.
=== Beats version 8.0.0-alpha1
Changes will be described in a later alpha / beta.
+[[release-notes-7.15.2]]
+=== Beats version 7.15.2
+https://github.com/elastic/beats/compare/v7.15.1...v7.15.2[View commits]
+
+==== Bugfixes
+
+*Affecting all Beats*
+
+- Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901]
+- Fix handling of float data types within processors. {issue}28279[28279] {pull}28280[28280]
+- Allow `clone3` syscall in seccomp filters. {pull}28117[28117]
+- Remove unnecessary escaping step in dashboard loading, so they can be displayed in Kibana. {pull}28395[28395]
+- Fix AWS proxy_url config from url to string type. {pull}28725[28725]
+- Fix `fingerprint` processor to give it access to the `@timestamp` field. {issue}28683[28683]
+
+*Filebeat*
+
+- Fix initialization of http client in Cloudfoundry input. {issue}28271[28271] {pull}28277[28277]
+- Fix aws-s3 input by checking if GetObject API call response content type exists. {pull}28457[28457]
+- Set `url` as a pointer in the `httpjson` template context to ensure access to all methods. {pull}28695[28695]
+- Fix `google_workspace` documentation links. {pull}28657[28657]
+
+*Metricbeat*
+
+- Divide RDS metric cpu.total.pct by 100. {pull}28456[28456]
+
+*Packetbeat*
+
+- Handle truncated DNS records more gracefully. {issue}21495[21495] {pull}28297[28297]
+- Fix data stream name for network flows when running under Elastic Agent and Fleet. {pull}28408[28408]
+
[[release-notes-7.15.1]]
=== Beats version 7.15.1
https://github.com/elastic/beats/compare/v7.15.0...v7.15.1[View commits]
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b0b60113c7c..f97755a0e02 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -27,6 +27,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- add_process_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`. {pull}28620[28620]
- add_docker_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`. {pull}28620[28620]
- Index template's default_fields setting is only populated with ECS fields. {pull}28596[28596] {issue}28215[28215]
+- Remove options `logging.files.suffix` and default to datetime endings. {pull}28927[28927]
*Auditbeat*
@@ -37,6 +38,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix handling of long file names on Windows. {issue}25334[25334] {pull}28517[28517]
- System/socket dataset: Fix uninstallation of return kprobes. {issue}28608[28608] {pull}28609[28609]
- Replace usage of deprecated `process.ppid` field with `process.parent.pid`. {pull}28620[28620]
+- Fix auditbeat tracing struct decoding. {pull}28580[28580]
*Filebeat*
@@ -61,6 +63,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- All modules: Replace usages of deprecated ECS fields `process.ppid` and `log.original` with `process.parent.pid` and `event.original`. {pull}28620[28620]
- Replace usages of `host.user.*` fields with `user.*` in `cisco`, `microsoft` and `oracle` modules. {pull}28620[28620]
- Remove `docker` input. Please use `filestream` input with `container` parser or `container` input. {pull}28817[28817]
+- Change `threatintel` module to use new `threat.*` ECS fields. {pull}29014[29014]
+- `filestream` and `log` inputs accept null (`\u0000`) as line terminator. {pull}28998[28998]
*Heartbeat*
@@ -134,15 +138,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Output errors when Kibana index pattern setup fails. {pull}20121[20121]
- Fix issue in autodiscover that kept inputs stopped after config updates. {pull}20305[20305]
- Add service resource in k8s cluster role. {pull}20546[20546]
-- Fixed documentation for commands in beats dev guide {pull}22194[22194]
- Periodic metrics in logs will now report `libbeat.output.events.active` and `beat.memstats.rss`
-- Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901]
-- Fix handling of float data types within processors. {issue}28279[28279] {pull}28280[28280]
-- Allow `clone3` syscall in seccomp filters. {pull}28117[28117]
-- Remove unnecessary escaping step in dashboard loading, so they can be displayed in Kibana. {pull}28395[28395]
- Allows disable pod events enrichment with deployment name {pull}28521[28521]
-- Fix AWS proxy_url config from url to string type. {pull}28725[28725]
- Fix `fingerprint` processor to give it access to the `@timestamp` field. {issue}28683[28683]
+- Fix the wrong beat name on monitoring and state endpoint {issue}27755[27755]
*Auditbeat*
@@ -184,10 +183,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add support for username in cisco asa security negotiation logs {pull}26975[26975]
- Relax time parsing and capture group and session type in Cisco ASA module {issue}24710[24710] {pull}28325[28325]
- Correctly track bytes read when max_bytes is exceeded. {issue}28317[28317] {pull}28352[28352]
-- Fix initialization of http client in Cloudfoundry input. {issue}28271[28271] {pull}28277[28277]
-- Fix aws-s3 input by checking if GetObject API call response content type exists. {pull}28457[28457]
-- Set `url` as a pointer in the `httpjson` template context to ensure access to all methods. {pull}28695[28695]
-- Fix `google_workspace` documentation links. {pull}28657[28657]
+- Upgrade azure-eventhub sdk reference, contains potential checkpoint fixes. {pull}28919[28919]
+- Revert usageDetails api version to 2019-01-01. {pull}28995[28995]
+- Fix in `aws-s3` input regarding provider discovery through endpoint {pull}28963[28963]
+- Fix `threatintel.misp` filters configuration. {issue}27970[27970]
*Heartbeat*
@@ -195,6 +194,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Log browser `zip_url` download failures as `warn` instead of as `info`. {pull}28440[28440]
- Properly locate base stream in fleet configs. {pull}28455[28455]
- Stop logging params values. {pull}28774[28774]
+- Remove accidentally included cups library in docker images. {pull}28853[pull]
+- Fix broken monitors with newer versions of image relying on dup3. {pull}28938[pull]
*Journalbeat*
@@ -230,19 +231,19 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Groups same timestamp metric values to one event in the app_insights metricset. {pull}20403[20403]
- `beat` module respects `basepath` config option. {pull}28162[28162]
- Fix list_docker.go {pull}28374[28374]
-- Divide RDS metric cpu.total.pct by 100. {pull}28456[28456]
- Use xpack.enabled on SM modules to write into .monitoring indices when using Metricbeat standalone {pull}28365[28365]
+- Fix in rename processor to ingest metrics for `write.iops` to proper field instead of `write_iops` in rds metricset. {pull}28960[28960]
*Packetbeat*
-- Handle truncated DNS records more gracefully. {issue}21495[21495] {pull}28297[28297]
-- Fix data stream name for network flows when running under Elastic Agent and Fleet. {pull}28408[28408]
*Winlogbeat*
- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]
- Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
- Add ECS 1.9 new users fields {pull}26509[26509]
+- Don't split hyphenated tokens {pull}28483[28483]
+- Correctly handle AccessMask if it is an integer or list of masks. {pull}29016[29016]
*Functionbeat*
@@ -282,6 +283,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Update kubernetes scheduler and controllermanager endpoints in elastic-agent-standalone-kubernetes.yaml with secure ports {pull}28675[28675]
- Add options to configure k8s client qps/burst. {pull}28151[28151]
- Update to ECS 8.0 fields. {pull}28620[28620]
+- Add http.pprof.enabled option to libbeat to allow http/pprof endpoints on the socket that libbeat creates for metrics. {issue}21965[21965]
+- Support custom analyzers in fields.yml. {issue}28540[28540] {pull}28926[28926]
*Auditbeat*
@@ -335,6 +338,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Update `aws-s3` input to connect to non AWS S3 buckets {issue}28222[28222] {pull}28234[28234]
- Sophos UTM: Support logs containing hostname in syslog header. {pull}28638[28638]
- Moving Oracle Filebeat module to GA. {pull}28754[28754]
+- Add support for '/var/log/pods/' path for add_kubernetes_metadata processor with `resource_type: pod`. {pull}28868[28868]
+- Add documentation for add_kubernetes_metadata processors `log_path` matcher. {pull}28868[28868]
+- Add support in aws-s3 input for s3 notification from SNS to SQS. {pull}28800[28800]
+- Add support in aws-s3 input for custom script parsing of s3 notifications. {pull}28946[28946]
+- Improve error handling in aws-s3 input for malformed s3 notifications. {issue}28828[28828] {pull}28946[28946]
*Heartbeat*
@@ -359,6 +367,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Added a new beta `enterprisesearch` module for Elastic Enterprise Search {pull}27549[27549]
- Preliminary AIX support {pull}27954[27954]
- Register additional name for `storage` metricset in the azure module. {pull}28447[28447]
+- Update reference to gosigar pacakge for filesystem windows fix. {pull}28909[28909]
*Packetbeat*
diff --git a/Jenkinsfile b/Jenkinsfile
index 4b809935de4..35ae38cb840 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -836,7 +836,7 @@ def archiveTestOutput(Map args = [:]) {
def fileName = 'build/system-tests-*.tar.gz' // see dev-tools/mage/target/common/package.go#PackageSystemTests method
def files = findFiles(glob: "${fileName}")
- if (files?.length() > 0) {
+ if (files?.length > 0) {
googleStorageUploadExt(
bucket: "gs://${JOB_GCS_BUCKET}/${env.JOB_NAME}-${env.BUILD_ID}",
credentialsId: "${JOB_GCS_EXT_CREDENTIALS}",
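Review bot: `files?.length > 0` is the right property for the array `findFiles` returns, but the null-safe navigation followed by a numeric comparison is an unusual shape for what is just an emptiness test; Groovy truth covers both the null and the empty-array case in one expression, `if (files) {`. That keeps the guard readable without depending on `null > 0` evaluating to false. `archiveTestOutput` continues outside the hunk.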
diff --git a/NOTICE.txt b/NOTICE.txt
index 89473d4b95f..e4d0e19c26c 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -832,11 +832,11 @@ Contents of probable licence file $GOMODCACHE/code.cloudfoundry.org/go-loggregat
--------------------------------------------------------------------------------
Dependency : github.com/Azure/azure-event-hubs-go/v3
-Version: v3.1.2
+Version: v3.3.15
Licence type (autodetected): MIT
--------------------------------------------------------------------------------
-Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.1.2/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.3.15/LICENSE:
MIT License
@@ -863,15 +863,15 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs
--------------------------------------------------------------------------------
Dependency : github.com/Azure/azure-sdk-for-go
-Version: v57.0.0+incompatible
+Version: v59.0.0+incompatible
Licence type (autodetected): MIT
--------------------------------------------------------------------------------
-Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v57.0.0+incompatible/LICENSE.txt:
+Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v59.0.0+incompatible/LICENSE.txt:
The MIT License (MIT)
-Copyright (c) 2021 Microsoft
+Copyright (c) Microsoft Corporation.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
@@ -891,6 +891,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
+
--------------------------------------------------------------------------------
Dependency : github.com/Azure/azure-storage-blob-go
Version: v0.8.0
@@ -8065,11 +8066,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-windows@v1.0
--------------------------------------------------------------------------------
Dependency : github.com/elastic/gosigar
-Version: v0.14.1
+Version: v0.14.2
Licence type (autodetected): Apache-2.0
--------------------------------------------------------------------------------
-Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.1/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.2/LICENSE:
Apache License
Version 2.0, January 2004
@@ -20039,11 +20040,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
Dependency : github.com/Azure/azure-amqp-common-go/v3
-Version: v3.0.0
+Version: v3.2.1
Licence type (autodetected): MIT
--------------------------------------------------------------------------------
-Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-amqp-common-go/v3@v3.0.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-amqp-common-go/v3@v3.2.1/LICENSE:
MIT License
@@ -20100,15 +20101,16 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-pipeline-g
--------------------------------------------------------------------------------
Dependency : github.com/Azure/go-amqp
-Version: v0.12.6
+Version: v0.16.0
Licence type (autodetected): MIT
--------------------------------------------------------------------------------
-Contents of probable licence file $GOMODCACHE/github.com/!azure/go-amqp@v0.12.6/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/!azure/go-amqp@v0.16.0/LICENSE:
MIT License
- Copyright (c) Microsoft Corporation.
+ Copyright (C) 2017 Kale Blankenship
+ Portions Copyright (C) Microsoft Corporation
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index 35cba184321..32d411d74ac 100644
--- a/README.md
+++ b/README.md
@@ -74,14 +74,6 @@ create your own Beat.
Please start by reading our [CONTRIBUTING](CONTRIBUTING.md) file.
-If you are creating a new Beat, you don't need to submit the code to this
-repository. You can simply start working in a new repository and make use of the
-libbeat packages, by following our [developer
-guide](https://www.elastic.co/guide/en/beats/libbeat/current/new-beat.html).
-After you have a working prototype, open a pull request to add your Beat to the
-list of [community
-Beats](https://github.com/elastic/beats/blob/master/libbeat/docs/communitybeats.asciidoc).
-
## Building Beats from the Source
See our [CONTRIBUTING](CONTRIBUTING.md) file for information about setting up
diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml
index 274935e571a..24bfac14414 100644
--- a/auditbeat/auditbeat.reference.yml
+++ b/auditbeat/auditbeat.reference.yml
@@ -1383,11 +1383,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. auditbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1572,6 +1567,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
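Review bot: The new `http.pprof.enabled` comment says the endpoints "may leak data" without saying what kind, which is what an operator needs to decide whether to turn it on; something like `# The pprof endpoints expose the process command line, goroutine stacks and heap/CPU profiles, so keep http.host on a loopback address when enabling this.` is more actionable. The "only enabled on localhost" recommendation also depends on `http.host`, which is configured elsewhere in this file, so naming that option explicitly ties the two settings together for the reader. If this reference file is rendered from a shared libbeat template, the wording belongs in the template so every Beat's reference config picks it up.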
diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go
index c2f87784063..b2349310abc 100644
--- a/dev-tools/mage/crossbuild.go
+++ b/dev-tools/mage/crossbuild.go
@@ -134,16 +134,37 @@ func CrossBuild(options ...CrossBuildOption) error {
opt(¶ms)
}
- // Docker is required for this target.
- if err := HaveDocker(); err != nil {
- return err
- }
-
if len(params.Platforms) == 0 {
log.Printf("Skipping cross-build of target=%v because platforms list is empty.", params.Target)
return nil
}
+ // AIX can't really be crossbuilt, due to cgo and various compiler shortcomings.
+ // If we have a singular AIX platform set, revert to a native build toolchain
+ if runtime.GOOS == "aix" {
+ for _, platform := range params.Platforms {
+ if platform.GOOS() == "aix" {
+ if len(params.Platforms) != 1 {
+ return errors.New("AIX cannot be crossbuilt with other platforms. Set PLATFORMS='aix/ppc64'")
+ } else {
+ // This is basically a short-out so we can attempt to build on AIX in a relatively generic way
+ log.Printf("Target is building for AIX, skipping normal crossbuild process")
+ args := DefaultBuildArgs()
+ args.OutputDir = filepath.Join("build", "golang-crossbuild")
+ args.Name += "-" + Platform.GOOS + "-" + Platform.Arch
+ return Build(args)
+ }
+ }
+ }
+ // If we're here, something isn't set.
+ return errors.New("Cannot crossbuild on AIX. Either run `mage build` or set PLATFORMS='aix/ppc64'")
+ }
+
+ // Docker is required for this target.
+ if err := HaveDocker(); err != nil {
+ return err
+ }
+
if CrossBuildMountModcache {
// Make sure the module dependencies are downloaded on the host,
// as they will be mounted into the container read-only.
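Review bot: In the AIX short-out the loop variable `platform` is what gets tested (`platform.GOOS() == "aix"`) but the artifact name is built from the package-level `Platform` (`args.Name += "-" + Platform.GOOS + "-" + Platform.Arch`); the two only coincide when host and target are both aix/ppc64, so naming from the value that was actually checked, e.g. `args.Name += "-" + platform.GOOS() + "-" + platform.Attributes().Arch`, keeps the output name tied to the requested platform. The whole branch is also keyed on `runtime.GOOS == "aix"`, so a non-AIX host given `PLATFORMS='aix/ppc64'` still falls through to the Docker cross-build that the comment says cannot work; if that case is meant to fail fast, the target check needs to run regardless of the host OS. Minor style: the `else` after an unconditional `return` can be dropped, and Go convention is lower-case error strings without trailing punctuation. `CrossBuild` continues outside the hunk.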
diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
index c2c454c873d..1fc5fe79e50 100644
--- a/dev-tools/mage/pkgtypes.go
+++ b/dev-tools/mage/pkgtypes.go
@@ -176,6 +176,11 @@ var OSArchNames = map[string]map[PackageType]map[string]string{
"arm64": "arm64",
},
},
+ "aix": map[PackageType]map[string]string{
+ TarGz: map[string]string{
+ "ppc64": "ppc64",
+ },
+ },
}
// getOSArchName returns the architecture name to use in a package.
diff --git a/dev-tools/mage/platforms.go b/dev-tools/mage/platforms.go
index 4be617ada83..f583ed6d02d 100644
--- a/dev-tools/mage/platforms.go
+++ b/dev-tools/mage/platforms.go
@@ -27,6 +27,7 @@ import (
// BuildPlatforms is a list of GOOS/GOARCH pairs supported by Go.
// The list originated from 'go tool dist list -json'.
var BuildPlatforms = BuildPlatformList{
+ {"aix/ppc64", CGOSupported},
{"android/386", CGOSupported},
{"android/amd64", CGOSupported},
{"android/arm", CGOSupported},
@@ -256,7 +257,6 @@ func (list BuildPlatformList) Remove(name string) BuildPlatformList {
// Select returns a new list containing the platforms that match name.
func (list BuildPlatformList) Select(name string) BuildPlatformList {
attrs := BuildPlatform{Name: name}.Attributes()
-
if attrs.Arch == "" {
// Filter by GOOS only.
return list.filter(func(bp BuildPlatform) bool {
@@ -353,8 +353,11 @@ func NewPlatformList(expr string) BuildPlatformList {
var out BuildPlatformList
if len(pe.Add) == 0 || (len(pe.Select) == 0 && len(pe.Remove) == 0) {
- // Bootstrap list with default platforms when the expression is
+ // Bootstrap list with platforms when the expression is
// exclusively adds OR exclusively selects and removes.
+ out = BuildPlatforms
+ }
+ if len(pe.Remove) > 0 || len(pe.Add) > 0 {
out = BuildPlatforms.Defaults()
}
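Review bot: The two `if` blocks now reduce to "start from the defaults when the expression adds or removes anything, otherwise start from the full list", but the first condition (`len(pe.Add) == 0 || (len(pe.Select) == 0 && len(pe.Remove) == 0)`) and its comment still describe the old "exclusively adds OR exclusively selects and removes" rule, and the second block overwrites whatever the first chose whenever it fires. A single if/else states the new rule directly and removes the dead part of the first condition. Note that `out = BuildPlatforms` aliases the package-level slice; that is harmless only if the add/remove/select steps further down build new slices instead of mutating `out` in place, which is worth confirming since those steps are outside this hunk. `NewPlatformList` starts and ends outside the hunk.
```go
	var out BuildPlatformList
	// Start from the default set only when the expression adds or removes
	// platforms; a pure select (or an empty expression) applies to the
	// full list so non-default platforms such as aix/ppc64 can be selected.
	if len(pe.Remove) > 0 || len(pe.Add) > 0 {
		out = BuildPlatforms.Defaults()
	} else {
		out = BuildPlatforms
	}
	// … unchanged: select / remove handling …
```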
@@ -375,7 +378,6 @@ func NewPlatformList(expr string) BuildPlatformList {
}
out = selected
}
-
for _, name := range pe.Remove {
if name == "defaults" {
for _, defaultBP := range all.Defaults() {
diff --git a/dev-tools/mage/pytest.go b/dev-tools/mage/pytest.go
index fa0e57dc3bc..d4b8dd3fcee 100644
--- a/dev-tools/mage/pytest.go
+++ b/dev-tools/mage/pytest.go
@@ -41,7 +41,8 @@ import (
// to point to somewhere on C:\.
const (
- libbeatRequirements = "{{ elastic_beats_dir}}/libbeat/tests/system/requirements.txt"
+ libbeatRequirements = "{{ elastic_beats_dir}}/libbeat/tests/system/requirements.txt"
+ aixLibbeatRequirements = "{{ elastic_beats_dir}}/libbeat/tests/system/requirements_aix.txt"
)
var (
@@ -199,11 +200,12 @@ func PythonVirtualenv() (string, error) {
pythonVirtualenvLock.Lock()
defer pythonVirtualenvLock.Unlock()
- // When upgrading pip we might run into an error with the cryptography package
- // (pip dependency) will not compile if no recent rust development environment is available.
- // We set `CRYPTOGRAPHY_DONT_BUILD_RUST=1`, to disable the need for python.
- // See: https://github.com/pyca/cryptography/issues/5771
- os.Setenv("CRYPTOGRAPHY_DONT_BUILD_RUST", "1")
+ // Certain docker requirements simply won't build on AIX
+ // Skipping them here will obviously break the components that require docker-compose,
+ // But at least the components that don't require it will still run
+ if runtime.GOOS == "aix" {
+ VirtualenvReqs[0] = aixLibbeatRequirements
+ }
// Determine the location of the virtualenv.
ve, err := pythonVirtualenvPath()
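Review bot: `VirtualenvReqs[0] = aixLibbeatRequirements` relies on the libbeat requirements file sitting at index 0 of a package-level slice declared outside this hunk, and it rewrites that slice for the life of the process, so a later reorder of `VirtualenvReqs` would silently swap the wrong file; matching by value (replace every entry equal to `libbeatRequirements` with `aixLibbeatRequirements`, ideally in a local copy used for the venv setup below) is self-describing and leaves the global untouched. The `CRYPTOGRAPHY_DONT_BUILD_RUST=1` workaround is removed without a replacement or a note on why it is no longer needed; if the pip `cryptography` build issue it referenced is resolved, a one-line comment saying so would save the next reader from restoring it. `PythonVirtualenv` continues outside the hunk.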
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index 938075fbb81..4978d4ffb4d 100644
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -712,6 +712,11 @@ specs:
spec:
<<: *docker_spec
+ - os: aix
+ types: [tgz]
+ spec:
+ <<: *binary_spec
+
# Elastic Beat with Apache License (OSS) and binary taken the current
# directory.
elastic_beat_oss:
@@ -758,6 +763,13 @@ specs:
<<: *apache_license_for_binaries
name: '{{.BeatName}}-oss'
+ - os: aix
+ types: [tgz]
+ spec:
+ <<: *binary_spec
+ <<: *apache_license_for_binaries
+ name: '{{.BeatName}}-oss'
+
# Elastic Beat with Elastic License and binary taken the current directory.
elastic_beat_xpack:
###
@@ -827,6 +839,12 @@ specs:
<<: *elastic_docker_spec
<<: *elastic_license_for_binaries
+ - os: aix
+ types: [tgz]
+ spec:
+ <<: *binary_spec
+ <<: *elastic_license_for_binaries
+
# Elastic Beat with Elastic License and binary taken the current directory.
elastic_beat_xpack_reduced:
###
@@ -850,6 +868,12 @@ specs:
<<: *binary_spec
<<: *elastic_license_for_binaries
+ - os: aix
+ types: [tgz]
+ spec:
+ <<: *binary_spec
+ <<: *elastic_license_for_binaries
+
# Elastic Beat with Elastic License and binary taken from the x-pack dir.
elastic_beat_xpack_separate_binaries:
###
@@ -947,6 +971,15 @@ specs:
'{{.BeatName}}{{.BinaryExt}}':
source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+ - os: aix
+ types: [tgz]
+ spec:
+ <<: *binary_spec
+ <<: *elastic_license_for_binaries
+ files:
+ '{{.BeatName}}{{.BinaryExt}}':
+ source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
# Elastic Beat with Elastic License and binary taken from the x-pack dir.
elastic_beat_agent_binaries:
###
@@ -1105,6 +1138,17 @@ specs:
'{{.BeatName}}{{.BinaryExt}}':
source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+ - os: aix
+ types: [tgz]
+ spec:
+ <<: *agent_binary_spec
+ <<: *elastic_license_for_binaries
+ files:
+ '{{.BeatName}}{{.BinaryExt}}':
+ source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}
+ symlink: true
+ mode: 0755
+
# Elastic Beat with Elastic License and binary taken from the x-pack dir.
elastic_beat_agent_demo_binaries:
@@ -1130,3 +1174,12 @@ specs:
files:
'{{.BeatName}}{{.BinaryExt}}':
source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
+ - os: aix
+ types: [tgz]
+ spec:
+ <<: *agent_binary_spec
+ <<: *elastic_license_for_binaries
+ files:
+ '{{.BeatName}}{{.BinaryExt}}':
+ source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
\ No newline at end of file
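Review bot: The last added `aix` entry leaves `packages.yml` without a trailing newline (`\ No newline at end of file`), which yamllint flags and which turns the next append into a two-line diff; end the file with exactly one newline. The same `os: aix` / `types: [tgz]` / `<<: *binary_spec` stanza is added almost verbatim under six specs in this commit (the hunks at `@@ -712`, `@@ -758`, `@@ -827`, `@@ -850`, `@@ -947` and `@@ -1105`); since the file already composes specs with anchors and merge keys, an `&aix_tgz_spec` anchor defined once alongside the existing ones would keep the copies from drifting, provided the packaging loader expands an alias that itself contains merge keys (not verifiable from this hunk). The `specs` mapping starts outside the hunk.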
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 614062c3f02..38f7934a9d7 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -57,8 +57,8 @@ RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \
{{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }}
RUN for iter in {1..10}; do \
- yum -y install atk cups gtk gdk xrandr pango libXcomposite libXcursor libXdamage \
- libXext libXi libXtst cups-libs libXScrnSaver libXrandr GConf2 \
+ yum -y install atk gtk gdk xrandr pango libXcomposite libXcursor libXdamage \
+ libXext libXi libXtst libXScrnSaver libXrandr GConf2 \
alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \
xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \
yum clean all && \
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
index ae3e4cf9100..91a636f50b0 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
@@ -38,8 +38,8 @@ RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \
yum -y update $YUM_FLAGS \
{{- if (eq .BeatName "heartbeat") }}
&& yum -y install epel-release \
- && yum -y install atk cups gtk gdk xrandr pango libXcomposite libXcursor libXdamage \
- libXext libXi libXtst cups-libs libXScrnSaver libXrandr GConf2 \
+ && yum -y install atk gtk gdk xrandr pango libXcomposite libXcursor libXdamage \
+ libXext libXi libXtst libXScrnSaver libXrandr GConf2 \
alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \
xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \
{{- end }}
diff --git a/docs/devguide/fields-yml.asciidoc b/docs/devguide/fields-yml.asciidoc
index caaca6624bb..87197fc2fe9 100644
--- a/docs/devguide/fields-yml.asciidoc
+++ b/docs/devguide/fields-yml.asciidoc
@@ -121,3 +121,43 @@ use in aggregations or ordering, you can use a multi-field mapping:
For more information, see the {ref}/multi-fields.html[{es} documentation about
multi-fields].
+
+==== Defining a text analyzer in-line
+
+It is possible to define a new text analyzer or search analyzer in-line with
+the field definition in the field's mapping parameters.
+
+For example, you can define a new text analyzer that does not break hyphenated names:
+
+[source,yaml]
+----------------------------------------------------------------------
+- key: mybeat
+ title: mybeat
+ description: These are the fields used by mybeat.
+ fields:
+ - name: last_name
+ type: text
+ required: true
+ description: >
+ The last name.
+ analyzer:
+ mybeat_hyphenated_name: <1>
+ type: pattern <2>
+ pattern: "[\\W&&[^-]]+" <3>
+ search_analyzer:
+ mybeat_hyphenated_name: <4>
+ type: pattern
+ pattern: "[\\W&&[^-]]+"
+----------------------------------------------------------------------
+<1> Use a newly defined text analyzer
+<2> Define the custome analyzer type
+<3> Specify the analyzer behaviour
+<4> Use the same analyzer for the search
+
+The names of custom analyzers that are defined in-line may not be reused for a different
+text analyzer. If a text analyzer name is reused it is checked for matching existing
+instances of the analyzer. It is recommended that the analyzer name is prefixed with the
+beat name to avoid name clashes.
+
+For more information, see {ref}/analysis-custom-analyzer.html[{es} documentation about
+defining custom text analyzers].
diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl
index a47e70d98c2..8da4a2e75fd 100644
--- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl
+++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl
@@ -94,7 +94,8 @@ filebeat.inputs:
#max_bytes: 10485760
# Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
- # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator.
+ # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+ # null_terminator
#line_terminator: auto
### Recursive glob configuration
@@ -348,7 +349,8 @@ filebeat.inputs:
#message_max_bytes: 10485760
# Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
- # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator.
+ # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+ # null_terminator
#line_terminator: auto
# The ingest pipeline ID associated with this input. If this is set, it
diff --git a/filebeat/_meta/test/docs/01_playground/filebeat.yaml b/filebeat/_meta/test/docs/01_playground/filebeat.yaml
new file mode 100644
index 00000000000..c16b68757e4
--- /dev/null
+++ b/filebeat/_meta/test/docs/01_playground/filebeat.yaml
@@ -0,0 +1,227 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: filebeat-config
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+data:
+ filebeat.yml: |-
+ filebeat.inputs:
+ - type: container
+ paths:
+ - /var/log/containers/*.log
+ processors:
+ - add_kubernetes_metadata:
+ host: ${NODE_NAME}
+ matchers:
+ - logs_path:
+ logs_path: "/var/log/containers/"
+
+ # To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
+ #filebeat.autodiscover:
+ # providers:
+ # - type: kubernetes
+ # node: ${NODE_NAME}
+ # hints.enabled: true
+ # hints.default_config:
+ # type: container
+ # paths:
+ # - /var/log/containers/*${data.kubernetes.container.id}.log
+
+ processors:
+ - add_cloud_metadata:
+ - add_host_metadata:
+
+ cloud.id: ${ELASTIC_CLOUD_ID}
+ cloud.auth: ${ELASTIC_CLOUD_AUTH}
+
+ output.elasticsearch:
+ hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
+ username: ${ELASTICSEARCH_USERNAME}
+ password: ${ELASTICSEARCH_PASSWORD}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: filebeat
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+spec:
+ selector:
+ matchLabels:
+ k8s-app: filebeat
+ template:
+ metadata:
+ labels:
+ k8s-app: filebeat
+ spec:
+ serviceAccountName: filebeat
+ terminationGracePeriodSeconds: 30
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: filebeat
+ image: docker.elastic.co/beats/filebeat:8.0.0-SNAPSHOT
+ command: [ "sleep" ]
+ args: [ "infinity" ]
+ env:
+ - name: ELASTICSEARCH_HOST
+ value: elasticsearch.default.svc.cluster.local
+ - name: ELASTICSEARCH_PORT
+ value: "9200"
+ - name: ELASTICSEARCH_USERNAME
+ value: elastic
+ - name: ELASTICSEARCH_PASSWORD
+ value: changeme
+ - name: ELASTIC_CLOUD_ID
+ value:
+ - name: ELASTIC_CLOUD_AUTH
+ value:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ # If using Red Hat OpenShift uncomment this:
+ #privileged: true
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - name: config
+ mountPath: /etc/filebeat.yml
+ readOnly: true
+ subPath: filebeat.yml
+ - name: data
+ mountPath: /usr/share/filebeat/data
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ - name: varlog
+ mountPath: /var/log
+ readOnly: true
+ volumes:
+ - name: config
+ configMap:
+ defaultMode: 0640
+ name: filebeat-config
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
+ - name: varlog
+ hostPath:
+ path: /var/log
+ # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
+ - name: data
+ hostPath:
+ # When filebeat runs as non-root user, this directory needs to be writable by group (g+w).
+ path: /var/lib/filebeat-data
+ type: DirectoryOrCreate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: filebeat
+subjects:
+- kind: ServiceAccount
+ name: filebeat
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: filebeat
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: filebeat
+ namespace: kube-system
+subjects:
+ - kind: ServiceAccount
+ name: filebeat
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: filebeat
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: filebeat-kubeadm-config
+ namespace: kube-system
+subjects:
+ - kind: ServiceAccount
+ name: filebeat
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: filebeat-kubeadm-config
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: filebeat
+ labels:
+ k8s-app: filebeat
+rules:
+- apiGroups: [""] # "" indicates the core API group
+ resources:
+ - namespaces
+ - pods
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups: ["apps"]
+ resources:
+ - replicasets
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: filebeat
+ # should be the namespace where filebeat is running
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: filebeat-kubeadm-config
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+rules:
+ - apiGroups: [""]
+ resources:
+ - configmaps
+ resourceNames:
+ - kubeadm-config
+ verbs: ["get"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: filebeat
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+---
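Review bot: The DaemonSet env block commits the Elasticsearch password as a plain `value: changeme` (the `ELASTICSEARCH_PASSWORD` entry) and leaves `ELASTIC_CLOUD_ID` / `ELASTIC_CLOUD_AUTH` as bare `value:` nulls; even in a playground manifest the password belongs in a `valueFrom.secretKeyRef` pointing at a Secret (name as a placeholder, key `password`) rather than in the checked-in file, and the two empty entries should be written `value: ""` so the empty string is deliberate rather than an implicit null. Sequence indentation is also mixed within the one file: the ClusterRoleBinding `subjects` and ClusterRole `rules` lists are flush with their key while the RoleBinding and Role lists are indented — pick one style for the whole manifest. `defaultMode: 0640` depends on the YAML 1.1 octal reading that the Kubernetes loader applies; a comment such as `# octal 0640 (decimal 416): owner rw, group r` would keep a later reformat or a 1.2 parser from silently changing the mode.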
diff --git a/filebeat/_meta/test/docs/testing.md b/filebeat/_meta/test/docs/testing.md
new file mode 100644
index 00000000000..05836fcd65a
--- /dev/null
+++ b/filebeat/_meta/test/docs/testing.md
@@ -0,0 +1,55 @@
+# Testing Filebeat
+
+## Testing on Kubernetes
+
+### Prerequisites
+- create kubernetes cluster using kind, check [here](https://github.com/elastic/beats/blob/master/metricbeat/module/kubernetes/_meta/test/docs/README.md) for details
+- deploy ELK stack, check [here](https://github.com/elastic/beats/blob/master/metricbeat/module/kubernetes/_meta/test/docs/README.md) for details
+
+## Playground Filebeat Pod
+
+A slightly modified (comparing to beats/deploy/kubernetes/filebeat-kubernetes.yaml) all-in-one filebeat manifest resides under `01_playground` directory.
+Modifications:
+- the daemonset executes an infinite sleep command instead of starting filebeat.
+- variables `ELASTICSEARCH_HOST`, `ELASTICSEARCH_PORT`, `ELASTICSEARCH_USERNAME`, `ELASTICSEARCH_PASSWORD` variables are set according to local kind EK stack.
+
+> Note: In case of using Elastic Cloud deployment configure the variables `ELASTIC_CLOUD_ID` and `ELASTIC_CLOUD_AUTH` accordingly.
+
+Deploy filebeat:
+```bash
+cd filebeat/_meta/test/docs
+kubectl apply -f 01_playground/filebeat.yaml
+```
+
+## Build and launch filebeat process
+
+1. Build filebeat binary and copy it in the running filebeat pod.
+Under beats/filebeat execute:
+```bash
+# Build filebeat
+GOOS=linux GOARCH=amd64 go build
+
+# Copy binary in pod
+kubectl cp ./filebeat `kubectl get pod -n kube-system -l k8s-app=filebeat -o jsonpath='{.items[].metadata.name}'`:/usr/share/filebeat/ -n kube-system
+````
+The above command only copies filebeat binary.
+
+2. For configuration files updates modify `filebeat.yml`, defined in the `ConfigMap` and execute again:
+```
+kubectl apply -f 01_playground/filebeat.yaml
+```
+> Note: Filebeat on kubernetes can be running with one of the configurations:
+> 1. Filebeat use [container input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-container.html) to read container logs under the given
+> path in combination with [`add_kubernetes_metadata` processor](https://www.elastic.co/guide/en/beats/filebeat/current/add-kubernetes-metadata.html) to enrich logs
+> with relevant Kubernetes pod metadata.
+> 2. Filebeat use autodiscover [kubernetes provider](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover.html#_kubernetes).
+
+3. Start filebeat.
+```bash
+# Exec in the container and launch filebeat
+kubectl exec `kubectl get pod -n kube-system -l k8s-app=filebeat -o jsonpath='{.items[].metadata.name}'` -n kube-system -- bash -c "filebeat -e -c /etc/filebeat.yml"
+```
+Filebeat will launch and the process logs will appear in the terminal.
+
+You can as well exec in filebeat pod with bash command and then run filebeat.
+This gives the flexibility to easily start and stop the process.
\ No newline at end of file
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index d89839516fe..34b05a0fd24 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -150641,385 +150641,8 @@ Threat intelligence Filebeat Module.
-[float]
-=== threatintel
-
-Fields from the threatintel Filebeat module.
-
-
-
-*`threatintel.indicator.first_seen`*::
-+
---
-The date and time when intelligence source first reported sighting this indicator.
-
-
-type: date
-
---
-
-*`threatintel.indicator.last_seen`*::
-+
---
-The date and time when intelligence source last reported sighting this indicator.
-
-
-type: date
-
---
-
-*`threatintel.indicator.sightings`*::
-+
---
-Number of times this indicator was observed conducting threat activity.
-
-
-type: long
-
---
-
-*`threatintel.indicator.type`*::
-+
---
-Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values
- * autonomous-system
- * artifact
- * directory
- * domain-name
- * email-addr
- * file
- * ipv4-addr
- * ipv6-addr
- * mac-addr
- * mutex
- * process
- * software
- * url
- * user-account
- * windows-registry-key
- * x-509-certificate
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.description`*::
-+
---
-Describes the type of action conducted by the threat.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.scanner_stats`*::
-+
---
-Count of AV/EDR vendors that successfully detected malicious file or URL.
-
-
-type: long
-
---
-
-*`threatintel.indicator.provider`*::
-+
---
-Identifies the name of the intelligence provider.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.confidence`*::
-+
---
-Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values
- * Not Specified, None, Low, Medium, High
- * 0-10
- * Admirality Scale (1-6)
- * DNI Scale (5-95)
- * WEP Scale (Impossible - Certain)
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.module`*::
-+
---
-Identifies the name of specific module this data is coming from.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.dataset`*::
-+
---
-Identifies the name of specific dataset from the intelligence source.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.reference`*::
-+
---
-Reference URL linking to additional information about this indicator.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.ip`*::
-+
---
-Identifies a threat indicator as an IP address (irrespective of direction).
-
-
-type: ip
-
---
-
-*`threatintel.indicator.port`*::
-+
---
-Identifies a threat indicator as a port number (irrespective of direction).
-
-
-type: long
-
---
-
-*`threatintel.indicator.email.address`*::
-+
---
-Identifies a threat indicator as an email address (irrespective of direction).
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.marking.tlp`*::
-+
---
-Traffic Light Protocol sharing markings. Expected values are:
- * White
- * Green
- * Amber
- * Red
-
-
-type: keyword
-
---
-
-
-*`threatintel.indicator.matched.atomic`*::
-+
---
-Identifies the atomic indicator that matched a local environment endpoint or network event.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.matched.field`*::
-+
---
-Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.matched.type`*::
-+
---
-Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
-
-
-type: keyword
-
---
-
-
-*`threatintel.indicator.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`threatintel.indicator.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`threatintel.indicator.as.organization.name.text`*::
-+
---
-type: text
-
---
-
-
-*`threatintel.indicator.registry.data.strings`*::
-+
---
-Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-
-type: keyword
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`threatintel.indicator.registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`threatintel.indicator.registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-*`threatintel.indicator.registry.key`*::
-+
---
-Registry key value
-
-type: keyword
-
---
-
-
-*`threatintel.indicator.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`threatintel.indicator.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`threatintel.indicator.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`threatintel.indicator.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`threatintel.indicator.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`threatintel.indicator.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`threatintel.indicator.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`threatintel.indicator.file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-
-*`threatintel.indicator.file.hash.tlsh`*::
+*`threat.indicator.file.hash.tlsh`*::
+
--
The file's import tlsh, if available.
@@ -151029,47 +150652,7 @@ type: keyword
--
-*`threatintel.indicator.file.hash.ssdeep`*::
-+
---
-The file's ssdeep hash, if available.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.hash.md5`*::
-+
---
-The file's md5 hash, if available.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.hash.sha1`*::
-+
---
-The file's sha1 hash, if available.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.hash.sha256`*::
-+
---
-The file's sha256 hash, if available.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.hash.sha384`*::
+*`threat.indicator.file.hash.sha384`*::
+
--
The file's sha384 hash, if available.
@@ -151079,272 +150662,28 @@ type: keyword
--
-*`threatintel.indicator.file.hash.sha512`*::
-+
---
-The file's sha512 hash, if available.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.type`*::
-+
---
-The file type.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.size`*::
-+
---
-The file's total size.
-
-
-type: long
-
---
-
-*`threatintel.indicator.file.name`*::
-+
---
-The file's name.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.extension`*::
-+
---
-The file's extension.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.file.mime_type`*::
-+
---
-The file's MIME type.
-
-
-type: keyword
-
---
-
-
-*`threatintel.indicator.url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.extension`*::
-+
---
-The field contains the file extension from the original request
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.original`*::
-+
---
-Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.password`*::
-+
---
-Password of the request.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.path`*::
-+
---
-Path of the request, such as "/search".
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.port`*::
-+
---
-Port of the request, such as 443.
-
-
-type: long
-
-format: string
-
---
-
-*`threatintel.indicator.url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-
-type: keyword
-
---
-
-*`threatintel.indicator.url.username`*::
-+
---
-Username of the request.
-
-
-type: keyword
-
---
-
-
-*`threatintel.indicator.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threatintel.indicator.x509.issuer`*::
-+
---
-Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threatintel.indicator.x509.subject`*::
-+
---
-Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threatintel.indicator.x509.alternative_names`*::
+*`threat.feed.name`*::
+
--
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
type: keyword
-example: *.elastic.co
-
--
-*`threatintel.indicator.signature`*::
+*`threat.feed.dashboard_id`*::
+
--
-Malware family of sample (if available).
-
-
type: keyword
--
[float]
-=== abusemalware
+=== abusech.malware
Fields for AbuseCH Malware Threat Intel
-*`threatintel.abusemalware.file_type`*::
+*`abusech.malware.file_type`*::
+
--
File type guessed by URLhaus.
@@ -151354,7 +150693,7 @@ type: keyword
--
-*`threatintel.abusemalware.signature`*::
+*`abusech.malware.signature`*::
+
--
Malware familiy.
@@ -151364,7 +150703,7 @@ type: keyword
--
-*`threatintel.abusemalware.urlhaus_download`*::
+*`abusech.malware.urlhaus_download`*::
+
--
Location (URL) where you can download a copy of this file.
@@ -151374,7 +150713,7 @@ type: keyword
--
-*`threatintel.abusemalware.virustotal.result`*::
+*`abusech.malware.virustotal.result`*::
+
--
AV detection ration.
@@ -151384,7 +150723,7 @@ type: keyword
--
-*`threatintel.abusemalware.virustotal.percent`*::
+*`abusech.malware.virustotal.percent`*::
+
--
AV detection in percent.
@@ -151394,7 +150733,7 @@ type: float
--
-*`threatintel.abusemalware.virustotal.link`*::
+*`abusech.malware.virustotal.link`*::
+
--
Link to the Virustotal report.
@@ -151405,13 +150744,13 @@ type: keyword
--
[float]
-=== abuseurl
+=== abusech.url
Fields for AbuseCH Malware Threat Intel
-*`threatintel.abuseurl.id`*::
+*`abusech.url.id`*::
+
--
The ID of the url.
@@ -151421,7 +150760,7 @@ type: keyword
--
-*`threatintel.abuseurl.urlhaus_reference`*::
+*`abusech.url.urlhaus_reference`*::
+
--
Link to URLhaus entry.
@@ -151431,7 +150770,7 @@ type: keyword
--
-*`threatintel.abuseurl.url_status`*::
+*`abusech.url.url_status`*::
+
--
The current status of the URL. Possible values are: online, offline and unknown.
@@ -151441,7 +150780,7 @@ type: keyword
--
-*`threatintel.abuseurl.threat`*::
+*`abusech.url.threat`*::
+
--
The threat corresponding to this malware URL.
@@ -151451,7 +150790,7 @@ type: keyword
--
-*`threatintel.abuseurl.blacklists.surbl`*::
+*`abusech.url.blacklists.surbl`*::
+
--
SURBL blacklist status. Possible values are: listed and not_listed
@@ -151461,7 +150800,7 @@ type: keyword
--
-*`threatintel.abuseurl.blacklists.spamhaus_dbl`*::
+*`abusech.url.blacklists.spamhaus_dbl`*::
+
--
Spamhaus DBL blacklist status.
@@ -151471,7 +150810,7 @@ type: keyword
--
-*`threatintel.abuseurl.reporter`*::
+*`abusech.url.reporter`*::
+
--
The Twitter handle of the reporter that has reported this malware URL (or anonymous).
@@ -151481,7 +150820,7 @@ type: keyword
--
-*`threatintel.abuseurl.larted`*::
+*`abusech.url.larted`*::
+
--
Indicates whether the malware URL has been reported to the hosting provider (true or false)
@@ -151491,7 +150830,7 @@ type: boolean
--
-*`threatintel.abuseurl.tags`*::
+*`abusech.url.tags`*::
+
--
A list of tags associated with the queried malware URL
@@ -151502,13 +150841,13 @@ type: keyword
--
[float]
-=== anomali
+=== anomali.limo
Fields for Anomali Threat Intel
-*`threatintel.anomali.id`*::
+*`anomali.limo.id`*::
+
--
The ID of the indicator.
@@ -151518,7 +150857,7 @@ type: keyword
--
-*`threatintel.anomali.name`*::
+*`anomali.limo.name`*::
+
--
The name of the indicator.
@@ -151528,7 +150867,7 @@ type: keyword
--
-*`threatintel.anomali.pattern`*::
+*`anomali.limo.pattern`*::
+
--
The pattern ID of the indicator.
@@ -151538,7 +150877,7 @@ type: keyword
--
-*`threatintel.anomali.valid_from`*::
+*`anomali.limo.valid_from`*::
+
--
When the indicator was first found or is considered valid.
@@ -151548,7 +150887,7 @@ type: date
--
-*`threatintel.anomali.modified`*::
+*`anomali.limo.modified`*::
+
--
When the indicator was last modified
@@ -151558,7 +150897,7 @@ type: date
--
-*`threatintel.anomali.labels`*::
+*`anomali.limo.labels`*::
+
--
The labels related to the indicator
@@ -151568,7 +150907,7 @@ type: keyword
--
-*`threatintel.anomali.indicator`*::
+*`anomali.limo.indicator`*::
+
--
The value of the indicator, for example if the type is domain, this would be the value.
@@ -151578,7 +150917,7 @@ type: keyword
--
-*`threatintel.anomali.description`*::
+*`anomali.limo.description`*::
+
--
A description of the indicator.
@@ -151588,7 +150927,7 @@ type: keyword
--
-*`threatintel.anomali.title`*::
+*`anomali.limo.title`*::
+
--
Title describing the indicator.
@@ -151598,7 +150937,7 @@ type: keyword
--
-*`threatintel.anomali.content`*::
+*`anomali.limo.content`*::
+
--
Extra text or descriptive content related to the indicator.
@@ -151608,7 +150947,7 @@ type: keyword
--
-*`threatintel.anomali.type`*::
+*`anomali.limo.type`*::
+
--
The indicator type, can for example be "domain, email, FileHash-SHA256".
@@ -151618,7 +150957,7 @@ type: keyword
--
-*`threatintel.anomali.object_marking_refs`*::
+*`anomali.limo.object_marking_refs`*::
+
--
The STIX reference object.
@@ -151629,13 +150968,13 @@ type: keyword
--
[float]
-=== anomalithreatstream
+=== anomali.threatstream
Fields for Anomali ThreatStream
-*`threatintel.anomalithreatstream.classification`*::
+*`anomali.threatstream.classification`*::
+
--
Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public.
@@ -151647,7 +150986,7 @@ example: private
--
-*`threatintel.anomalithreatstream.confidence`*::
+*`anomali.threatstream.confidence`*::
+
--
The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators.
@@ -151657,7 +150996,7 @@ type: short
--
-*`threatintel.anomalithreatstream.detail2`*::
+*`anomali.threatstream.detail2`*::
+
--
Detail text for indicator.
@@ -151669,7 +151008,7 @@ example: Imported by user 42.
--
-*`threatintel.anomalithreatstream.id`*::
+*`anomali.threatstream.id`*::
+
--
The ID of the indicator.
@@ -151679,7 +151018,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.import_session_id`*::
+*`anomali.threatstream.import_session_id`*::
+
--
ID of the import session that created the indicator on ThreatStream.
@@ -151689,7 +151028,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.itype`*::
+*`anomali.threatstream.itype`*::
+
--
Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url".
@@ -151699,7 +151038,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.maltype`*::
+*`anomali.threatstream.maltype`*::
+
--
Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.
@@ -151709,7 +151048,7 @@ type: wildcard
--
-*`threatintel.anomalithreatstream.md5`*::
+*`anomali.threatstream.md5`*::
+
--
Hash for the indicator.
@@ -151719,7 +151058,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.resource_uri`*::
+*`anomali.threatstream.resource_uri`*::
+
--
Relative URI for the indicator details.
@@ -151729,7 +151068,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.severity`*::
+*`anomali.threatstream.severity`*::
+
--
Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high.
@@ -151739,7 +151078,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.source`*::
+*`anomali.threatstream.source`*::
+
--
Source for the indicator.
@@ -151751,7 +151090,7 @@ example: Analyst
--
-*`threatintel.anomalithreatstream.source_feed_id`*::
+*`anomali.threatstream.source_feed_id`*::
+
--
ID for the integrator source.
@@ -151761,7 +151100,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.state`*::
+*`anomali.threatstream.state`*::
+
--
State for this indicator.
@@ -151773,7 +151112,7 @@ example: active
--
-*`threatintel.anomalithreatstream.trusted_circle_ids`*::
+*`anomali.threatstream.trusted_circle_ids`*::
+
--
ID of the trusted circle that imported the indicator.
@@ -151783,7 +151122,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.update_id`*::
+*`anomali.threatstream.update_id`*::
+
--
Update ID.
@@ -151793,7 +151132,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.url`*::
+*`anomali.threatstream.url`*::
+
--
URL for the indicator.
@@ -151803,7 +151142,7 @@ type: keyword
--
-*`threatintel.anomalithreatstream.value_type`*::
+*`anomali.threatstream.value_type`*::
+
--
Data type of the indicator. Possible values: ip, domain, url, email, md5.
@@ -151814,13 +151153,13 @@ type: keyword
--
[float]
-=== malwarebazaar
+=== abusech.malwarebazaar
Fields for Malware Bazaar Threat Intel
-*`threatintel.malwarebazaar.file_type`*::
+*`abusech.malwarebazaar.file_type`*::
+
--
File type guessed by Malware Bazaar.
@@ -151830,7 +151169,7 @@ type: keyword
--
-*`threatintel.malwarebazaar.signature`*::
+*`abusech.malwarebazaar.signature`*::
+
--
Malware familiy.
@@ -151840,7 +151179,7 @@ type: keyword
--
-*`threatintel.malwarebazaar.tags`*::
+*`abusech.malwarebazaar.tags`*::
+
--
A list of tags associated with the queried malware sample.
@@ -151851,7 +151190,7 @@ type: keyword
--
-*`threatintel.malwarebazaar.intelligence.downloads`*::
+*`abusech.malwarebazaar.intelligence.downloads`*::
+
--
Number of downloads from MalwareBazaar.
@@ -151861,7 +151200,7 @@ type: long
--
-*`threatintel.malwarebazaar.intelligence.uploads`*::
+*`abusech.malwarebazaar.intelligence.uploads`*::
+
--
Number of uploads from MalwareBazaar.
@@ -151872,7 +151211,7 @@ type: long
--
-*`threatintel.malwarebazaar.intelligence.mail.Generic`*::
+*`abusech.malwarebazaar.intelligence.mail.Generic`*::
+
--
Malware seen in generic spam traffic.
@@ -151882,7 +151221,7 @@ type: keyword
--
-*`threatintel.malwarebazaar.intelligence.mail.IT`*::
+*`abusech.malwarebazaar.intelligence.mail.IT`*::
+
--
Malware seen in IT spam traffic.
@@ -151892,7 +151231,7 @@ type: keyword
--
-*`threatintel.malwarebazaar.anonymous`*::
+*`abusech.malwarebazaar.anonymous`*::
+
--
Identifies if the sample was submitted anonymously.
@@ -151902,7 +151241,7 @@ type: long
--
-*`threatintel.malwarebazaar.code_sign`*::
+*`abusech.malwarebazaar.code_sign`*::
+
--
Code signing information for the sample.
@@ -151919,7 +151258,7 @@ Fields for MISP Threat Intel
-*`threatintel.misp.id`*::
+*`misp.id`*::
+
--
Attribute ID.
@@ -151929,7 +151268,7 @@ type: keyword
--
-*`threatintel.misp.orgc_id`*::
+*`misp.orgc_id`*::
+
--
Organization Community ID of the event.
@@ -151939,7 +151278,7 @@ type: keyword
--
-*`threatintel.misp.org_id`*::
+*`misp.org_id`*::
+
--
Organization ID of the event.
@@ -151949,7 +151288,7 @@ type: keyword
--
-*`threatintel.misp.threat_level_id`*::
+*`misp.threat_level_id`*::
+
--
Threat level from 5 to 1, where 1 is the most critical.
@@ -151959,7 +151298,7 @@ type: long
--
-*`threatintel.misp.info`*::
+*`misp.info`*::
+
--
Additional text or information related to the event.
@@ -151969,7 +151308,7 @@ type: keyword
--
-*`threatintel.misp.published`*::
+*`misp.published`*::
+
--
When the event was published.
@@ -151979,7 +151318,7 @@ type: boolean
--
-*`threatintel.misp.uuid`*::
+*`misp.uuid`*::
+
--
The UUID of the event object.
@@ -151989,7 +151328,7 @@ type: keyword
--
-*`threatintel.misp.date`*::
+*`misp.date`*::
+
--
The date of when the event object was created.
@@ -151999,7 +151338,7 @@ type: date
--
-*`threatintel.misp.attribute_count`*::
+*`misp.attribute_count`*::
+
--
How many attributes are included in a single event object.
@@ -152009,7 +151348,7 @@ type: long
--
-*`threatintel.misp.timestamp`*::
+*`misp.timestamp`*::
+
--
The timestamp of when the event object was created.
@@ -152019,7 +151358,7 @@ type: date
--
-*`threatintel.misp.distribution`*::
+*`misp.distribution`*::
+
--
Distribution type related to MISP.
@@ -152029,7 +151368,7 @@ type: keyword
--
-*`threatintel.misp.proposal_email_lock`*::
+*`misp.proposal_email_lock`*::
+
--
Settings configured on MISP for email lock on this event object.
@@ -152039,7 +151378,7 @@ type: boolean
--
-*`threatintel.misp.locked`*::
+*`misp.locked`*::
+
--
If the current MISP event object is locked or not.
@@ -152049,7 +151388,7 @@ type: boolean
--
-*`threatintel.misp.publish_timestamp`*::
+*`misp.publish_timestamp`*::
+
--
At what time the event object was published
@@ -152059,7 +151398,7 @@ type: date
--
-*`threatintel.misp.sharing_group_id`*::
+*`misp.sharing_group_id`*::
+
--
The ID of the grouped events or sources of the event.
@@ -152069,7 +151408,7 @@ type: keyword
--
-*`threatintel.misp.disable_correlation`*::
+*`misp.disable_correlation`*::
+
--
If correlation is disabled on the MISP event object.
@@ -152079,7 +151418,7 @@ type: boolean
--
-*`threatintel.misp.extends_uuid`*::
+*`misp.extends_uuid`*::
+
--
The UUID of the event object it might extend.
@@ -152089,7 +151428,7 @@ type: keyword
--
-*`threatintel.misp.org.id`*::
+*`misp.org.id`*::
+
--
The organization ID related to the event object.
@@ -152099,7 +151438,7 @@ type: keyword
--
-*`threatintel.misp.org.name`*::
+*`misp.org.name`*::
+
--
The organization name related to the event object.
@@ -152109,7 +151448,7 @@ type: keyword
--
-*`threatintel.misp.org.uuid`*::
+*`misp.org.uuid`*::
+
--
The UUID of the organization related to the event object.
@@ -152119,7 +151458,7 @@ type: keyword
--
-*`threatintel.misp.org.local`*::
+*`misp.org.local`*::
+
--
If the event object is local or from a remote source.
@@ -152129,7 +151468,7 @@ type: boolean
--
-*`threatintel.misp.orgc.id`*::
+*`misp.orgc.id`*::
+
--
The Organization Community ID in which the event object was reported from.
@@ -152139,7 +151478,7 @@ type: keyword
--
-*`threatintel.misp.orgc.name`*::
+*`misp.orgc.name`*::
+
--
The Organization Community name in which the event object was reported from.
@@ -152149,7 +151488,7 @@ type: keyword
--
-*`threatintel.misp.orgc.uuid`*::
+*`misp.orgc.uuid`*::
+
--
The Organization Community UUID in which the event object was reported from.
@@ -152159,7 +151498,7 @@ type: keyword
--
-*`threatintel.misp.orgc.local`*::
+*`misp.orgc.local`*::
+
--
If the Organization Community was local or synced from a remote source.
@@ -152169,7 +151508,7 @@ type: boolean
--
-*`threatintel.misp.attribute.id`*::
+*`misp.attribute.id`*::
+
--
The ID of the attribute related to the event object.
@@ -152179,7 +151518,7 @@ type: keyword
--
-*`threatintel.misp.attribute.type`*::
+*`misp.attribute.type`*::
+
--
The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
@@ -152189,7 +151528,7 @@ type: keyword
--
-*`threatintel.misp.attribute.category`*::
+*`misp.attribute.category`*::
+
--
The category of the attribute related to the event object. For example "Network Activity".
@@ -152199,7 +151538,7 @@ type: keyword
--
-*`threatintel.misp.attribute.to_ids`*::
+*`misp.attribute.to_ids`*::
+
--
If the attribute should be automatically synced with an IDS.
@@ -152209,7 +151548,7 @@ type: boolean
--
-*`threatintel.misp.attribute.uuid`*::
+*`misp.attribute.uuid`*::
+
--
The UUID of the attribute related to the event.
@@ -152219,7 +151558,7 @@ type: keyword
--
-*`threatintel.misp.attribute.event_id`*::
+*`misp.attribute.event_id`*::
+
--
The local event ID of the attribute related to the event.
@@ -152229,7 +151568,7 @@ type: keyword
--
-*`threatintel.misp.attribute.distribution`*::
+*`misp.attribute.distribution`*::
+
--
How the attribute has been distributed, represented by integer numbers.
@@ -152239,7 +151578,7 @@ type: long
--
-*`threatintel.misp.attribute.timestamp`*::
+*`misp.attribute.timestamp`*::
+
--
The timestamp in which the attribute was attached to the event object.
@@ -152249,7 +151588,7 @@ type: date
--
-*`threatintel.misp.attribute.comment`*::
+*`misp.attribute.comment`*::
+
--
Comments made to the attribute itself.
@@ -152259,7 +151598,7 @@ type: keyword
--
-*`threatintel.misp.attribute.sharing_group_id`*::
+*`misp.attribute.sharing_group_id`*::
+
--
The group ID of the sharing group related to the specific attribute.
@@ -152269,7 +151608,7 @@ type: keyword
--
-*`threatintel.misp.attribute.deleted`*::
+*`misp.attribute.deleted`*::
+
--
If the attribute has been removed from the event object.
@@ -152279,7 +151618,7 @@ type: boolean
--
-*`threatintel.misp.attribute.disable_correlation`*::
+*`misp.attribute.disable_correlation`*::
+
--
If correlation has been enabled on the attribute related to the event object.
@@ -152289,7 +151628,7 @@ type: boolean
--
-*`threatintel.misp.attribute.object_id`*::
+*`misp.attribute.object_id`*::
+
--
The ID of the Object in which the attribute is attached.
@@ -152299,7 +151638,7 @@ type: keyword
--
-*`threatintel.misp.attribute.object_relation`*::
+*`misp.attribute.object_relation`*::
+
--
The type of relation the attribute has with the event object itself.
@@ -152309,7 +151648,7 @@ type: keyword
--
-*`threatintel.misp.attribute.value`*::
+*`misp.attribute.value`*::
+
--
The value of the attribute, depending on the type like "url, sha1, email-src".
@@ -152319,7 +151658,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.id`*::
+*`misp.context.attribute.id`*::
+
--
The ID of the secondary attribute related to the event object.
@@ -152329,7 +151668,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.type`*::
+*`misp.context.attribute.type`*::
+
--
The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
@@ -152339,7 +151678,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.category`*::
+*`misp.context.attribute.category`*::
+
--
The category of the secondary attribute related to the event object. For example "Network Activity".
@@ -152349,7 +151688,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.to_ids`*::
+*`misp.context.attribute.to_ids`*::
+
--
If the secondary attribute should be automatically synced with an IDS.
@@ -152359,7 +151698,7 @@ type: boolean
--
-*`threatintel.misp.context.attribute.uuid`*::
+*`misp.context.attribute.uuid`*::
+
--
The UUID of the secondary attribute related to the event.
@@ -152369,7 +151708,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.event_id`*::
+*`misp.context.attribute.event_id`*::
+
--
The local event ID of the secondary attribute related to the event.
@@ -152379,7 +151718,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.distribution`*::
+*`misp.context.attribute.distribution`*::
+
--
How the secondary attribute has been distributed, represented by integer numbers.
@@ -152389,7 +151728,7 @@ type: long
--
-*`threatintel.misp.context.attribute.timestamp`*::
+*`misp.context.attribute.timestamp`*::
+
--
The timestamp in which the secondary attribute was attached to the event object.
@@ -152399,7 +151738,7 @@ type: date
--
-*`threatintel.misp.context.attribute.comment`*::
+*`misp.context.attribute.comment`*::
+
--
Comments made to the secondary attribute itself.
@@ -152409,7 +151748,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.sharing_group_id`*::
+*`misp.context.attribute.sharing_group_id`*::
+
--
The group ID of the sharing group related to the specific secondary attribute.
@@ -152419,7 +151758,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.deleted`*::
+*`misp.context.attribute.deleted`*::
+
--
If the secondary attribute has been removed from the event object.
@@ -152429,7 +151768,7 @@ type: boolean
--
-*`threatintel.misp.context.attribute.disable_correlation`*::
+*`misp.context.attribute.disable_correlation`*::
+
--
If correlation has been enabled on the secondary attribute related to the event object.
@@ -152439,7 +151778,7 @@ type: boolean
--
-*`threatintel.misp.context.attribute.object_id`*::
+*`misp.context.attribute.object_id`*::
+
--
The ID of the Object in which the secondary attribute is attached.
@@ -152449,7 +151788,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.object_relation`*::
+*`misp.context.attribute.object_relation`*::
+
--
The type of relation the secondary attribute has with the event object itself.
@@ -152459,7 +151798,7 @@ type: keyword
--
-*`threatintel.misp.context.attribute.value`*::
+*`misp.context.attribute.value`*::
+
--
The value of the attribute, depending on the type like "url, sha1, email-src".
@@ -152476,7 +151815,7 @@ Fields for OTX Threat Intel
-*`threatintel.otx.id`*::
+*`otx.id`*::
+
--
The ID of the indicator.
@@ -152486,7 +151825,7 @@ type: keyword
--
-*`threatintel.otx.indicator`*::
+*`otx.indicator`*::
+
--
The value of the indicator, for example if the type is domain, this would be the value.
@@ -152496,7 +151835,7 @@ type: keyword
--
-*`threatintel.otx.description`*::
+*`otx.description`*::
+
--
A description of the indicator.
@@ -152506,7 +151845,7 @@ type: keyword
--
-*`threatintel.otx.title`*::
+*`otx.title`*::
+
--
Title describing the indicator.
@@ -152516,7 +151855,7 @@ type: keyword
--
-*`threatintel.otx.content`*::
+*`otx.content`*::
+
--
Extra text or descriptive content related to the indicator.
@@ -152526,7 +151865,7 @@ type: keyword
--
-*`threatintel.otx.type`*::
+*`otx.type`*::
+
--
The indicator type, can for example be "domain, email, FileHash-SHA256".
@@ -152550,7 +151889,7 @@ Entity that represents a threat.
-*`threatintel.recordedfuture.entity.id`*::
+*`recordedfuture.entity.id`*::
+
--
Entity ID.
@@ -152562,7 +151901,7 @@ example: ip:192.0.2.13
--
-*`threatintel.recordedfuture.entity.name`*::
+*`recordedfuture.entity.name`*::
+
--
Entity name. Value for the entity.
@@ -152574,7 +151913,7 @@ example: 192.0.2.13
--
-*`threatintel.recordedfuture.entity.type`*::
+*`recordedfuture.entity.type`*::
+
--
Entity type.
@@ -152586,7 +151925,7 @@ example: IpAddress
--
-*`threatintel.recordedfuture.intelCard`*::
+*`recordedfuture.intelCard`*::
+
--
Link to the Recorded Future Intelligence Card for to this indicator.
@@ -152596,7 +151935,7 @@ type: keyword
--
-*`threatintel.recordedfuture.ip_range`*::
+*`recordedfuture.ip_range`*::
+
--
Range of IPs for this indicator.
@@ -152615,7 +151954,7 @@ Risk fields.
-*`threatintel.recordedfuture.risk.criticality`*::
+*`recordedfuture.risk.criticality`*::
+
--
Risk criticality (0-4).
@@ -152625,7 +151964,7 @@ type: byte
--
-*`threatintel.recordedfuture.risk.criticalityLabel`*::
+*`recordedfuture.risk.criticalityLabel`*::
+
--
Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious.
@@ -152635,7 +151974,7 @@ type: keyword
--
-*`threatintel.recordedfuture.risk.evidenceDetails`*::
+*`recordedfuture.risk.evidenceDetails`*::
+
--
Risk's evidence details.
@@ -152645,7 +151984,7 @@ type: flattened
--
-*`threatintel.recordedfuture.risk.score`*::
+*`recordedfuture.risk.score`*::
+
--
Risk score (0-99).
@@ -152655,7 +151994,7 @@ type: short
--
-*`threatintel.recordedfuture.risk.riskString`*::
+*`recordedfuture.risk.riskString`*::
+
--
Number of Risk Rules observed as a factor of total number of rules.
@@ -152667,7 +152006,7 @@ example: 1/54
--
-*`threatintel.recordedfuture.risk.riskSummary`*::
+*`recordedfuture.risk.riskSummary`*::
+
--
Risk summary.
@@ -152679,14 +152018,14 @@ example: 1 of 54 Risk Rules currently observed.
--
-*`threatintel.recordedfuture.risk.riskSummary.text`*::
+*`recordedfuture.risk.riskSummary.text`*::
+
--
type: text
--
-*`threatintel.recordedfuture.risk.rules`*::
+*`recordedfuture.risk.rules`*::
+
--
Number of rules observed.
@@ -152703,7 +152042,7 @@ Fields for ThreatQ Threat Library
-*`threatintel.threatq.updated_at`*::
+*`threatq.updated_at`*::
+
--
Last modification time
@@ -152713,7 +152052,7 @@ type: date
--
-*`threatintel.threatq.created_at`*::
+*`threatq.created_at`*::
+
--
Object creation time
@@ -152723,7 +152062,7 @@ type: date
--
-*`threatintel.threatq.expires_at`*::
+*`threatq.expires_at`*::
+
--
Expiration time
@@ -152733,7 +152072,7 @@ type: date
--
-*`threatintel.threatq.expires_calculated_at`*::
+*`threatq.expires_calculated_at`*::
+
--
Expiration calculation time
@@ -152743,7 +152082,7 @@ type: date
--
-*`threatintel.threatq.published_at`*::
+*`threatq.published_at`*::
+
--
Object publication time
@@ -152753,7 +152092,7 @@ type: date
--
-*`threatintel.threatq.status`*::
+*`threatq.status`*::
+
--
Object status within the Threat Library
@@ -152763,7 +152102,7 @@ type: keyword
--
-*`threatintel.threatq.indicator_value`*::
+*`threatq.indicator_value`*::
+
--
Original indicator value
@@ -152773,7 +152112,7 @@ type: keyword
--
-*`threatintel.threatq.adversaries`*::
+*`threatq.adversaries`*::
+
--
Adversaries that are linked to the object
@@ -152783,7 +152122,7 @@ type: keyword
--
-*`threatintel.threatq.attributes`*::
+*`threatq.attributes`*::
+
--
These provide additional context about an object
diff --git a/filebeat/docs/modules/barracuda.asciidoc b/filebeat/docs/modules/barracuda.asciidoc
index fc5529cf059..e1732beb061 100644
--- a/filebeat/docs/modules/barracuda.asciidoc
+++ b/filebeat/docs/modules/barracuda.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" devic
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -78,7 +78,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudasf" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/bluecoat.asciidoc b/filebeat/docs/modules/bluecoat.asciidoc
index b6e1e23e50a..4f7c7e243b5 100644
--- a/filebeat/docs/modules/bluecoat.asciidoc
+++ b/filebeat/docs/modules/bluecoat.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" d
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
index e2a0a89acba..ae06741b09e 100644
--- a/filebeat/docs/modules/cisco.asciidoc
+++ b/filebeat/docs/modules/cisco.asciidoc
@@ -305,7 +305,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -350,7 +350,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/cylance.asciidoc b/filebeat/docs/modules/cylance.asciidoc
index 641c369f4e5..3e70754430f 100644
--- a/filebeat/docs/modules/cylance.asciidoc
+++ b/filebeat/docs/modules/cylance.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cylance" device rev
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc
index 5b886f8cae6..611239e2c21 100644
--- a/filebeat/docs/modules/f5.asciidoc
+++ b/filebeat/docs/modules/f5.asciidoc
@@ -37,7 +37,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device re
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -82,7 +82,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipafm" device re
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc
index 8a5da7b80f7..9dc8c1e3f26 100644
--- a/filebeat/docs/modules/fortinet.asciidoc
+++ b/filebeat/docs/modules/fortinet.asciidoc
@@ -85,7 +85,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -130,7 +130,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail"
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -175,7 +175,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/imperva.asciidoc b/filebeat/docs/modules/imperva.asciidoc
index bdbf16b0bec..480ed29d30d 100644
--- a/filebeat/docs/modules/imperva.asciidoc
+++ b/filebeat/docs/modules/imperva.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/infoblox.asciidoc b/filebeat/docs/modules/infoblox.asciidoc
index 745a52e0c96..a830d765247 100644
--- a/filebeat/docs/modules/infoblox.asciidoc
+++ b/filebeat/docs/modules/infoblox.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" devic
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc
index a97baa17de5..113fe33c513 100644
--- a/filebeat/docs/modules/juniper.asciidoc
+++ b/filebeat/docs/modules/juniper.asciidoc
@@ -146,7 +146,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -191,7 +191,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc
index ff00507119f..7a1170c67d9 100644
--- a/filebeat/docs/modules/microsoft.asciidoc
+++ b/filebeat/docs/modules/microsoft.asciidoc
@@ -224,7 +224,7 @@ include::../include/var-paths.asciidoc[]
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/netscout.asciidoc b/filebeat/docs/modules/netscout.asciidoc
index a1d4d3dcdd5..13e78e5b116 100644
--- a/filebeat/docs/modules/netscout.asciidoc
+++ b/filebeat/docs/modules/netscout.asciidoc
@@ -31,7 +31,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" de
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/proofpoint.asciidoc b/filebeat/docs/modules/proofpoint.asciidoc
index 905288fab3d..b5ebebc6ccd 100644
--- a/filebeat/docs/modules/proofpoint.asciidoc
+++ b/filebeat/docs/modules/proofpoint.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "proofpoint" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/radware.asciidoc b/filebeat/docs/modules/radware.asciidoc
index 3d1dbc4dcbc..d76a5b96fe0 100644
--- a/filebeat/docs/modules/radware.asciidoc
+++ b/filebeat/docs/modules/radware.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/snort.asciidoc b/filebeat/docs/modules/snort.asciidoc
index ff9d5809ae8..aa6a08f8f26 100644
--- a/filebeat/docs/modules/snort.asciidoc
+++ b/filebeat/docs/modules/snort.asciidoc
@@ -31,7 +31,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "snort" device revis
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc
index a50c6477307..17e953dcfc1 100644
--- a/filebeat/docs/modules/sonicwall.asciidoc
+++ b/filebeat/docs/modules/sonicwall.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc
index 88572fee06a..4e8a2367424 100644
--- a/filebeat/docs/modules/sophos.asciidoc
+++ b/filebeat/docs/modules/sophos.asciidoc
@@ -156,7 +156,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device re
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/squid.asciidoc b/filebeat/docs/modules/squid.asciidoc
index b72a4412537..4bf202b262a 100644
--- a/filebeat/docs/modules/squid.asciidoc
+++ b/filebeat/docs/modules/squid.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "squid" device revis
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
index a05384ff446..b8b5b6f950d 100644
--- a/filebeat/docs/modules/threatintel.asciidoc
+++ b/filebeat/docs/modules/threatintel.asciidoc
@@ -17,7 +17,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind
Match rules], but is also compatible with other features like
https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich
Processors]. The related threat intel attribute that is meant to be used for
-matching incoming source data is stored under the `threatintel.indicator.*`
+matching incoming source data is stored under the `threat.indicator.*`
fields.
The available filesets are:
@@ -73,9 +73,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
[options="header"]
|==============================================================
| URL Threat Intel Fields | ECS Fields
-| url | threatintel.indicator.url.full
+| url | threat.indicator.url.full
| date_added | @timestamp
-| host | threatintel.indicator.ip/domain
+| host | threat.indicator.ip/domain
|==============================================================
[[abusemalware]]
@@ -117,9 +117,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields.
[options="header"]
|================================================================
| Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| file_size | threatintel.indicator.file.size
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| file_size | threat.indicator.file.size
|================================================================
[[malwarebazaar]]
@@ -161,24 +161,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields.
[options="header"]
|================================================================
| Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| tlsh | threatintel.indicator.file.hash.tlsh
-| ssdeep | threatintel.indicator.file.hash.ssdeep
-| imphash | threatintel.indicator.file.pe.imphash
-| file_size | threatintel.indicator.file.size
-| file_name | threatintel.indicator.file.name
-| file_type_mime | threatintel.indicator.file.mime_type
-| file_type | threatintel.indicator.file.type
-| reporter | threatintel.indicator.provider
-| origin_country | threatintel.indicator.geo.country_iso_code
-| signature | threatintel.indicator.signature
-| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name
-| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name
-| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm
-| code_sign.valid_from | threatintel.indicator.file.x509.not_before
-| code_sign.valid_to | threatintel.indicator.file.x509.not_after
-| code_sign.serial_number | threatintel.indicator.file.x509.serial_number
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| sha384_hash | threat.indicator.file.hash.sha384
+| tlsh | threat.indicator.file.hash.tlsh
+| ssdeep | threat.indicator.file.hash.ssdeep
+| imphash | threat.indicator.file.pe.imphash
+| file_size | threat.indicator.file.size
+| file_name | threat.indicator.file.name
+| file_type_mime | threat.indicator.file.mime_type
+| file_type | threat.indicator.file.type
+| reporter | threat.indicator.provider
+| origin_country | threat.indicator.geo.country_iso_code
+| signature | threat.indicator.signature
+| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name
+| code_sign.issuer_cn | threat.indicator.file.x509.issuer.common_name
+| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm
+| code_sign.valid_from | threat.indicator.file.x509.not_before
+| code_sign.valid_to | threat.indicator.file.x509.not_after
+| code_sign.serial_number | threat.indicator.file.x509.serial_number
|================================================================
[[misp]]
@@ -255,10 +256,10 @@ MISP Threat Intel is mapped to the following ECS fields.
[options="header"]
|==============================================================
| Malware Threat IntelFields | ECS Fields
-| misp.first_seen | threatintel.indicator.first_seen
-| misp.last_seen | threatintel.indicator.last_seen
+| misp.first_seen | threat.indicator.first_seen
+| misp.last_seen | threat.indicator.last_seen
| misp.tag | tag
-| misp.value | threatintel.indicator.*
+| misp.value | threat.indicator.*
|==============================================================
`misp.value` is mapped to the appropriate field dependent on attribute type.
@@ -336,9 +337,9 @@ OTX Threat Intel is mapped to the following ECS fields.
[options="header"]
|============================================================
| Malware Threat Intel Fields | ECS Fields
-| otx.type | threatintel.indicator.type
-| otx.description | threatintel.indicator.description
-| otx.indicator | threatintel.indicator.*
+| otx.type | threat.indicator.type
+| otx.description | threat.indicator.description
+| otx.indicator | threat.indicator.*
|============================================================
`otx.indicator` is mapped to the appropriate field dependent on attribute type.
@@ -420,10 +421,10 @@ Anomali Threat Intel is mapped to the following ECS fields.
[options="header"]
|=============================================================
| Malware Threat Intel Fields | ECS Fields
-| anomali.description | threatintel.indicator.description
-| anomali.created | threatintel.indicator.first_seen
-| anomali.modified | threatintel.indicator.last_seen
-| anomali.pattern | threatintel.indicator.*
+| anomali.description | threat.indicator.description
+| anomali.created | threat.indicator.first_seen
+| anomali.modified | threat.indicator.last_seen
+| anomali.pattern | threat.indicator.*
| anomali.labels | tags
|=============================================================
@@ -491,24 +492,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
[options="header"]
|=============================================================
| ThreatStream fields | ECS Fields
-| asn | threatintel.indicator.as.number
-| classification<> | threatintel.indicator.marking.tlp
-| confidence<> | threatintel.indicator.confidence
-| country | threatintel.indicator.geo.country_iso_code
-| date_first | threatintel.indicator.first_seen
-| date_last | threatintel.indicator.last_seen
+| asn | threat.indicator.as.number
+| classification<> | threat.indicator.marking.tlp
+| confidence<> | threat.indicator.confidence
+| country | threat.indicator.geo.country_iso_code
+| date_first | threat.indicator.first_seen
+| date_last | threat.indicator.last_seen
| detail | tags
-| domain | threatintel.indicator.url.domain
-| email | threatintel.indicator.email.address
-| itype<> | threatintel.indicator.type
-| lat | threatintel.indicator.geo.location.lat
-| lon | threatintel.indicator.geo.location.lon
-| md5 | threatintel.indicator.file.hash
-| org | threatintel.indicator.as.organization.name
+| domain | threat.indicator.url.domain
+| email | threat.indicator.email.address
+| itype<> | threat.indicator.type
+| lat | threat.indicator.geo.location.lat
+| lon | threat.indicator.geo.location.lon
+| md5 | threat.indicator.file.hash
+| org | threat.indicator.as.organization.name
| severity<> | event.severity
-| source | threatintel.indicator.provider
-| srcip | threatintel.indicator.ip
-| url | threatintel.indicator.url.original
+| source | threat.indicator.provider
+| srcip | threat.indicator.ip
+| url | threat.indicator.url.original
|=============================================================
[[a]]
@@ -590,16 +591,16 @@ Recorded Future fields are mapped to the following ECS fields:
[options="header"]
|=============================================================
| Recorded Future fields | ECS Fields
-| entity.name | threatintel.indicator.{url,ip,domain,file.hash}
-| entity.type | threatintel.indicator.type
-| fileHashes | threatintel.indicator.file.hash
+| entity.name | threat.indicator.{url,ip,domain,file.hash}
+| entity.type | threat.indicator.type
+| fileHashes | threat.indicator.file.hash
| intelCard | event.reference
-| location.asn | threatintel.indicator.as.number
-| location.location | threatintel.indicator.geo
-| location.organization | threatintel.indicator.as.organization.name
+| location.asn | threat.indicator.as.number
+| location.location | threat.indicator.geo
+| location.organization | threat.indicator.as.organization.name
| risk.score | event.risk_score
-| timestamps.firstSeen | threatintel.indicator.first_seen
-| timestamps.lastSeen | threatintel.indicator.last_seen
+| timestamps.firstSeen | threat.indicator.first_seen
+| timestamps.lastSeen | threat.indicator.last_seen
|=============================================================
:has-dashboards!:
@@ -707,11 +708,11 @@ Recorded Future fields are mapped to the following ECS fields:
[options="header"]
|=============================================================
| ThreatQ fields | ECS Fields
-| type.name | threatintel.indicator.type
-| description | threatintel.indicator.description
-| score | threatintel.indicator.confidence
-| value | threatintel.indicator.{url,ip,domain,file.hash}
-| sources | threatintel.indicator.provider
+| type.name | threat.indicator.type
+| description | threat.indicator.description
+| score | threat.indicator.confidence
+| value | threat.indicator.{url,ip,domain,file.hash}
+| sources | threat.indicator.provider
|=============================================================
:has-dashboards!:
diff --git a/filebeat/docs/modules/tomcat.asciidoc b/filebeat/docs/modules/tomcat.asciidoc
index 7f80711b1c4..f3057c08be8 100644
--- a/filebeat/docs/modules/tomcat.asciidoc
+++ b/filebeat/docs/modules/tomcat.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" devic
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.paths`*::
diff --git a/filebeat/docs/modules/zscaler.asciidoc b/filebeat/docs/modules/zscaler.asciidoc
index 3586f16d6d1..0a09654200d 100644
--- a/filebeat/docs/modules/zscaler.asciidoc
+++ b/filebeat/docs/modules/zscaler.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
index d970fe2cead..45d679cc194 100644
--- a/filebeat/filebeat.reference.yml
+++ b/filebeat/filebeat.reference.yml
@@ -501,7 +501,8 @@ filebeat.inputs:
#max_bytes: 10485760
# Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
- # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator.
+ # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+ # null_terminator
#line_terminator: auto
### Recursive glob configuration
@@ -755,7 +756,8 @@ filebeat.inputs:
#message_max_bytes: 10485760
# Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
- # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator.
+ # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+ # null_terminator
#line_terminator: auto
# The ingest pipeline ID associated with this input. If this is set, it
@@ -2295,11 +2297,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. filebeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -2484,6 +2481,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
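Review bot: The new `http.pprof.enabled` comment says the endpoints "may leak data" without saying what is exposed or how to contain it, which is the information an operator needs before flipping the flag. pprof serves heap and goroutine dumps and on-demand CPU profiles, so anyone who can reach the stats listener can read process memory contents (which can include credentials loaded from this very config) and drive CPU load at will. Suggest making the comment actionable: `# Only enable together with the stats listener bound to localhost: heap/goroutine dumps expose process memory (including loaded secrets) and CPU profiles can be triggered by any client that can reach the endpoint.` The listener-address key is not visible in this hunk, so name it explicitly if it sits above (`http.host` or similar).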
diff --git a/filebeat/processor/add_kubernetes_metadata/matchers.go b/filebeat/processor/add_kubernetes_metadata/matchers.go
index 55336c3a315..7e7996fede7 100644
--- a/filebeat/processor/add_kubernetes_metadata/matchers.go
+++ b/filebeat/processor/add_kubernetes_metadata/matchers.go
@@ -78,59 +78,78 @@ func newLogsPathMatcher(cfg common.Config) (add_kubernetes_metadata.Matcher, err
// Docker container ID is a 64-character-long hexadecimal string
const containerIdLen = 64
-// Pod UID is on the 5th index of the path directories
-const podUIDPos = 5
-
func (f *LogPathMatcher) MetadataIndex(event common.MapStr) string {
value, err := event.GetValue("log.file.path")
- if err == nil {
- source := value.(string)
- f.logger.Debugf("Incoming log.file.path value: %s", source)
+ if err != nil {
+ f.logger.Debugf("Error extracting log.file.path from the event: %s.", event)
+ return ""
+ }
- if !strings.Contains(source, f.LogsPath) {
- f.logger.Errorf("Error extracting container id - source value does not contain matcher's logs_path '%s'.", f.LogsPath)
- return ""
- }
+ source := value.(string)
+ f.logger.Debugf("Incoming log.file.path value: %s", source)
+
+ if !strings.Contains(source, f.LogsPath) {
+ f.logger.Errorf("Error extracting container id - source value does not contain matcher's logs_path '%s'.", f.LogsPath)
+ return ""
+ }
- sourceLen := len(source)
- logsPathLen := len(f.LogsPath)
+ sourceLen := len(source)
+ logsPathLen := len(f.LogsPath)
- if f.ResourceType == "pod" {
- // Specify a pod resource type when manually mounting log volumes and they end up under "/var/lib/kubelet/pods/"
- // This will extract only the pod UID, which offers less granularity of metadata when compared to the container ID
- if strings.HasPrefix(f.LogsPath, podLogsPath()) && strings.HasSuffix(source, ".log") {
+ if f.ResourceType == "pod" {
+ // Pod resource type will extract only the pod UID, which offers less granularity of metadata when compared to the container ID
+ if strings.HasSuffix(source, ".log") {
+ // Specify a pod resource type when writting logs into manually mounted log volume,
+ // those logs apper under under "/var/lib/kubelet/pods//volumes/..."
+ if strings.HasPrefix(f.LogsPath, podKubeletLogsPath()) {
pathDirs := strings.Split(source, pathSeparator)
+ podUIDPos := 5
if len(pathDirs) > podUIDPos {
podUID := strings.Split(source, pathSeparator)[podUIDPos]
-
f.logger.Debugf("Using pod uid: %s", podUID)
return podUID
}
-
- f.logger.Error("Error extracting pod uid - source value contains matcher's logs_path, however it is too short to contain a Pod UID.")
- }
- } else {
- // In case of the Kubernetes log path "/var/log/containers/",
- // the container ID will be located right before the ".log" extension.
- if strings.HasPrefix(f.LogsPath, containerLogsPath()) && strings.HasSuffix(source, ".log") && sourceLen >= containerIdLen+4 {
- containerIDEnd := sourceLen - 4
- cid := source[containerIDEnd-containerIdLen : containerIDEnd]
- f.logger.Debugf("Using container id: %s", cid)
- return cid
}
-
- // In any other case, we assume the container ID will follow right after the log path.
- // However we need to check the length to prevent "slice bound out of range" runtime errors.
- if sourceLen >= logsPathLen+containerIdLen {
- cid := source[logsPathLen : logsPathLen+containerIdLen]
- f.logger.Debugf("Using container id: %s", cid)
- return cid
+ // In case of the Kubernetes log path "/var/log/pods/",
+ // the pod ID will be extracted from the directory name,
+ // file name example: "/var/log/pods/'__'/container_name/0.log".
+ if strings.HasPrefix(f.LogsPath, podLogsPath()) {
+ pathDirs := strings.Split(source, pathSeparator)
+ podUIDPos := 4
+ if len(pathDirs) > podUIDPos {
+ podUID := strings.Split(pathDirs[podUIDPos], "_")
+ if len(podUID) > 2 {
+ f.logger.Debugf("Using pod uid: %s", podUID[2])
+ return podUID[2]
+ }
+ }
}
- f.logger.Error("Error extracting container id - source value contains matcher's logs_path, however it is too short to contain a Docker container ID.")
+ f.logger.Error("Error extracting pod uid - source value does not contains matcher's logs_path")
+ return ""
}
}
+ // In case of the Kubernetes log path "/var/log/containers/",
+ // the container ID will be located right before the ".log" extension.
+ // file name example: /var/log/containers/__-.log
+ if strings.HasPrefix(f.LogsPath, containerLogsPath()) && strings.HasSuffix(source, ".log") && sourceLen >= containerIdLen+4 {
+ containerIDEnd := sourceLen - 4
+ cid := source[containerIDEnd-containerIdLen : containerIDEnd]
+ f.logger.Debugf("Using container id: %s", cid)
+ return cid
+ }
+ // In any other case, we assume the container ID will follow right after the log path.
+ // However we need to check the length to prevent "slice bound out of range" runtime errors.
+ // for the default log path /var/lib/docker/containers/ container ID will follow right after the log path.
+ // file name example: /var/lib/docker/containers//-json.log
+ if sourceLen >= logsPathLen+containerIdLen {
+ cid := source[logsPathLen : logsPathLen+containerIdLen]
+ f.logger.Debugf("Using container id: %s", cid)
+ return cid
+ }
+
+ f.logger.Error("Error extracting container id - source value contains matcher's logs_path, however it is too short to contain a Docker container ID.")
return ""
}
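Review bot: With the old `else` removed, a `pod` resource type whose `log.file.path` does not end in `.log` now skips the `strings.HasSuffix(source, ".log")` block and falls through to the container-ID extraction at the bottom of the function, returning an arbitrary 64-byte slice of the path as if it were a pod UID; the previous structure never reached that code for `pod`. Moving the `f.logger.Error(...)`/`return ""` pair out of the `.log` guard so it closes the pod branch restores that. Separately, `source := value.(string)` is an unchecked type assertion: an event carrying a non-string `log.file.path` panics the whole processor, so use the two-value form and bail out. The "does not contains" wording in the new error string is also worth fixing while here.

```go
source, ok := value.(string)
if !ok {
	f.logger.Errorf("Error extracting container id - log.file.path is not a string: %T.", value)
	return ""
}
// … unchanged: logs_path containment check, sourceLen/logsPathLen …
if f.ResourceType == "pod" {
	if strings.HasSuffix(source, ".log") {
		// … unchanged: /var/lib/kubelet/pods and /var/log/pods extraction …
	}
	f.logger.Error("Error extracting pod uid - source value does not contain matcher's logs_path")
	return ""
}
// … unchanged: container ID extraction …
```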
@@ -141,13 +160,20 @@ func defaultLogPath() string {
return "/var/lib/docker/containers/"
}
-func podLogsPath() string {
+func podKubeletLogsPath() string {
if runtime.GOOS == "windows" {
return "C:\\var\\lib\\kubelet\\pods\\"
}
return "/var/lib/kubelet/pods/"
}
+func podLogsPath() string {
+ if runtime.GOOS == "windows" {
+ return "C:\\var\\log\\pods\\"
+ }
+ return "/var/log/pods/"
+}
+
func containerLogsPath() string {
if runtime.GOOS == "windows" {
return "C:\\var\\log\\containers\\"
diff --git a/filebeat/processor/add_kubernetes_metadata/matchers_test.go b/filebeat/processor/add_kubernetes_metadata/matchers_test.go
index 5fc76514377..27e376c8816 100644
--- a/filebeat/processor/add_kubernetes_metadata/matchers_test.go
+++ b/filebeat/processor/add_kubernetes_metadata/matchers_test.go
@@ -117,6 +117,36 @@ func TestLogsPathMatcher_InvalidSource4(t *testing.T) {
executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
}
+func TestLogsPathMatcher_InvalidVarLogPodSource(t *testing.T) {
+ cfgLogsPath := "/var/log/pods/"
+ cfgResourceType := "pod"
+ source := fmt.Sprintf("/invalid/dir/namespace_pod-name_%s/container/0.log", puid)
+ expectedResult := ""
+ executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
+}
+
+func TestLogsPathMatcher_InvalidVarLogPodIDFormat(t *testing.T) {
+ cfgLogsPath := "/var/log/pods/"
+ cfgResourceType := "pod"
+ source := fmt.Sprintf("/var/log/pods/%s/container/0.log", puid)
+ expectedResult := ""
+ executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
+}
+
+func TestLogsPathMatcher_ValidVarLogPod(t *testing.T) {
+ cfgLogsPath := "/var/log/pods/"
+ cfgResourceType := "pod"
+ sourcePath := "/var/log/pods/namespace_pod-name_%s/container/0.log"
+
+ if runtime.GOOS == "windows" {
+ cfgLogsPath = "C:\\var\\log\\pods\\"
+ sourcePath = "C:\\var\\log\\pods\\namespace_pod-name_%s\\container\\0.log"
+ }
+ source := fmt.Sprintf(sourcePath, puid)
+ expectedResult := puid
+ executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
+}
+
func executeTest(t *testing.T, cfgLogsPath string, source string, expectedResult string) {
executeTestWithResourceType(t, cfgLogsPath, "", source, expectedResult)
}
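Review bot: None of the new cases exercise `ResourceType == "pod"` with a source that does not end in `.log`, which is the path where the rewritten matcher's control flow changed the most (the pod branch no longer has an `else`, so such a source continues into the container-ID logic). A case like `source := fmt.Sprintf("/var/log/pods/namespace_pod-name_%s/container/0.txt", puid)` with `expectedResult := ""` would pin the intended behaviour either way. The Windows-path variant is only covered for `/var/log/pods/`; the `/var/lib/kubelet/pods/` layout has no Windows case here, though one may exist above the hunk.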
diff --git a/filebeat/tests/system/filebeat.py b/filebeat/tests/system/filebeat.py
index 92df15911bb..9f1f7905d16 100644
--- a/filebeat/tests/system/filebeat.py
+++ b/filebeat/tests/system/filebeat.py
@@ -36,7 +36,7 @@ def access_registry(self, name=None, data_path=None):
return Registry(data_path, name)
def log_access(self, file=None):
- file = file if file else self.beat_name + ".log"
+ file = file if file else self.beat_name + "-" + self.today + ".ndjson"
return LogState(os.path.join(self.working_dir, file))
def has_registry(self, name=None, data_path=None):
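Review bot: The default log file name is now computed from `self.today` at the moment `log_access` is called, so a test that starts the beat just before midnight and inspects its log afterwards looks for a file that was never written; the previous `self.beat_name + ".log"` had no such time dependency. If `self.today` is evaluated per call rather than fixed at test start (its definition is not visible here), capture the date when the beat is launched or resolve the newest `<beat>-*.ndjson` with `glob` instead of rebuilding the name.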
diff --git a/filebeat/tests/system/test_harvester.py b/filebeat/tests/system/test_harvester.py
index f56a51d0fe0..ecbb23fab77 100644
--- a/filebeat/tests/system/test_harvester.py
+++ b/filebeat/tests/system/test_harvester.py
@@ -493,11 +493,11 @@ def test_boms(self, fb_encoding, py_encoding, bom):
filebeat = self.start_beat(output=fb_encoding + ".log")
self.wait_until(
- lambda: self.output_has(lines=1, output_file="output/" + fb_encoding),
+ lambda: self.output_has(lines=1, output_file="output/" + fb_encoding + "-" + self.today + ".ndjson"),
max_timeout=10)
# Verify that output does not contain bom
- output = self.read_output_json(output_file="output/" + fb_encoding)
+ output = self.read_output_json(output_file="output/" + fb_encoding + "-" + self.today + ".ndjson")
assert output[0]["message"] == message
filebeat.kill_and_wait()
diff --git a/filebeat/tests/system/test_input.py b/filebeat/tests/system/test_input.py
index f9dbd138a2e..a4215587735 100644
--- a/filebeat/tests/system/test_input.py
+++ b/filebeat/tests/system/test_input.py
@@ -633,10 +633,10 @@ def test_restart_recursive_glob(self):
with open(testfile_path, 'a') as testfile:
testfile.write("entry2\n")
- filebeat = self.start_beat(output="filebeat2.log")
+ filebeat = self.start_beat()
self.wait_until(
- lambda: self.output_has_message("entry2"),
+ lambda: self.output_has_message("entry2", output_file="output/filebeat-"+self.today+"-1.ndjson"),
max_timeout=10,
name="output contains 'entry2'")
@@ -783,7 +783,7 @@ def test_inode_marker_based_identity_tracking_to_path_based(self):
proc = self.start_beat()
# on startup output is rotated
- self.wait_until(lambda: self.output_has(lines=1, output_file="output/filebeat.1"))
+ self.wait_until(lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + "-1.ndjson"))
self.wait_until(lambda: self.output_has(lines=1))
proc.check_kill_and_wait()
diff --git a/filebeat/tests/system/test_load.py b/filebeat/tests/system/test_load.py
index 6a35a6ce250..b48b83e2659 100644
--- a/filebeat/tests/system/test_load.py
+++ b/filebeat/tests/system/test_load.py
@@ -72,7 +72,7 @@ def test_no_missing_events(self):
entry_list = []
- with open(self.working_dir + "/output/filebeat") as f:
+ with open(self.working_dir + "/output/filebeat-" + self.today + ".ndjson") as f:
for line in f:
content = json.loads(line)
v = int(content["message"])
diff --git a/filebeat/tests/system/test_multiline.py b/filebeat/tests/system/test_multiline.py
index ee5384ef5ef..31d4f0258ca 100644
--- a/filebeat/tests/system/test_multiline.py
+++ b/filebeat/tests/system/test_multiline.py
@@ -148,11 +148,11 @@ def test_max_lines(self):
# Checks line 3 is sent
assert True == self.log_contains(
- "MetaDataMappingService.java:388", "output/filebeat")
+ "MetaDataMappingService.java:388", "output/filebeat-" + self.today + ".ndjson")
# Checks line 4 is not sent anymore
assert False == self.log_contains(
- "InternalClusterService.java:388", "output/filebeat")
+ "InternalClusterService.java:388", "output/filebeat-" + self.today + ".ndjson")
# Check that output file has the same number of lines as the log file
assert 20 == len(output)
@@ -231,10 +231,10 @@ def test_max_bytes(self):
output = self.read_output()
# Check that first 60 chars are sent
- assert True == self.log_contains("cluster.metadata", "output/filebeat")
+ assert True == self.log_contains("cluster.metadata", "output/filebeat-" + self.today + ".ndjson")
# Checks that chars afterwards are not sent
- assert False == self.log_contains("Zach", "output/filebeat")
+ assert False == self.log_contains("Zach", "output/filebeat-" + self.today + ".ndjson")
# Check that output file has the same number of lines as the log file
assert 20 == len(output)
diff --git a/filebeat/tests/system/test_registrar.py b/filebeat/tests/system/test_registrar.py
index 02d07a32446..bb55ef547b3 100644
--- a/filebeat/tests/system/test_registrar.py
+++ b/filebeat/tests/system/test_registrar.py
@@ -486,11 +486,11 @@ def test_restart_continue(self):
# Output file was rotated
self.wait_until(
- lambda: self.output_has(lines=1, output_file="output/filebeat.1"),
+ lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + ".ndjson"),
max_timeout=10)
self.wait_until(
- lambda: self.output_has(lines=1),
+ lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + "-1.ndjson"),
max_timeout=10)
filebeat.check_kill_and_wait()
@@ -505,7 +505,7 @@ def test_restart_continue(self):
# should never have been detected
assert len(data) == 1
- output = self.read_output()
+ output = self.read_output(output_file="output/filebeat-" + self.today + "-1.ndjson")
# Check that output file has the same number of lines as the log file
assert len(output) == 1
@@ -592,15 +592,15 @@ def test_rotating_file_with_restart(self):
with open(testfile_path, 'w') as testfile:
testfile.write("entry3\n")
- filebeat = self.start_beat(output="filebeat2.log")
+ filebeat = self.start_beat()
# Output file was rotated
self.wait_until(
- lambda: self.output_has(lines=2, output_file="output/filebeat.1"),
+ lambda: self.output_has(lines=2),
max_timeout=10)
self.wait_until(
- lambda: self.output_has(lines=1),
+ lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + "-1.ndjson"),
max_timeout=10)
filebeat.check_kill_and_wait()
@@ -951,8 +951,8 @@ def test_restart_state(self):
clean_inactive="3s",
)
- filebeat = self.start_beat(output="filebeat2.log")
- logs = self.log_access("filebeat2.log")
+ filebeat = self.start_beat()
+ logs = self.log_access()
# Write additional file
for name in restart_files:
diff --git a/go.mod b/go.mod
index dcb29623f7a..c47fcd15bc8 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,8 @@ require (
code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee // indirect
code.cloudfoundry.org/go-loggregator v7.4.0+incompatible
code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a // indirect
- github.com/Azure/azure-event-hubs-go/v3 v3.1.2
- github.com/Azure/azure-sdk-for-go v57.0.0+incompatible
+ github.com/Azure/azure-event-hubs-go/v3 v3.3.15
+ github.com/Azure/azure-sdk-for-go v59.0.0+incompatible
github.com/Azure/azure-storage-blob-go v0.8.0
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
github.com/Azure/go-autorest/autorest v0.11.19
@@ -74,7 +74,7 @@ require (
github.com/elastic/go-sysinfo v1.7.1
github.com/elastic/go-ucfg v0.8.3
github.com/elastic/go-windows v1.0.1
- github.com/elastic/gosigar v0.14.1
+ github.com/elastic/gosigar v0.14.2
github.com/fatih/color v1.9.0
github.com/fearful-symmetry/gorapl v0.0.4
github.com/fsnotify/fsevents v0.1.1
@@ -195,9 +195,9 @@ require (
require (
code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f // indirect
- github.com/Azure/azure-amqp-common-go/v3 v3.0.0 // indirect
+ github.com/Azure/azure-amqp-common-go/v3 v3.2.1 // indirect
github.com/Azure/azure-pipeline-go v0.2.1 // indirect
- github.com/Azure/go-amqp v0.12.6 // indirect
+ github.com/Azure/go-amqp v0.16.0 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 // indirect
github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index ff81dbb5d18..3ba3d94b54e 100644
--- a/go.sum
+++ b/go.sum
@@ -55,25 +55,25 @@ code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a h1:8rqv2w8xEceN
code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a/go.mod h1:tkZo8GtzBjySJ7USvxm4E36lNQw1D3xM6oKHGqdaAJ4=
collectd.org v0.3.0/go.mod h1:A/8DzQBkF6abtvrT2j/AU/4tiBgJWYyh0y/oB/4MlWE=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/Azure/azure-amqp-common-go/v3 v3.0.0 h1:j9tjcwhypb/jek3raNrwlCIl7iKQYOug7CLpSyBBodc=
-github.com/Azure/azure-amqp-common-go/v3 v3.0.0/go.mod h1:SY08giD/XbhTz07tJdpw1SoxQXHPN30+DI3Z04SYqyg=
-github.com/Azure/azure-event-hubs-go/v3 v3.1.2 h1:S/NjCZ1Z2R4rHJd2Hbbad6rIhxJ4lZZebKTsKHweX4A=
-github.com/Azure/azure-event-hubs-go/v3 v3.1.2/go.mod h1:hR40byNJjKkS74+3RhloPQ8sJ8zFQeJ920Uk3oYY0+k=
+github.com/Azure/azure-amqp-common-go/v3 v3.2.1 h1:uQyDk81yn5hTP1pW4Za+zHzy97/f4vDz9o1d/exI4j4=
+github.com/Azure/azure-amqp-common-go/v3 v3.2.1/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI=
+github.com/Azure/azure-event-hubs-go/v3 v3.3.15 h1:2yAik9gS5Qjs4Z6EM1B6d0tfZJ506B/0oA08JlRQxb8=
+github.com/Azure/azure-event-hubs-go/v3 v3.3.15/go.mod h1:xgDvUi1+8/bb11WTEaU7VwZREYufzKzjWE4YiPZixb0=
github.com/Azure/azure-pipeline-go v0.1.8/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg=
github.com/Azure/azure-pipeline-go v0.1.9/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg=
github.com/Azure/azure-pipeline-go v0.2.1 h1:OLBdZJ3yvOn2MezlWvbrBMTEUQC72zAftRZOMdj5HYo=
github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4=
github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v41.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v55.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v57.0.0+incompatible h1:isVki3PbIFrwKvKdVP1byxo73/pt+Nn174YxW1k4PNw=
-github.com/Azure/azure-sdk-for-go v57.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v59.0.0+incompatible h1:I1ULJqny1qQhUBFy11yDXHhW3pLvbhwV0PTn7mjp9V0=
+github.com/Azure/azure-sdk-for-go v59.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y=
github.com/Azure/azure-storage-blob-go v0.8.0 h1:53qhf0Oxa0nOjgbDeeYPUeyiNmafAFEY95rZLK0Tj6o=
github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0=
-github.com/Azure/go-amqp v0.12.6 h1:34yItuwhA/nusvq2sPSNPQxZLCf/CtaogYH8n578mnY=
-github.com/Azure/go-amqp v0.12.6/go.mod h1:qApuH6OFTSKZFmCOxccvAv5rLizBQf4v8pRmG138DPo=
+github.com/Azure/go-amqp v0.16.0 h1:6mhxUxaKLjMtHlGqzeih/LKqjUPLZxbM6zwfz5/C4NQ=
+github.com/Azure/go-amqp v0.16.0/go.mod h1:9YJ3RhxRT1gquYnzpZO1vcYMMpAdJT+QEg6fwmw9Zlg=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
@@ -85,6 +85,7 @@ github.com/Azure/go-autorest/autorest v0.10.0/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUd
github.com/Azure/go-autorest/autorest v0.10.1/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630=
github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
+github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
github.com/Azure/go-autorest/autorest v0.11.19 h1:7/IqD2fEYVha1EPeaiytVKhzmPV223pfkRIQUGOK2IE=
github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
@@ -534,8 +535,8 @@ github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+F
github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU=
github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0=
github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
-github.com/elastic/gosigar v0.14.1 h1:T0aQ7n/n2ZA9W7DmAnj60v+qzqKERdBgJBO1CG2W6rc=
-github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs=
+github.com/elastic/gosigar v0.14.2 h1:Dg80n8cr90OZ7x+bAax/QjoW/XqTI11RmA79ZwIm9/4=
+github.com/elastic/gosigar v0.14.2/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs=
github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752 h1:5/RUNg7rkIvayjPhAIoI3v8p45NfWcfWs5DZSElycis=
github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752/go.mod h1:mdtqvCSg8JOxk8PmpTNGyo6wzd4BMm4QXSfDnTXmgkE=
github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
diff --git a/heartbeat/docs/monitors/monitor-browser.asciidoc b/heartbeat/docs/monitors/monitor-browser.asciidoc
index 3bd4e183f97..49f31668d47 100644
--- a/heartbeat/docs/monitors/monitor-browser.asciidoc
+++ b/heartbeat/docs/monitors/monitor-browser.asciidoc
@@ -4,7 +4,7 @@
TIP: Want to get started with synthetic monitoring?
See the {observability-guide}/synthetics-quickstart.html[quick start guide].
-The options described here configure {beatname_uc} to run the synthetic
+beta[] The options described here configure {beatname_uc} to run the synthetic
monitoring test suites via Synthetic Agent on the Chromium browser.
Additional shared options are defined in <>.
Example configuration:
diff --git a/heartbeat/hbtest/hbtestutil.go b/heartbeat/hbtest/hbtestutil.go
index 80753294d8e..7b73f79514f 100644
--- a/heartbeat/hbtest/hbtestutil.go
+++ b/heartbeat/hbtest/hbtestutil.go
@@ -83,9 +83,12 @@ func SizedResponseHandler(bytes int) http.HandlerFunc {
)
}
-func CustomResponseHandler(body []byte, status int) http.HandlerFunc {
+func CustomResponseHandler(body []byte, status int, extraHeaders map[string]string) http.HandlerFunc {
return http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
+ for key, val := range extraHeaders {
+ w.Header().Add(key, val)
+ }
w.WriteHeader(status)
w.Write(body)
},
diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml
index dc6622a50b3..8f0f019626b 100644
--- a/heartbeat/heartbeat.reference.yml
+++ b/heartbeat/heartbeat.reference.yml
@@ -1529,11 +1529,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. heartbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Heartbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1718,6 +1713,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
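Review bot: "These endpoints may leak data" understates what `http.pprof.enabled` exposes: heap and goroutine dumps let any client of the stats listener read process memory, including secrets Heartbeat has loaded, and CPU profiles can be triggered remotely. Suggest the comment spell this out and tie the recommendation to the listener binding, e.g. `# Enable only with the stats listener bound to localhost; the heap/goroutine dumps expose process memory (including loaded secrets) and profiles can be triggered by any client that can reach the endpoint.` The listener-address key is not visible in this hunk, so reference it by name if it is defined above.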
diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go
index c715fc6bf50..8d25d876358 100644
--- a/heartbeat/monitors/active/http/http_test.go
+++ b/heartbeat/monitors/active/http/http_test.go
@@ -18,6 +18,8 @@
package http
import (
+ "bytes"
+ "compress/gzip"
"crypto/tls"
"crypto/x509"
"fmt"
@@ -412,7 +414,7 @@ func TestJsonBody(t *testing.T) {
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
- server := httptest.NewServer(hbtest.CustomResponseHandler([]byte(tc.responseBody), 200))
+ server := httptest.NewServer(hbtest.CustomResponseHandler([]byte(tc.responseBody), 200, nil))
defer server.Close()
jsonCheck := common.MapStr{"description": tc.name}
@@ -808,6 +810,87 @@ func mustParseURL(t *testing.T, url string) *url.URL {
return parsed
}
+// helper that compresses some content as gzip
+func gzipBuffer(t *testing.T, toZip string) *bytes.Buffer {
+ var gzipBuffer bytes.Buffer
+ gzipWriter := gzip.NewWriter(&gzipBuffer)
+ defer gzipWriter.Close()
+ _, err := gzipWriter.Write([]byte(toZip))
+ if err != nil {
+ t.Fatal(err)
+ }
+ return &gzipBuffer
+}
+
+/*
+ * This test ensures Heartbeat will decode the response body if the server specifies
+ * that it is gzip encoded. This is a test of the happy path where client/server behave as expected. */
+func TestDecodesGzip(t *testing.T) {
+ gzBuffer := gzipBuffer(t, "TestEncodingAccept")
+
+ server := httptest.NewServer(hbtest.CustomResponseHandler(gzBuffer.Bytes(), 200, map[string]string{
+ "Content-Encoding": "gzip",
+ }))
+ defer server.Close()
+
+ evt := sendTLSRequest(t, server.URL, false, map[string]interface{}{
+ "response.include_body": "always",
+ "check.request.headers": map[string]interface{}{"Accept-Encoding": "gzip"},
+ })
+
+ content, err := evt.Fields.GetValue("http.response.body.content")
+
+ assert.NoError(t, err)
+ assert.Exactly(t, content, "TestEncodingAccept")
+}
+
+/*
+ * This test verifies that, in the absence of the response header `Content-Encoding: gzip`, Heartbeat
+ * will not decode the response body. */
+func TestNoGzipDecodeWithoutHeader(t *testing.T) {
+ gzBuffer := gzipBuffer(t, "TestEncodingAccept")
+
+ // here Heartbeat asks the server for a `gzip` body, but the server omits the appropriate response header
+ server := httptest.NewServer(hbtest.CustomResponseHandler(gzBuffer.Bytes(), 200, map[string]string{}))
+ defer server.Close()
+
+ evt := sendTLSRequest(t, server.URL, false, map[string]interface{}{
+ "response.include_body": "always",
+ "check.request.headers": map[string]interface{}{"Accept-Encoding": "gzip"},
+ })
+
+ content, err := evt.Fields.GetValue("http.response.body.content")
+
+ assert.NoError(t, err)
+
+ // doesn't decode gzip text without content header
+ assert.Exactly(t, content, "\x1f\x8b\b\x00\x00\x00\x00\x00\x00\xff\nI-.q\xcdK\xceO\xc9\xccKwLNN-(\x01\x04\x00\x00\xff\xffW\xbeE\x0e\x12\x00\x00\x00")
+}
+
+/* When Heartbeat doesn't request `gzip`, and the server responds with a `gzip` body/header anyway,
+ * Heartbeat will still decode it gracefully. This is a case where the server behaved inappropriately,
+ * but as long as the header is included Heartbeat tries to do the right thing. */
+func TestGzipDecodeWithoutRequestHeader(t *testing.T) {
+ gzBuffer := gzipBuffer(t, "TestEncodingAccept")
+
+ server := httptest.NewServer(hbtest.CustomResponseHandler(gzBuffer.Bytes(), 200, map[string]string{
+ "Content-Encoding": "gzip",
+ }))
+ defer server.Close()
+
+ evt := sendTLSRequest(t, server.URL, false, map[string]interface{}{
+ // no header here from Heartbeat asking the server for `gzip`
+ "response.include_body": "always",
+ })
+
+ content, err := evt.Fields.GetValue("http.response.body.content")
+
+ assert.NoError(t, err)
+
+ // Heartbeat decoded the `gzip` even without requesting it
+ assert.Exactly(t, content, "TestEncodingAccept")
+}
+
func TestUserAgentInject(t *testing.T) {
ua := ""
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
diff --git a/heartbeat/monitors/active/http/simple_transp.go b/heartbeat/monitors/active/http/simple_transp.go
index a16ccb350ce..45aafcb0f31 100644
--- a/heartbeat/monitors/active/http/simple_transp.go
+++ b/heartbeat/monitors/active/http/simple_transp.go
@@ -39,8 +39,7 @@ const (
// SimpleTransport contains the dialer and read/write callbacks
type SimpleTransport struct {
- Dialer transport.Dialer
- DisableCompression bool
+ Dialer transport.Dialer
OnStartWrite func()
OnEndWrite func()
@@ -86,17 +85,6 @@ func (t *SimpleTransport) RoundTrip(req *http.Request) (*http.Response, error) {
return nil, err
}
- requestedGzip := false
- if t.DisableCompression &&
- req.Header.Get("Accept-Encoding") == "" &&
- req.Header.Get("Range") == "" &&
- req.Method != "HEAD" {
-
- requestedGzip = true
- req.Header.Add("Accept-Encoding", gzipEncoding)
- defer req.Header.Del("Accept-Encoding")
- }
-
done := req.Context().Done()
readerDone := make(chan readReturn, 1)
writerDone := make(chan error, 1)
@@ -108,7 +96,7 @@ func (t *SimpleTransport) RoundTrip(req *http.Request) (*http.Response, error) {
// read response
go func() {
- resp, err := t.readResponse(conn, req, requestedGzip)
+ resp, err := t.readResponse(conn, req)
readerDone <- readReturn{resp, err}
}()
@@ -180,7 +168,6 @@ func (c comboConnReadCloser) Close() error {
func (t *SimpleTransport) readResponse(
conn net.Conn,
req *http.Request,
- requestedGzip bool,
) (*http.Response, error) {
reader := bufio.NewReader(conn)
resp, err := http.ReadResponse(reader, req)
@@ -191,11 +178,7 @@ func (t *SimpleTransport) readResponse(
t.sigStartRead()
- if requestedGzip && resp.Header.Get("Content-Encoding") == gzipEncoding {
- resp.Header.Del("Content-Encoding")
- resp.Header.Del("Content-Length")
- resp.ContentLength = -1
-
+ if resp.Header.Get("Content-Encoding") == gzipEncoding {
unzipper, err := gzip.NewReader(resp.Body)
if err != nil {
resp.Body.Close()
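Review bot: The new condition decompresses any response carrying `Content-Encoding: gzip`, whether or not the monitor asked for it, yet nothing in this hunk bounds the inflated size — a monitored (or spoofed) server can answer with a small gzip bomb and Heartbeat will inflate it while reading the body. The removed branch also deleted `Content-Encoding`/`Content-Length` and set `resp.ContentLength = -1`; with the body replaced by the gzip reader but those headers kept, anything downstream that trusts `Content-Length` now sees a length that does not match the decoded bytes. Suggest restoring the three header lines inside the new `if` and wrapping the decoded stream, e.g. `io.LimitReader(unzipper, maxBodyBytes)`, or, if `response.include_body` already enforces a byte cap further down (not visible here), saying so in a comment such as `// body size is bounded by the include_body reader; gzip only changes the encoding`. readResponse continues past the end of this hunk.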
diff --git a/heartbeat/security/security.go b/heartbeat/security/security.go
index 00b70c698b6..7d151121354 100644
--- a/heartbeat/security/security.go
+++ b/heartbeat/security/security.go
@@ -147,7 +147,9 @@ func setSeccompRules() error {
"close",
"connect",
"creat",
+ "dup",
"dup2",
+ "dup3",
"epoll_ctl",
"epoll_pwait",
"eventfd2",
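Review bot: `dup` and `dup3` are added to the seccomp allowlist without a comment saying which code path needs them, and allowlist growth is exactly the change a later auditor will want a reason for. The added capability is small — `dup2` is already permitted and all three only duplicate descriptors the process already holds — but `dup3` in particular reads like an arm64 fix, since that architecture has no `dup2` syscall; if that is the motivation, record it inline: `"dup3", // no dup2 on arm64; fd duplication goes through dup3 there`. The list is inside setSeccompRules, whose body starts and ends outside this hunk.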
diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml
index 26c27de77e7..19692cfec94 100644
--- a/journalbeat/journalbeat.reference.yml
+++ b/journalbeat/journalbeat.reference.yml
@@ -1326,11 +1326,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. journalbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Journalbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1515,6 +1510,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/libbeat/_meta/config/http.reference.yml.tmpl b/libbeat/_meta/config/http.reference.yml.tmpl
index 19a9f5fcd50..ccf85bb6189 100644
--- a/libbeat/_meta/config/http.reference.yml.tmpl
+++ b/libbeat/_meta/config/http.reference.yml.tmpl
@@ -22,3 +22,7 @@
# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
# `http.user`.
#http.named_pipe.security_descriptor:
+
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
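Review bot: "may leak data" gives an operator nothing to weigh: the Go pprof handlers serve heap and goroutine dumps (which can contain in-flight event payloads and any credentials held in memory), the process command line, and on-demand CPU profiles/traces that anyone who can reach the port can trigger, with no authentication of their own. Suggest a concrete comment, e.g. `# Enables the /debug/pprof/ endpoints on the same listener as the stats API. They expose heap/goroutine dumps, the process command line and on-demand CPU profiling without authentication; enable only on a loopback host, and only while debugging.` The option that controls the bind address is not visible in this hunk, so name it (`http.host` or whatever it is) in the comment so the "localhost" advice is actionable.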
diff --git a/libbeat/_meta/config/logging.reference.yml.tmpl b/libbeat/_meta/config/logging.reference.yml.tmpl
index 9a1e91a0af8..f4ca435be01 100644
--- a/libbeat/_meta/config/logging.reference.yml.tmpl
+++ b/libbeat/_meta/config/logging.reference.yml.tmpl
@@ -67,8 +67,3 @@ logging.files:
# Rotate existing logs on startup rather than appending to the existing
# file. Defaults to true.
# rotateonstartup: true
-
- # Rotated files are either suffixed with a number e.g. {{.BeatName}}.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
diff --git a/libbeat/api/routes.go b/libbeat/api/routes.go
index bc72347cf28..14b213b1928 100644
--- a/libbeat/api/routes.go
+++ b/libbeat/api/routes.go
@@ -20,6 +20,7 @@ package api
import (
"fmt"
"net/http"
+ _ "net/http/pprof"
"net/url"
"github.com/elastic/beats/v7/libbeat/common"
@@ -47,6 +48,14 @@ func NewWithDefaultRoutes(log *logp.Logger, config *common.Config, ns lookupFunc
return New(log, mux, config)
}
+func (s *Server) AttachPprof() {
+ s.log.Info("Attaching pprof endpoints")
+ s.mux.HandleFunc("/debug/pprof/", func(w http.ResponseWriter, r *http.Request) {
+ http.DefaultServeMux.ServeHTTP(w, r)
+ })
+
+}
+
func makeRootAPIHandler(handler handlerFunc) handlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/" {
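Review bot: AttachPprof delegates to `http.DefaultServeMux`, and the blank import `_ "net/http/pprof"` in the previous hunk registers the pprof handlers on that mux at package init — unconditionally, regardless of `http.pprof.enabled`. Any other code in the same process that serves the default mux (a `http.ListenAndServe(addr, nil)` anywhere in a Beat or a library it links) now exposes `/debug/pprof/` without the config gate ever being consulted. Registering the handlers explicitly on `s.mux` avoids the side effect and keeps the gate meaningful; it needs the import changed to a named `"net/http/pprof"`.
```go
func (s *Server) AttachPprof() {
	s.log.Info("Attaching pprof endpoints")
	// Register explicitly on our own mux instead of relying on the
	// blank-import side effect, so nothing is exposed via http.DefaultServeMux.
	s.mux.HandleFunc("/debug/pprof/", pprof.Index)
	s.mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	s.mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	s.mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	s.mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
}
```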
diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go
index 9b4d05494f5..3e1da0f62fb 100644
--- a/libbeat/cmd/instance/beat.go
+++ b/libbeat/cmd/instance/beat.go
@@ -105,6 +105,7 @@ type beatConfig struct {
// beat internal components configurations
HTTP *common.Config `config:"http"`
+ HTTPPprof *common.Config `config:"http.pprof"`
Path paths.Path `config:"path"`
Logging *common.Config `config:"logging"`
MetricLogging *common.Config `config:"logging.metrics"`
@@ -162,19 +163,14 @@ func Run(settings Settings, bt beat.Creator) error {
return errw.Wrap(err, "could not set umask")
}
- name := settings.Name
- idxPrefix := settings.IndexPrefix
- agentVersion := settings.Version
- elasticLicensed := settings.ElasticLicensed
-
return handleError(func() error {
defer func() {
if r := recover(); r != nil {
- logp.NewLogger(name).Fatalw("Failed due to panic.",
+ logp.NewLogger(settings.Name).Fatalw("Failed due to panic.",
"panic", r, zap.Stack("stack"))
}
}()
- b, err := NewBeat(name, idxPrefix, agentVersion, elasticLicensed)
+ b, err := NewInitializedBeat(settings)
if err != nil {
return err
}
@@ -409,10 +405,6 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error {
defer logp.Sync()
defer logp.Info("%s stopped.", b.Info.Beat)
- err := b.InitWithSettings(settings)
- if err != nil {
- return err
- }
defer func() {
if err := b.processing.Close(); err != nil {
logp.Warn("Failed to close global processing: %v", err)
@@ -428,7 +420,7 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error {
// Try to acquire exclusive lock on data path to prevent another beat instance
// sharing same data path.
bl := newLocker(b)
- err = bl.lock()
+ err := bl.lock()
if err != nil {
return err
}
@@ -455,6 +447,9 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error {
}
s.Start()
defer s.Stop()
+ if b.Config.HTTPPprof.Enabled() {
+ s.AttachPprof()
+ }
}
if err = seccomp.LoadFilter(b.Config.Seccomp); err != nil {
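Review bot: `s.AttachPprof()` is gated only on `http.pprof.enabled`; nothing here checks what address the stats listener is bound to, so a single flag flip exposes unauthenticated heap dumps and on-demand CPU profiling on whatever interface the HTTP server already uses. If the resolved bind host is reachable at this point, a `logp.Warn` when pprof is enabled on a non-loopback address would make the reference-config advice enforceable rather than advisory. Minor: the call happens after `s.Start()`; `http.ServeMux` registration is mutex-protected so this is safe, but attaching before `s.Start()` reads more naturally and removes the brief window where `/debug/pprof/` answers 404. The enclosing `if` and the rest of launch are outside this hunk.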
diff --git a/libbeat/cmd/instance/beat_integration_test.go b/libbeat/cmd/instance/beat_integration_test.go
new file mode 100644
index 00000000000..7e7db83daa4
--- /dev/null
+++ b/libbeat/cmd/instance/beat_integration_test.go
@@ -0,0 +1,130 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package instance_test
+
+import (
+ "encoding/json"
+ "flag"
+ "net/http"
+ "sync"
+ "testing"
+ "time"
+
+ "github.com/elastic/beats/v7/libbeat/beat"
+ "github.com/elastic/beats/v7/libbeat/cmd/instance"
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/mock"
+)
+
+type mockbeat struct {
+ done chan struct{}
+ initDone chan struct{}
+}
+
+func (mb mockbeat) Run(b *beat.Beat) error {
+ client, err := b.Publisher.Connect()
+ if err != nil {
+ return err
+ }
+
+ ticker := time.NewTicker(1 * time.Second)
+ go func() {
+ // unblocks mb.waitUntilRunning
+ close(mb.initDone)
+ for {
+ select {
+ case <-ticker.C:
+ client.Publish(beat.Event{
+ Timestamp: time.Now(),
+ Fields: common.MapStr{
+ "type": "mock",
+ "message": "Mockbeat is alive!",
+ },
+ })
+ case <-mb.done:
+ ticker.Stop()
+ return
+ }
+ }
+ }()
+
+ <-mb.done
+ return nil
+}
+
+func (mb mockbeat) waitUntilRunning() {
+ <-mb.initDone
+}
+
+func (mb mockbeat) Stop() {
+ close(mb.done)
+}
+
+func TestMonitoringNameFromConfig(t *testing.T) {
+ mockBeat := mockbeat{
+ done: make(chan struct{}),
+ initDone: make(chan struct{}),
+ }
+ var wg sync.WaitGroup
+ wg.Add(1)
+
+ // Make sure the beat has stopped before finishing the test
+ t.Cleanup(wg.Wait)
+
+ go func() {
+ defer wg.Done()
+
+ // Set the configuration file path flag so the beat can read it
+ flag.Set("c", "testdata/mockbeat.yml")
+ instance.Run(mock.Settings, func(_ *beat.Beat, _ *common.Config) (beat.Beater, error) {
+ return &mockBeat, nil
+ })
+ }()
+
+ t.Cleanup(func() {
+ mockBeat.Stop()
+ })
+
+ // Make sure the beat is running
+ mockBeat.waitUntilRunning()
+
+ // As the HTTP server runs in a different goroutine from the
+ // beat main loop, give the scheduler another chance to schedule
+ // the HTTP server goroutine
+ time.Sleep(10 * time.Millisecond)
+
+ resp, err := http.Get("http://localhost:5066/state")
+ if err != nil {
+ t.Fatal("calling state endpoint: ", err.Error())
+ }
+ defer resp.Body.Close()
+
+ beatName := struct {
+ Beat struct {
+ Name string
+ }
+ }{}
+
+ if err := json.NewDecoder(resp.Body).Decode(&beatName); err != nil {
+ t.Fatalf("could not decode response body: %s", err.Error())
+ }
+
+ if got, want := beatName.Beat.Name, "TestMonitoringNameFromConfig"; got != want {
+ t.Fatalf("expecting '%s', got '%s'", want, got)
+ }
+}
diff --git a/libbeat/cmd/instance/testdata/mockbeat.yml b/libbeat/cmd/instance/testdata/mockbeat.yml
new file mode 100644
index 00000000000..a5016eb7f91
--- /dev/null
+++ b/libbeat/cmd/instance/testdata/mockbeat.yml
@@ -0,0 +1,24 @@
+############################# Mockbeat ######################################
+mockbeat:
+############################# General ############################################
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this options is not defined, the hostname is used.
+
+name: TestMonitoringNameFromConfig
+
+# The tags of the shipper are included in their own field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+# tags: []
+
+############################# Output ############################################
+
+# Configure what outputs to use when sending the data collected by mockbeat.
+# Multiple outputs may NOT be enabled.
+output.elasticsearch:
+ hosts: ["localhost:9200"]
+http:
+ enabled: true
+ port: 5066
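Review bot: The fixture enables the HTTP server on port 5066 without a `host`, so the test's `http://localhost:5066` assumption rests on whatever the default bind address is, which is not visible here. Pinning it — `http: {enabled: true, host: localhost, port: 5066}` — makes the assumption explicit and guarantees the test never opens the stats endpoint on all interfaces of a shared CI runner.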
diff --git a/libbeat/common/file/interval_rotator.go b/libbeat/common/file/interval_rotator.go
deleted file mode 100644
index e5105beb0a7..00000000000
--- a/libbeat/common/file/interval_rotator.go
+++ /dev/null
@@ -1,192 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package file
-
-import (
- "fmt"
- "os"
- "path/filepath"
- "sort"
- "strconv"
- "time"
-
- "github.com/pkg/errors"
-)
-
-type intervalRotator struct {
- log Logger
- interval time.Duration
- lastRotate time.Time
- filename string
- fileFormat string
- clock clock
- weekly bool
- arbitrary bool
-}
-
-func newIntervalRotator(log Logger, interval time.Duration, filename string) rotater {
- ir := &intervalRotator{
- filename: filename,
- log: log,
- interval: (interval / time.Second) * time.Second, // drop fractional seconds
- clock: realClock{},
- }
- ir.initialize()
- return ir
-}
-
-func (r *intervalRotator) initialize() {
- switch r.interval {
- case time.Second:
- r.fileFormat = "2006-01-02-15-04-05"
- case time.Minute:
- r.fileFormat = "2006-01-02-15-04"
- case time.Hour:
- r.fileFormat = "2006-01-02-15"
- case 24 * time.Hour: // calendar day
- r.fileFormat = "2006-01-02"
- case 7 * 24 * time.Hour: // calendar week
- r.fileFormat = ""
- r.weekly = true
- case 30 * 24 * time.Hour: // calendar month
- r.fileFormat = "2006-01"
- case 365 * 24 * time.Hour: // calendar year
- r.fileFormat = "2006"
- default:
- r.arbitrary = true
- r.fileFormat = "2006-01-02-15-04-05"
- }
-
- fi, err := os.Stat(r.filename)
- if err != nil {
- if r.log != nil {
- r.log.Debugw("Not attempting to find last rotated time, configured logs dir cannot be opened: %v", err)
- }
- return
- }
- r.lastRotate = fi.ModTime()
-}
-
-func (r *intervalRotator) ActiveFile() string {
- return r.filename
-}
-
-func (r *intervalRotator) LogPrefix(filename string, modTime time.Time) string {
- var t time.Time
- if r.lastRotate.IsZero() {
- t = modTime
- } else {
- t = r.lastRotate
- }
-
- if r.weekly {
- y, w := t.ISOWeek()
- return fmt.Sprintf("%s-%04d-%02d-", filename, y, w)
- }
- if r.arbitrary {
- intervalNumber := t.Unix() / (int64(r.interval) / int64(time.Second))
- intervalStart := time.Unix(0, intervalNumber*int64(r.interval))
- return fmt.Sprintf("%s-%s-", filename, intervalStart.Format(r.fileFormat))
- }
- return fmt.Sprintf("%s-%s-", filename, t.Format(r.fileFormat))
-}
-
-func (r *intervalRotator) RotatedFiles() []string {
- files, err := filepath.Glob(r.filename + "*")
- if err != nil {
- if r.log != nil {
- r.log.Debugw("failed to list existing logs: %+v", err)
- }
- }
- r.SortIntervalLogs(files)
- return files
-}
-
-func (r *intervalRotator) Rotate(reason rotateReason, t time.Time) error {
- fi, err := os.Stat(r.ActiveFile())
- if os.IsNotExist(err) {
- return nil
- } else if err != nil {
- return errors.Wrap(err, "failed to rotate backups")
- }
-
- logPrefix := r.LogPrefix(r.ActiveFile(), fi.ModTime())
- files, err := filepath.Glob(logPrefix + "*")
- if err != nil {
- return errors.Wrap(err, "failed to list logs during rotation")
- }
-
- var targetFilename string
- if len(files) == 0 {
- targetFilename = logPrefix + "1"
- } else {
- r.SortIntervalLogs(files)
- lastLogIndex, _, err := IntervalLogIndex(files[len(files)-1])
- if err != nil {
- return errors.Wrap(err, "failed to locate last log index during rotation")
- }
- targetFilename = logPrefix + strconv.Itoa(int(lastLogIndex)+1)
- }
-
- if err := os.Rename(r.ActiveFile(), targetFilename); err != nil {
- return errors.Wrap(err, "failed to rotate backups")
- }
-
- if r.log != nil {
- r.log.Debugw("Rotating file", "filename", r.ActiveFile(), "reason", reason)
- }
-
- r.lastRotate = t
- return nil
-}
-
-func (r *intervalRotator) SortIntervalLogs(strings []string) {
- sort.Slice(
- strings,
- func(i, j int) bool {
- return OrderIntervalLogs(strings[i]) < OrderIntervalLogs(strings[j])
- },
- )
-}
-
-// OrderIntervalLogs, when given a log filename in the form [prefix]-[formattedDate]-n
-// returns the filename after zero-padding the trailing n so that foo-[date]-2 sorts
-// before foo-[date]-10.
-func OrderIntervalLogs(filename string) string {
- index, i, err := IntervalLogIndex(filename)
- if err == nil {
- return filename[:i] + fmt.Sprintf("%020d", index)
- }
-
- return ""
-}
-
-// IntervalLogIndex returns n as int given a log filename in the form [prefix]-[formattedDate]-n
-func IntervalLogIndex(filename string) (uint64, int, error) {
- i := len(filename) - 1
- for ; i >= 0; i-- {
- if '0' > filename[i] || filename[i] > '9' {
- break
- }
- }
- i++
-
- s64 := filename[i:]
- u64, err := strconv.ParseUint(s64, 10, 64)
- return u64, i, err
-}
diff --git a/libbeat/common/file/interval_rotator_test.go b/libbeat/common/file/interval_rotator_test.go
deleted file mode 100644
index 729d8c713b7..00000000000
--- a/libbeat/common/file/interval_rotator_test.go
+++ /dev/null
@@ -1,154 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package file
-
-import (
- "testing"
- "time"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestSecondRotator(t *testing.T) {
- a := newMockIntervalRotator(time.Second)
-
- clock := &testClock{time.Date(2018, 12, 31, 0, 0, 1, 100, time.Local)}
- a.clock = clock
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-31-00-00-01-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestMinuteRotator(t *testing.T) {
- a := newMockIntervalRotator(time.Minute)
-
- clock := &testClock{time.Date(2018, 12, 31, 0, 1, 1, 0, time.Local)}
- a.clock = clock
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-31-00-01-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestHourlyRotator(t *testing.T) {
- a := newMockIntervalRotator(time.Hour)
-
- clock := &testClock{time.Date(2018, 12, 31, 1, 0, 1, 0, time.Local)}
- a.clock = clock
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-31-01-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestDailyRotator(t *testing.T) {
- a := newMockIntervalRotator(24 * time.Hour)
-
- clock := &testClock{time.Date(2018, 12, 31, 0, 0, 0, 0, time.Local)}
- a.clock = clock
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-31-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestWeeklyRotator(t *testing.T) {
- a := newMockIntervalRotator(7 * 24 * time.Hour)
-
- // Monday, 2018-Dec-31
- clock := &testClock{time.Date(2018, 12, 31, 0, 0, 0, 0, time.Local)}
- a.clock = clock
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2019-01-", a.LogPrefix("foo", time.Now()))
-
- // Monday, 2019-Jan-7
- clock.time = clock.time.Add(7 * 24 * time.Hour)
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2019-02-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestMonthlyRotator(t *testing.T) {
- a := newMockIntervalRotator(30 * 24 * time.Hour)
-
- clock := &testClock{time.Date(2018, 12, 1, 0, 0, 0, 0, time.Local)}
- a.clock = clock
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(30 * 24 * time.Hour)
- assert.Equal(t, "foo-2018-12-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(24 * time.Hour)
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2019-01-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestYearlyRotator(t *testing.T) {
- a := newMockIntervalRotator(365 * 24 * time.Hour)
-
- clock := &testClock{time.Date(2018, 12, 31, 0, 0, 0, 0, time.Local)}
- a.clock = clock
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(23 * time.Hour)
- assert.Equal(t, "foo-2018-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(time.Hour)
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2019-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestArbitraryIntervalRotator(t *testing.T) {
- a := newMockIntervalRotator(3 * time.Second)
-
- // Monday, 2018-Dec-31
- clock := &testClock{time.Date(2018, 12, 31, 0, 0, 1, 0, time.Local)}
- a.clock = clock
- assert.Equal(t, "foo-2018-12-30-00-00-00-", a.LogPrefix("foo", time.Date(2018, 12, 30, 0, 0, 0, 0, time.Local)))
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-31-00-00-00-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(time.Second)
- assert.Equal(t, "foo-2018-12-31-00-00-00-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(time.Second)
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-31-00-00-03-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(time.Second)
- assert.Equal(t, "foo-2018-12-31-00-00-03-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(time.Second)
- assert.Equal(t, "foo-2018-12-31-00-00-03-", a.LogPrefix("foo", time.Now()))
-
- clock.time = clock.time.Add(time.Second)
- a.lastRotate = a.clock.Now()
- assert.Equal(t, "foo-2018-12-31-00-00-06-", a.LogPrefix("foo", time.Now()))
-}
-
-func TestIntervalIsTruncatedToSeconds(t *testing.T) {
- a := newMockIntervalRotator(2345 * time.Millisecond)
- assert.Equal(t, 2*time.Second, a.interval)
-}
-
-type testClock struct {
- time time.Time
-}
-
-func (t testClock) Now() time.Time {
- return t.time
-}
-
-func newMockIntervalRotator(interval time.Duration) *intervalRotator {
- r := newIntervalRotator(nil, interval, "foo").(*intervalRotator)
- return r
-}
diff --git a/libbeat/common/file/rotator.go b/libbeat/common/file/rotator.go
index 633f94232ef..e32e317dbfb 100644
--- a/libbeat/common/file/rotator.go
+++ b/libbeat/common/file/rotator.go
@@ -29,22 +29,13 @@ import (
"github.com/pkg/errors"
)
-type SuffixType uint32
-
const (
// MaxBackupsLimit is the upper bound on the number of backup files. Any values
// greater will result in an error.
MaxBackupsLimit = 1024
-
- SuffixCount SuffixType = iota + 1
- SuffixDate
+ DateFormat = "20060102"
)
-var suffixes = map[string]SuffixType{
- "count": SuffixCount,
- "date": SuffixDate,
-}
-
// rotater is the interface responsible for rotating and finding files.
type rotater interface {
// ActiveFile returns the path to the file that is actively written.
@@ -69,9 +60,9 @@ type Rotator struct {
interval time.Duration
permissions os.FileMode
log Logger // Optional Logger (may be nil).
- suffix SuffixType
rotateOnStartup bool
redirectStderr bool
+ clock clock
file *os.File
mutex sync.Mutex
@@ -85,14 +76,6 @@ type Logger interface {
// RotatorOption is a configuration option for Rotator.
type RotatorOption func(r *Rotator)
-// Interval sets the time interval for log rotation in addition to log
-// rotation by size. The default is 0 for disabled.
-func Suffix(s SuffixType) RotatorOption {
- return func(r *Rotator) {
- r.suffix = s
- }
-}
-
// MaxSizeBytes configures the maximum number of bytes that a file should
// contain before being rotated. The default is 10 MiB.
func MaxSizeBytes(n uint) RotatorOption {
@@ -150,6 +133,12 @@ func RedirectStderr(redirect bool) RotatorOption {
}
}
+func WithClock(clock clock) RotatorOption {
+ return func(r *Rotator) {
+ r.clock = clock
+ }
+}
+
// NewFileRotator returns a new Rotator.
func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error) {
r := &Rotator{
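Review bot: `WithClock` is exported but takes the unexported `clock` interface and has no doc comment, so callers outside the package can satisfy it only structurally and have no stated contract for what the clock drives (rotation timestamps and file names, judging by `rotateWithTime` and `newDateRotater` in later hunks). Every other option in this file carries a comment; suggest `// WithClock overrides the clock used to timestamp rotations and name rotated files. Intended for tests.` — and either export the interface or note that any type with a `Now() time.Time` method qualifies.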
@@ -158,7 +147,7 @@ func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error)
permissions: 0600,
interval: 0,
rotateOnStartup: true,
- suffix: SuffixCount,
+ clock: &realClock{},
}
for _, opt := range options {
@@ -179,14 +168,14 @@ func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error)
return nil, errors.New("the minimum time interval for log rotation is 1 second")
}
- r.rot = newRotater(r.log, r.suffix, filename, r.maxBackups, r.interval)
+ r.rot = newDateRotater(r.log, filename, r.clock)
shouldRotateOnStart := r.rotateOnStartup
if _, err := os.Stat(r.rot.ActiveFile()); os.IsNotExist(err) {
shouldRotateOnStart = false
}
- r.triggers = newTriggers(shouldRotateOnStart, r.interval, r.maxSizeBytes)
+ r.triggers = newTriggers(shouldRotateOnStart, r.interval, r.maxSizeBytes, r.clock)
if r.log != nil {
r.log.Debugw("Initialized file rotator",
@@ -194,7 +183,6 @@ func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error)
"max_size_bytes", r.maxSizeBytes,
"max_backups", r.maxBackups,
"permissions", r.permissions,
- "suffix", r.suffix,
)
}
@@ -292,7 +280,7 @@ func (r *Rotator) openFile() error {
}
func (r *Rotator) rotate(reason rotateReason) error {
- return r.rotateWithTime(reason, time.Now())
+ return r.rotateWithTime(reason, r.clock.Now())
}
// rotateWithTime closes the actively written file, and rotates it along with exising
@@ -339,7 +327,7 @@ func (r *Rotator) isRotationTriggered(dataLen uint) (rotateReason, time.Time) {
for _, t := range r.triggers {
reason := t.TriggerRotation(dataLen)
if reason != rotateReasonNoRotate {
- return reason, time.Now()
+ return reason, r.clock.Now()
}
}
return rotateReasonNoRotate, time.Time{}
@@ -395,52 +383,37 @@ func (r *Rotator) closeFile() error {
return errors.Wrap(err, "failed to close active file")
}
-type countRotator struct {
- log Logger
- filename string
- intervalRotator *intervalRotator
- maxBackups uint
-}
-
type dateRotator struct {
log Logger
+ clock clock
format string
filenamePrefix string
currentFilename string
- intervalRotator *intervalRotator
-}
+ extension string
-func newRotater(log Logger, s SuffixType, filename string, maxBackups uint, interval time.Duration) rotater {
- switch s {
- case SuffixCount:
- if interval > 0 {
- return newIntervalRotator(log, interval, filename)
- }
- return &countRotator{
- log: log,
- filename: filename,
- maxBackups: maxBackups,
- }
- case SuffixDate:
- return newDateRotater(log, filename)
- default:
- return &countRotator{
- log: log,
- filename: filename,
- maxBackups: maxBackups,
- }
- }
+ prefixLen int
+ filenameLen int
+ extensionLen int
+
+ // logOrderCache is used to cache log file meta information between rotations
+ logOrderCache map[string]logOrder
}
-func newDateRotater(log Logger, filename string) rotater {
+func newDateRotater(log Logger, filename string, clock clock) rotater {
d := &dateRotator{
log: log,
+ clock: clock,
filenamePrefix: filename + "-",
- format: "20060102150405",
+ extension: ".ndjson",
+ format: DateFormat,
+ logOrderCache: make(map[string]logOrder),
}
+ d.prefixLen = len(d.filenamePrefix)
+ d.filenameLen = d.prefixLen + len(DateFormat)
+ d.extensionLen = len(d.extension)
- d.currentFilename = d.filenamePrefix + time.Now().Format(d.format)
- files, err := filepath.Glob(d.filenamePrefix + "*")
+ d.currentFilename = d.filenamePrefix + d.clock.Now().Format(d.format) + d.extension
+ files, err := filepath.Glob(d.filenamePrefix + "*" + d.extension)
if err != nil {
return d
}
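Review bot: `newDateRotater` hard-codes `extension: ".ndjson"` for what is still the generic `libbeat/common/file` rotator, so any caller that passes a name such as `sample.log` now gets `sample.log-20211111.ndjson`, and the `Glob` on `filenamePrefix + "*" + d.extension` silently ignores rotated files that do not carry that suffix. If the rotator is now meant only for the file output, a comment on the field saying so would do; otherwise an `Extension(string) RotatorOption` threaded into `newDateRotater` keeps the rest of the code unchanged. The function continues past the end of this hunk.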
@@ -467,7 +440,24 @@ func (d *dateRotator) Rotate(reason rotateReason, rotateTime time.Time) error {
d.log.Debugw("Rotating file", "filename", d.currentFilename, "reason", reason)
}
- d.currentFilename = d.filenamePrefix + rotateTime.Format(d.format)
+ d.logOrderCache = make(map[string]logOrder, 0)
+
+ newFileNamePrefix := d.filenamePrefix + rotateTime.Format(d.format)
+ files, err := filepath.Glob(newFileNamePrefix + "*" + d.extension)
+ if err != nil {
+ return fmt.Errorf("failed to get possible files: %+v", err)
+ }
+
+ if len(files) == 0 {
+ d.currentFilename = newFileNamePrefix + d.extension
+ return nil
+ }
+
+ d.SortModTimeLogs(files)
+ order := d.OrderLog(files[len(files)-1])
+
+ d.currentFilename = newFileNamePrefix + "-" + strconv.Itoa(order.index+1) + d.extension
+
return nil
}
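Review bot: The next index is taken from the last element of `SortModTimeLogs(files)`, which (if it sorts by modification time as its name and the comment above it say) means the choice depends on mtimes rather than on the indices already in use — a rotated file whose mtime was bumped (copy, touch, clock step backwards) can make `order.index+1` collide with an existing file, and the rotator will then open and append to it. Taking the maximum index over all matching files is independent of mtime ordering and is the same cost. Rotate starts outside this hunk.
```go
	// … unchanged: cache reset and Glob of newFileNamePrefix …
	// Use the highest index in use rather than the last entry of a mtime
	// sort, so an mtime bump on an older file cannot cause a name collision.
	maxIndex := -1
	for _, f := range files {
		if idx := d.OrderLog(f).index; idx > maxIndex {
			maxIndex = idx
		}
	}
	d.currentFilename = newFileNamePrefix + "-" + strconv.Itoa(maxIndex+1) + d.extension
	return nil
```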
@@ -479,10 +469,18 @@ func (d *dateRotator) RotatedFiles() []string {
}
}
+ for i, name := range files {
+ if name == d.ActiveFile() {
+ files = append(files[:i], files[i+1:]...)
+ break
+ }
+ }
+
d.SortModTimeLogs(files)
return files
}
+// SortModTimeLogs puts newest file to the last
func (d *dateRotator) SortModTimeLogs(strings []string) {
sort.Slice(
strings,
@@ -492,88 +490,53 @@ func (d *dateRotator) SortModTimeLogs(strings []string) {
)
}
-func (d *dateRotator) OrderLog(filename string) time.Time {
- ts, err := time.Parse(d.filenamePrefix+d.format, filepath.Base(filename))
- if err != nil {
- return time.Time{}
- }
- return ts
-}
-
-func (c *countRotator) ActiveFile() string {
- return c.filename
+// logOrder stores information required to sort log files
+// parsed out from the following format (unknown)-{datetime}-{index}.ndjson
+type logOrder struct {
+ index int
+ datetime time.Time
}
-func (c *countRotator) RotatedFiles() []string {
- files := make([]string, 0)
- for i := c.maxBackups + 1; i >= 1; i-- {
- name := c.backupName(i)
- if _, err := os.Stat(name); os.IsNotExist(err) {
- continue
- } else if err != nil {
- c.log.Debugw("failed to stat rotated file")
- return files
- }
- files = append(files, name)
+func (o logOrder) After(other logOrder) bool {
+ if o.datetime.Equal(other.datetime) {
+ return other.index > o.index
}
-
- return files
+ return !o.datetime.After(other.datetime)
}
-func (c *countRotator) backupName(n uint) string {
- if n == 0 {
- return c.ActiveFile()
+func (d *dateRotator) OrderLog(filename string) logOrder {
+ if o, ok := d.logOrderCache[filename]; ok {
+ return o
}
- return c.ActiveFile() + "." + strconv.Itoa(int(n))
-}
-func (c *countRotator) Rotate(reason rotateReason, _ time.Time) error {
- for i := c.maxBackups + 1; i > 0; i-- {
- old := c.backupName(i - 1)
- older := c.backupName(i)
+ var o logOrder
+ var err error
- if _, err := os.Stat(old); os.IsNotExist(err) {
- continue
- } else if err != nil {
- return errors.Wrap(err, "failed to rotate backups")
- }
+ o.datetime, err = time.Parse(d.format, filename[d.prefixLen:d.filenameLen])
+ if err != nil {
+ return o
+ }
- if err := os.Remove(older); err != nil && !os.IsNotExist(err) {
- return errors.Wrap(err, "failed to rotate backups")
- }
- if err := os.Rename(old, older); err != nil {
- return errors.Wrap(err, "failed to rotate backups")
- } else if i == 1 {
- // Log when rotation of the main file occurs.
- if c.log != nil {
- c.log.Debugw("Rotating file", "filename", old, "reason", reason)
- }
+ if d.isFilenameWithIndex(filename) {
+ o.index, err = d.filenameIndex(filename)
+ if err != nil {
+ return o
}
}
- return nil
-}
-func (s *SuffixType) Unpack(v string) error {
- i, err := strconv.Atoi(v)
- if err == nil {
- t := SuffixType(i)
- v = t.String()
- }
+ d.logOrderCache[filename] = o
- val, ok := suffixes[v]
- if !ok {
- return fmt.Errorf("invalid suffix type: %+v", v)
- }
+ return o
+}
- *s = val
- return nil
+func (d *dateRotator) isFilenameWithIndex(filename string) bool {
+ return d.filenameLen+d.extensionLen < len(filename)
}
-func (s *SuffixType) String() string {
- for k, v := range suffixes {
- if v == *s {
- return k
- }
+func (d *dateRotator) filenameIndex(filename string) (int, error) {
+ indexStr := filename[d.filenameLen+1 : len(filename)-d.extensionLen]
+ if len(indexStr) > 0 {
+ return strconv.Atoi(indexStr)
}
- return ""
+ return 0, nil
}
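Review bot: `logOrder.After` returns the opposite of what its name says: for equal datetimes it is true when `o.index` is lower than `other.index`, and otherwise it returns `!o.datetime.After(other.datetime)`, i.e. true when `o` is at or before `other`. A reader using it as "is newer" will get files sorted the wrong way; rename it to `Before` (or negate the body) and document the tie-break, e.g. `// Before reports whether o was rotated before other; equal dates are ordered by index.` No caller is visible in this hunk, so check SortModTimeLogs and any other user before changing the sense.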
diff --git a/libbeat/common/file/rotator_test.go b/libbeat/common/file/rotator_test.go
index 585d1690e78..6294b042d13 100644
--- a/libbeat/common/file/rotator_test.go
+++ b/libbeat/common/file/rotator_test.go
@@ -21,8 +21,6 @@ import (
"fmt"
"os"
"path/filepath"
- "regexp"
- "sort"
"sync"
"testing"
"time"
@@ -39,43 +37,57 @@ func TestFileRotator(t *testing.T) {
logp.TestingSetup()
dir := t.TempDir()
+ logname := "sample"
+ c := &testClock{time.Date(2021, 11, 11, 0, 0, 0, 0, time.Local)}
- filename := filepath.Join(dir, "sample.log")
+ filename := filepath.Join(dir, logname)
r, err := file.NewFileRotator(filename,
file.MaxBackups(2),
file.WithLogger(logp.NewLogger("rotator").With(logp.Namespace("rotator"))),
+ file.WithClock(c),
)
if err != nil {
t.Fatal(err)
}
defer r.Close()
+ firstFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
+
WriteMsg(t, r)
- AssertDirContents(t, dir, "sample.log")
+ AssertDirContents(t, dir, firstFile)
+
+ c.time = time.Date(2021, 11, 12, 0, 0, 0, 0, time.Local)
Rotate(t, r)
- AssertDirContents(t, dir, "sample.log.1")
+ AssertDirContents(t, dir, firstFile)
WriteMsg(t, r)
- AssertDirContents(t, dir, "sample.log", "sample.log.1")
+
+ secondFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
+ AssertDirContents(t, dir, firstFile, secondFile)
+
+ c.time = time.Date(2021, 11, 13, 0, 0, 0, 0, time.Local)
Rotate(t, r)
- AssertDirContents(t, dir, "sample.log.1", "sample.log.2")
+ AssertDirContents(t, dir, firstFile, secondFile)
WriteMsg(t, r)
- AssertDirContents(t, dir, "sample.log", "sample.log.1", "sample.log.2")
+ thirdFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
+ AssertDirContents(t, dir, firstFile, secondFile, thirdFile)
+ c.time = time.Date(2021, 11, 14, 0, 0, 0, 0, time.Local)
Rotate(t, r)
- AssertDirContents(t, dir, "sample.log.1", "sample.log.2")
+ AssertDirContents(t, dir, secondFile, thirdFile)
+ c.time = time.Date(2021, 11, 15, 0, 0, 0, 0, time.Local)
Rotate(t, r)
- AssertDirContents(t, dir, "sample.log.2", "sample.log.3")
+ AssertDirContents(t, dir, secondFile, thirdFile)
}
func TestFileRotatorConcurrently(t *testing.T) {
dir := t.TempDir()
- filename := filepath.Join(dir, "sample.log")
+ filename := filepath.Join(dir, "sample")
r, err := file.NewFileRotator(filename, file.MaxBackups(2))
if err != nil {
t.Fatal(err)
@@ -97,29 +109,27 @@ func TestDailyRotation(t *testing.T) {
dir := t.TempDir()
logname := "daily"
- dateFormat := "2006-01-02"
- today := time.Now().Format(dateFormat)
- yesterday := time.Now().AddDate(0, 0, -1).Format(dateFormat)
- twoDaysAgo := time.Now().AddDate(0, 0, -2).Format(dateFormat)
+ yesterday := time.Now().AddDate(0, 0, -1).Format(file.DateFormat)
+ twoDaysAgo := time.Now().AddDate(0, 0, -2).Format(file.DateFormat)
// seed directory with existing log files
files := []string{
- logname + "-" + yesterday + "-1",
- logname + "-" + yesterday + "-2",
- logname + "-" + yesterday + "-3",
- logname + "-" + yesterday + "-4",
- logname + "-" + yesterday + "-5",
- logname + "-" + yesterday + "-6",
- logname + "-" + yesterday + "-7",
- logname + "-" + yesterday + "-8",
- logname + "-" + yesterday + "-9",
- logname + "-" + yesterday + "-10",
- logname + "-" + yesterday + "-11",
- logname + "-" + yesterday + "-12",
- logname + "-" + yesterday + "-13",
- logname + "-" + twoDaysAgo + "-1",
- logname + "-" + twoDaysAgo + "-2",
- logname + "-" + twoDaysAgo + "-3",
+ logname + "-" + yesterday + "-1.ndjson",
+ logname + "-" + yesterday + "-2.ndjson",
+ logname + "-" + yesterday + "-3.ndjson",
+ logname + "-" + yesterday + "-4.ndjson",
+ logname + "-" + yesterday + "-5.ndjson",
+ logname + "-" + yesterday + "-6.ndjson",
+ logname + "-" + yesterday + "-7.ndjson",
+ logname + "-" + yesterday + "-8.ndjson",
+ logname + "-" + yesterday + "-9.ndjson",
+ logname + "-" + yesterday + "-10.ndjson",
+ logname + "-" + yesterday + "-11.ndjson",
+ logname + "-" + yesterday + "-12.ndjson",
+ logname + "-" + yesterday + "-13.ndjson",
+ logname + "-" + twoDaysAgo + "-1.ndjson",
+ logname + "-" + twoDaysAgo + "-2.ndjson",
+ logname + "-" + twoDaysAgo + "-3.ndjson",
}
for _, f := range files {
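Review bot: TestDailyRotation still derives `yesterday` and `twoDaysAgo` from the real clock (`time.Now().AddDate(...)` at the top of this hunk) and the following hunk computes `today` the same way, while the other tests in this file were switched to the injectable testClock. If a run straddles midnight the seeded file names and the asserted names are computed against different days and the test fails spuriously. Unless the rotator is deliberately exercised with the real clock, consider building a fixed `c := &testClock{...}` here, deriving all three dates from `c.Now()`, and passing `file.WithClock(c)` to the NewFileRotator call, which sits between the two hunks and is not visible here.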
@@ -139,25 +149,26 @@ func TestDailyRotation(t *testing.T) {
Rotate(t, r)
- AssertDirContents(t, dir, logname+"-"+yesterday+"-12", logname+"-"+yesterday+"-13")
+ AssertDirContents(t, dir, logname+"-"+yesterday+"-12.ndjson", logname+"-"+yesterday+"-13.ndjson")
WriteMsg(t, r)
- AssertDirContents(t, dir, logname+"-"+yesterday+"-12", logname+"-"+yesterday+"-13", logname)
+ today := time.Now().Format(file.DateFormat)
+ AssertDirContents(t, dir, logname+"-"+yesterday+"-12.ndjson", logname+"-"+yesterday+"-13.ndjson", logname+"-"+today+".ndjson")
Rotate(t, r)
- AssertDirContents(t, dir, logname+"-"+yesterday+"-13", logname+"-"+today+"-1")
+ AssertDirContents(t, dir, logname+"-"+yesterday+"-13.ndjson", logname+"-"+today+".ndjson")
WriteMsg(t, r)
- AssertDirContents(t, dir, logname+"-"+yesterday+"-13", logname+"-"+today+"-1", logname)
+ AssertDirContents(t, dir, logname+"-"+yesterday+"-13.ndjson", logname+"-"+today+".ndjson", logname+"-"+today+"-1.ndjson")
for i := 0; i < (int(maxSizeBytes)/len(logMessage))+1; i++ {
WriteMsg(t, r)
}
- AssertDirContents(t, dir, logname+"-"+today+"-1", logname+"-"+today+"-2", logname)
+ AssertDirContents(t, dir, logname+"-"+today+"-1.ndjson", logname+"-"+today+"-2.ndjson", logname+"-"+today+"-3.ndjson")
}
// Tests the FileConfig.RotateOnStartup parameter
@@ -165,13 +176,15 @@ func TestRotateOnStartup(t *testing.T) {
dir := t.TempDir()
logname := "rotate_on_open"
- filename := filepath.Join(dir, logname)
+ c := &testClock{time.Date(2021, 11, 11, 0, 0, 0, 0, time.Local)}
+ firstFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
+ filename := filepath.Join(dir, firstFile)
// Create an existing log file with this name.
CreateFile(t, filename)
- AssertDirContents(t, dir, logname)
+ AssertDirContents(t, dir, firstFile)
- r, err := file.NewFileRotator(filename, file.RotateOnStartup(false))
+ r, err := file.NewFileRotator(filepath.Join(dir, logname), file.RotateOnStartup(false), file.WithClock(c))
if err != nil {
t.Fatal(err)
}
@@ -179,33 +192,37 @@ func TestRotateOnStartup(t *testing.T) {
WriteMsg(t, r)
// The line should have been appended to the existing file without rotation.
- AssertDirContents(t, dir, logname)
+ AssertDirContents(t, dir, firstFile)
// Close the first rotator early (the deferred close will be a no-op if
// we haven't hit an error by now), so it can't interfere with the second one.
r.Close()
// Create a second rotator with the default setting of rotateOnStartup=true
- r, err = file.NewFileRotator(filename)
+ c = &testClock{time.Date(2021, 11, 12, 0, 0, 0, 0, time.Local)}
+ r, err = file.NewFileRotator(filepath.Join(dir, logname), file.WithClock(c))
if err != nil {
t.Fatal(err)
}
defer r.Close()
// The directory contents shouldn't change until the first Write.
- AssertDirContents(t, dir, logname)
+ AssertDirContents(t, dir, firstFile)
+
+ secondFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
WriteMsg(t, r)
- AssertDirContents(t, dir, logname, logname+".1")
+ AssertDirContents(t, dir, firstFile, secondFile)
}
-func TestRotateDateSuffix(t *testing.T) {
+func TestRotate(t *testing.T) {
dir := t.TempDir()
logname := "beatname"
filename := filepath.Join(dir, logname)
- r, err := file.NewFileRotator(filename, file.Suffix(file.SuffixDate), file.MaxBackups(1))
+ c := &testClock{time.Date(2021, 11, 11, 0, 0, 0, 0, time.Local)}
+ r, err := file.NewFileRotator(filename, file.MaxBackups(1), file.WithClock(c))
if err != nil {
t.Fatal(err)
}
@@ -213,24 +230,24 @@ func TestRotateDateSuffix(t *testing.T) {
WriteMsg(t, r)
- firstExpectedPattern := fmt.Sprintf("%s-%s.*", logname, time.Now().Format("20060102150405"))
- AssertDirContentsPattern(t, dir, firstExpectedPattern)
+ firstFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
+ AssertDirContents(t, dir, firstFile)
- time.Sleep(2 * time.Second)
- secondExpectedPattern := fmt.Sprintf("%s-%s.*", logname, time.Now().Format("20060102150405"))
+ c.time = time.Date(2021, 11, 13, 0, 0, 0, 0, time.Local)
+ secondFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
Rotate(t, r)
WriteMsg(t, r)
- AssertDirContentsPattern(t, dir, firstExpectedPattern, secondExpectedPattern)
+ AssertDirContents(t, dir, firstFile, secondFile)
- time.Sleep(2 * time.Second)
- thirdExpectedPattern := fmt.Sprintf("%s-%s.*", logname, time.Now().Format("20060102150405"))
+ c.time = time.Date(2021, 11, 15, 0, 0, 0, 0, time.Local)
+ thirdFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat))
Rotate(t, r)
WriteMsg(t, r)
- AssertDirContentsPattern(t, dir, secondExpectedPattern, thirdExpectedPattern)
+ AssertDirContents(t, dir, secondFile, thirdFile)
}
func CreateFile(t *testing.T, filename string) {
@@ -258,36 +275,7 @@ func AssertDirContents(t *testing.T, dir string, files ...string) {
t.Fatal(err)
}
- sort.Strings(files)
- sort.Strings(names)
- assert.EqualValues(t, files, names)
-}
-
-func AssertDirContentsPattern(t *testing.T, dir string, patterns ...string) {
- t.Helper()
-
- f, err := os.Open(dir)
- if err != nil {
- t.Fatal(err)
- }
-
- names, err := f.Readdirnames(-1)
- if err != nil {
- t.Fatal(err)
- }
- if len(patterns) != len(names) {
- t.Fatal("unexpected number of files")
- }
-
- sort.Strings(patterns)
- sort.Strings(names)
- for i := 0; i < len(patterns); i++ {
- matches, err := regexp.MatchString(patterns[i], names[i])
- if err != nil {
- t.Fatal(err)
- }
- assert.True(t, matches, "pattern: %s name: %s", patterns[i], names[i])
- }
+ assert.ElementsMatch(t, files, names)
}
func WriteMsg(t *testing.T, r *file.Rotator) {
@@ -307,3 +295,11 @@ func Rotate(t *testing.T, r *file.Rotator) {
t.Fatal(err)
}
}
+
+type testClock struct {
+ time time.Time
+}
+
+func (t testClock) Now() time.Time {
+ return t.time
+}
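Review bot: The new `testClock` type has no doc comment and names its only field `time`, which reads like the `time` package at every use site (`c.time = time.Date(...)` in the tests above). A field name such as `now` would read more clearly, and a one-line comment like `// testClock is a fixed clock for tests; assign the field to advance it.` would document that the tests mutate it through the pointer while `Now` has a value receiver.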
diff --git a/libbeat/common/file/trigger.go b/libbeat/common/file/trigger.go
index d96d748f922..22c128a334b 100644
--- a/libbeat/common/file/trigger.go
+++ b/libbeat/common/file/trigger.go
@@ -52,14 +52,14 @@ type trigger interface {
TriggerRotation(dataLen uint) rotateReason
}
-func newTriggers(rotateOnStartup bool, interval time.Duration, maxSizeBytes uint) []trigger {
+func newTriggers(rotateOnStartup bool, interval time.Duration, maxSizeBytes uint, clock clock) []trigger {
triggers := make([]trigger, 0)
if rotateOnStartup {
triggers = append(triggers, &initTrigger{})
}
if interval > 0 {
- triggers = append(triggers, newIntervalTrigger(interval))
+ triggers = append(triggers, newIntervalTrigger(interval, clock))
}
if maxSizeBytes > 0 {
triggers = append(triggers, &sizeTrigger{maxSizeBytes: maxSizeBytes, size: 0})
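Review bot: The added parameter is declared `clock clock`, so inside newTriggers (and newIntervalTrigger in the next hunk) the identifier `clock` now denotes the value and the type name is shadowed for the rest of the body. It compiles, but it is a readability trap and prevents any later reference to the type in these functions; `clk clock` avoids it, e.g. `func newTriggers(rotateOnStartup bool, interval time.Duration, maxSizeBytes uint, clk clock) []trigger {`. Neither function guards against a nil clock; if the rotator option defaults it to `realClock{}` that is fine, but that default is not visible in this diff.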
@@ -113,8 +113,8 @@ func (realClock) Now() time.Time {
return time.Now()
}
-func newIntervalTrigger(interval time.Duration) trigger {
- t := intervalTrigger{interval: interval, clock: realClock{}}
+func newIntervalTrigger(interval time.Duration, clock clock) trigger {
+ t := intervalTrigger{interval: interval, clock: clock}
switch interval {
case time.Second:
diff --git a/libbeat/common/fmtstr/formatevents_test.go b/libbeat/common/fmtstr/formatevents_test.go
index 6e78eb5713f..a644676db75 100644
--- a/libbeat/common/fmtstr/formatevents_test.go
+++ b/libbeat/common/fmtstr/formatevents_test.go
@@ -109,7 +109,7 @@ func TestEventFormatString(t *testing.T) {
"test timestamp formatter",
"%{[key]}: %{+YYYY.MM.dd}",
beat.Event{
- Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local),
+ Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC),
Fields: common.MapStr{
"key": "timestamp",
},
@@ -121,7 +121,7 @@ func TestEventFormatString(t *testing.T) {
"test timestamp formatter",
"%{[@timestamp]}: %{+YYYY.MM.dd}",
beat.Event{
- Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local),
+ Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC),
Fields: common.MapStr{
"key": "timestamp",
},
diff --git a/libbeat/common/fmtstr/formattimestamp_test.go b/libbeat/common/fmtstr/formattimestamp_test.go
index 4df8e6b3fdc..1a2c91decdd 100644
--- a/libbeat/common/fmtstr/formattimestamp_test.go
+++ b/libbeat/common/fmtstr/formattimestamp_test.go
@@ -73,14 +73,14 @@ func TestTimestampFormatString(t *testing.T) {
"test timestamp formatter",
"%{[key]}: %{+YYYY.MM.dd}",
common.MapStr{"key": "timestamp"},
- time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local),
+ time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC),
"timestamp: 2015.05.01",
},
{
"test timestamp formatter",
"%{[@timestamp]}: %{+YYYY.MM.dd}",
common.MapStr{"key": "timestamp"},
- time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local),
+ time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC),
"2015-05-01T20:12:34.000Z: 2015.05.01",
},
}
diff --git a/libbeat/docs/http-endpoint.asciidoc b/libbeat/docs/http-endpoint.asciidoc
index 0db4e705935..853e7d3c2d9 100644
--- a/libbeat/docs/http-endpoint.asciidoc
+++ b/libbeat/docs/http-endpoint.asciidoc
@@ -32,6 +32,7 @@ It is recommended to use only localhost. Default is `localhost`
current user.
`http.named_pipe.security_descriptor`:: (Optional) Windows Security descriptor string defined in the SDDL format. Default to
read and write permission for the current user.
+`http.pprof.enabled`:: (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc
index 4b47c45d5fb..d6232e2cb07 100644
--- a/libbeat/docs/loggingconfig.asciidoc
+++ b/libbeat/docs/loggingconfig.asciidoc
@@ -246,15 +246,6 @@ Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
are boundary-aligned with minutes, hours, days, weeks, months, and years as
reported by the local system clock. All other intervals are calculated from the
unix epoch. Defaults to disabled.
-
-[float]
-==== `logging.files.suffix`
-
-When a log rotation happens it can either rename older files with
-an incresing index if `count` is configured. The other option is `date`
-that appends the current date and time to the end of the filename.
-When the log is rotated a new file is created and older files
-remain untouched.
endif::serverless[]
[float]
diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc
index d6c3a0d5922..aed042ea25b 100644
--- a/libbeat/docs/release.asciidoc
+++ b/libbeat/docs/release.asciidoc
@@ -8,8 +8,10 @@ This section summarizes the changes in each release. Also read
<> for more detail about changes that affect
upgrade.
+* <>
* <>
* <>
+* <>
* <>
* <>
* <>
diff --git a/libbeat/logp/config.go b/libbeat/logp/config.go
index c5de43ae51a..1e82b6e7dd8 100644
--- a/libbeat/logp/config.go
+++ b/libbeat/logp/config.go
@@ -19,8 +19,6 @@ package logp
import (
"time"
-
- "github.com/elastic/beats/v7/libbeat/common/file"
)
// Config contains the configuration options for the logger. To create a Config
@@ -47,15 +45,14 @@ type Config struct {
// FileConfig contains the configuration options for the file output.
type FileConfig struct {
- Path string `config:"path" yaml:"path"`
- Name string `config:"name" yaml:"name"`
- Suffix file.SuffixType `config:"suffix" yaml:"suffix"`
- MaxSize uint `config:"rotateeverybytes" yaml:"rotateeverybytes" validate:"min=1"`
- MaxBackups uint `config:"keepfiles" yaml:"keepfiles" validate:"max=1024"`
- Permissions uint32 `config:"permissions"`
- Interval time.Duration `config:"interval"`
- RotateOnStartup bool `config:"rotateonstartup"`
- RedirectStderr bool `config:"redirect_stderr" yaml:"redirect_stderr"`
+ Path string `config:"path" yaml:"path"`
+ Name string `config:"name" yaml:"name"`
+ MaxSize uint `config:"rotateeverybytes" yaml:"rotateeverybytes" validate:"min=1"`
+ MaxBackups uint `config:"keepfiles" yaml:"keepfiles" validate:"max=1024"`
+ Permissions uint32 `config:"permissions"`
+ Interval time.Duration `config:"interval"`
+ RotateOnStartup bool `config:"rotateonstartup"`
+ RedirectStderr bool `config:"redirect_stderr" yaml:"redirect_stderr"`
}
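Review bot: Dropping the `Suffix` field removes the `logging.files.suffix` configuration key without a visible deprecation path, and the same removal happens to the fileout config struct in the `libbeat/outputs/fileout/config.go` hunk. With a non-strict unpack, existing configs that set `suffix: count` will load silently and get the new naming scheme; with a strict one they will fail to start. Either way this is a user-visible behaviour change and should be called out in the changelog; the release.asciidoc hunk in this diff does not show such an entry, so I cannot tell whether one exists.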
// MetricsConfig contains configuration used by the monitor to output metrics into the logstream.
@@ -76,7 +73,6 @@ func DefaultConfig(environment Environment) Config {
return Config{
Level: defaultLevel,
Files: FileConfig{
- Suffix: file.SuffixCount,
MaxSize: 10 * 1024 * 1024,
MaxBackups: 7,
Permissions: 0600,
diff --git a/libbeat/logp/core.go b/libbeat/logp/core.go
index c85a5feeaec..552c81e9201 100644
--- a/libbeat/logp/core.go
+++ b/libbeat/logp/core.go
@@ -241,7 +241,6 @@ func makeFileOutput(cfg Config) (zapcore.Core, error) {
file.Interval(cfg.Files.Interval),
file.RotateOnStartup(cfg.Files.RotateOnStartup),
file.RedirectStderr(cfg.Files.RedirectStderr),
- file.Suffix(cfg.Files.Suffix),
)
if err != nil {
return nil, errors.Wrap(err, "failed to create file rotator")
diff --git a/libbeat/logp/core_test.go b/libbeat/logp/core_test.go
index 293f57098eb..f8537eb6aa7 100644
--- a/libbeat/logp/core_test.go
+++ b/libbeat/logp/core_test.go
@@ -153,7 +153,7 @@ func TestLoggingECSFields(t *testing.T) {
Level: DebugLevel,
development: true,
Files: FileConfig{
- Name: "beat1.log",
+ Name: "beat1",
},
}
ToObserverOutput()(&cfg)
diff --git a/libbeat/mapping/field.go b/libbeat/mapping/field.go
index 13342a5f9be..9ac27d86ace 100644
--- a/libbeat/mapping/field.go
+++ b/libbeat/mapping/field.go
@@ -24,13 +24,14 @@ import (
"github.com/joeshaw/multierror"
"github.com/pkg/errors"
+ "github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/go-ucfg/yaml"
)
-//This reflects allowed attributes for field definitions in the fields.yml.
-//No logic is put into this data structure.
-//The purpose is to enable using different kinds of transformation, on top of the same data structure.
-//Current transformation:
+// This reflects allowed attributes for field definitions in the fields.yml.
+// No logic is put into this data structure.
+// The purpose is to enable using different kinds of transformation, on top of the same data structure.
+// Current transformation:
// -ElasticSearch Template
// -Kibana Index Pattern
@@ -44,8 +45,8 @@ type Field struct {
Fields Fields `config:"fields"`
MultiFields Fields `config:"multi_fields"`
Enabled *bool `config:"enabled"`
- Analyzer string `config:"analyzer"`
- SearchAnalyzer string `config:"search_analyzer"`
+ Analyzer Analyzer `config:"analyzer"`
+ SearchAnalyzer Analyzer `config:"search_analyzer"`
Norms bool `config:"norms"`
Dynamic DynamicType `config:"dynamic"`
Index *bool `config:"index"`
@@ -125,6 +126,35 @@ func (d *DynamicType) Unpack(s string) error {
return nil
}
+type Analyzer struct {
+ Name string
+ Definition interface{}
+}
+
+func (a *Analyzer) Unpack(v interface{}) error {
+ var m common.MapStr
+ switch v := v.(type) {
+ case string:
+ a.Name = v
+ return nil
+ case common.MapStr:
+ m = v
+ case map[string]interface{}:
+ m = common.MapStr(v)
+ default:
+ return fmt.Errorf("'%v' is invalid analyzer setting", v)
+ }
+
+ if len(m) != 1 {
+ return fmt.Errorf("'%v' is invalid analyzer setting", v)
+ }
+ for a.Name, a.Definition = range m {
+ break
+ }
+
+ return nil
+}
+
// Validate ensures objectTypeParams are not mixed with top level objectType configuration
func (f *Field) Validate() error {
if err := f.validateType(); err != nil {
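Review bot: `Analyzer` and its `Unpack` method are exported but carry no doc comments, and the map branch's `for a.Name, a.Definition = range m { break }` is an unusual way to read the single entry. A comment such as `// Analyzer is a field analyzer given either as a bare name ("simple") or as a single-key mapping of name to definition.` above the type, plus `// Unpack implements go-ucfg unpacking for both accepted shapes.` above the method, would document the contract. The `len(m) != 1` error reuses the generic default-case text; a specific message such as `return fmt.Errorf("analyzer setting must contain exactly one analyzer definition, got %d", len(m))` makes the config error actionable.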
@@ -264,7 +294,6 @@ func (f Fields) HasKey(key string) bool {
func (f Fields) GetField(key string) *Field {
keys := strings.Split(key, ".")
return f.getField(keys)
-
}
// HasNode checks if inside fields the given node exists
@@ -276,7 +305,6 @@ func (f Fields) HasNode(key string) bool {
}
func (f Fields) hasNode(keys []string) bool {
-
// Nothing to compare, so does not contain it
if len(keys) == 0 {
return false
@@ -286,7 +314,6 @@ func (f Fields) hasNode(keys []string) bool {
keys = keys[1:]
for _, field := range f {
-
if field.Name == key {
//// It's the last key to compare
@@ -373,7 +400,6 @@ func (f Fields) GetKeys() []string {
}
func (f Fields) getKeys(namespace string) []string {
-
var keys []string
for _, field := range f {
diff --git a/libbeat/mapping/field_test.go b/libbeat/mapping/field_test.go
index 52c03c6a018..6d69787a445 100644
--- a/libbeat/mapping/field_test.go
+++ b/libbeat/mapping/field_test.go
@@ -18,6 +18,7 @@
package mapping
import (
+ "fmt"
"strings"
"testing"
@@ -58,7 +59,8 @@ func TestFieldsHasNode(t *testing.T) {
Field{Name: "a", Fields: Fields{
Field{Name: "b", Fields: Fields{
Field{Name: "c"},
- }}}},
+ }},
+ }},
},
hasNode: true,
},
@@ -68,7 +70,8 @@ func TestFieldsHasNode(t *testing.T) {
Field{Name: "a", Fields: Fields{
Field{Name: "b", Fields: Fields{
Field{Name: "c"},
- }}}},
+ }},
+ }},
},
hasNode: true,
},
@@ -185,6 +188,46 @@ func TestDynamicYaml(t *testing.T) {
}
}
+func TestAnalyzer(t *testing.T) {
+ tests := map[string]struct {
+ input []byte
+ output Field
+ err error
+ }{
+ "simple analyzer": {
+ input: []byte(`{name: test, analyzer: simple}`),
+ output: Field{
+ Name: "test",
+ Analyzer: Analyzer{Name: "simple"},
+ },
+ err: nil,
+ },
+ "pattern analyzer": {
+ input: []byte(`{"name": "test", "analyzer": {"custom": {"type": "pattern", "pattern":"[\\W&&[^-]]+"}}}`),
+ output: Field{
+ Name: "test",
+ Analyzer: Analyzer{Name: "custom", Definition: map[string]interface{}{"type": "pattern", "pattern": "[\\W\u0026\u0026[^-]]+"}},
+ },
+ err: nil,
+ },
+ }
+
+ for name, test := range tests {
+ t.Run(name, func(t *testing.T) {
+ keys := Field{}
+
+ cfg, err := yaml.NewConfig(test.input)
+ assert.NoError(t, err)
+ err = cfg.Unpack(&keys)
+
+ if fmt.Sprint(err) != fmt.Sprint(test.err) {
+ t.Fatalf("unexpected error for %s: got:%v want:%v", name, err, test.err)
+ }
+ assert.Equal(t, test.output.Analyzer, keys.Analyzer)
+ })
+ }
+}
+
func TestGetKeys(t *testing.T) {
tests := []struct {
fields Fields
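Review bot: In TestAnalyzer, `assert.NoError(t, err)` after `yaml.NewConfig` does not stop the subtest, so a parse failure continues into `cfg.Unpack(&keys)` on a nil config and panics instead of reporting the error; use `require.NoError(t, err)` if testify's require is available, or `if err != nil { t.Fatal(err) }`. The expected pattern `"[\\W\u0026\u0026[^-]]+"` spells `&` as `\u0026` for no apparent reason; `"[\\W&&[^-]]+"` states the expectation literally and matches the input. The table's `err` field is nil in every case, so the error-comparison branch is currently unexercised.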
diff --git a/libbeat/metric/system/cgroup/util.go b/libbeat/metric/system/cgroup/util.go
index cc8d51e5ee5..70879b87738 100644
--- a/libbeat/metric/system/cgroup/util.go
+++ b/libbeat/metric/system/cgroup/util.go
@@ -29,7 +29,6 @@ import (
"github.com/pkg/errors"
"github.com/elastic/beats/v7/libbeat/logp"
- "github.com/elastic/beats/v7/libbeat/paths"
)
var (
@@ -273,14 +272,14 @@ func (r Reader) ProcessCgroupPaths(pid int) (PathList, error) {
// If it's not set, warn the user that they've hit this.
controllerPath := filepath.Join(r.cgroupMountpoints.V2Loc, path)
// Depending on the test environment, Hostfs can either be blank, or `/`
- if r.cgroupMountpoints.V2Loc == "" && len(paths.Paths.Hostfs) <= 1 {
+ if r.cgroupMountpoints.V2Loc == "" && len(r.rootfsMountpoint) <= 1 {
logp.L().Debugf(`PID %d contains a cgroups V2 path (%s) but no V2 mountpoint was found.
This may be because metricbeat is running inside a container on a hybrid system.
To monitor cgroups V2 processess in this way, mount the unified (V2) hierarchy inside
the container as /sys/fs/cgroup/unified and start metricbeat with --system.hostfs.`, pid, line)
continue
- } else if r.cgroupMountpoints.V2Loc == "" && len(paths.Paths.Hostfs) > 1 {
- controllerPath = filepath.Join(paths.Paths.Hostfs, "/sys/fs/cgroup/unified", path)
+ } else if r.cgroupMountpoints.V2Loc == "" && len(r.rootfsMountpoint) > 1 {
+ controllerPath = filepath.Join(r.rootfsMountpoint, "/sys/fs/cgroup/unified", path)
}
cgpaths, err := ioutil.ReadDir(controllerPath)
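Review bot: The comment `// Depending on the test environment, Hostfs can either be blank, or `/`` still describes `paths.Paths.Hostfs`, but the conditions below now consult `r.rootfsMountpoint`; update it to name the field actually read, e.g. `// Depending on the test environment, r.rootfsMountpoint can either be blank or "/"`. The `len(...) <= 1` / `> 1` pair is one predicate negated on both sides of the unchanged `V2Loc == ""` test; nesting the length check inside a single `if r.cgroupMountpoints.V2Loc == ""` branch would make that clearer. ProcessCgroupPaths starts and ends outside this hunk.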
diff --git a/libbeat/metric/system/cpu/cpu.go b/libbeat/metric/system/cpu/cpu.go
index 24523366413..eee30555e83 100644
--- a/libbeat/metric/system/cpu/cpu.go
+++ b/libbeat/metric/system/cpu/cpu.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || openbsd || windows
-// +build darwin freebsd linux openbsd windows
+//go:build darwin || freebsd || linux || openbsd || windows || aix
+// +build darwin freebsd linux openbsd windows aix
package cpu
diff --git a/libbeat/metric/system/process/process.go b/libbeat/metric/system/process/process.go
index 65b86f5ab67..b5a1f486d9d 100644
--- a/libbeat/metric/system/process/process.go
+++ b/libbeat/metric/system/process/process.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || windows
-// +build darwin freebsd linux windows
+//go:build darwin || freebsd || linux || windows || aix
+// +build darwin freebsd linux windows aix
package process
diff --git a/libbeat/outputs/fileout/config.go b/libbeat/outputs/fileout/config.go
index 28441c93bb0..e80f0a27be9 100644
--- a/libbeat/outputs/fileout/config.go
+++ b/libbeat/outputs/fileout/config.go
@@ -25,19 +25,17 @@ import (
)
type config struct {
- Path string `config:"path"`
- Filename string `config:"filename"`
- Suffix file.SuffixType `config:"suffix"`
- RotateEveryKb uint `config:"rotate_every_kb" validate:"min=1"`
- NumberOfFiles uint `config:"number_of_files"`
- Codec codec.Config `config:"codec"`
- Permissions uint32 `config:"permissions"`
- RotateOnStartup bool `config:"rotate_on_startup"`
+ Path string `config:"path"`
+ Filename string `config:"filename"`
+ RotateEveryKb uint `config:"rotate_every_kb" validate:"min=1"`
+ NumberOfFiles uint `config:"number_of_files"`
+ Codec codec.Config `config:"codec"`
+ Permissions uint32 `config:"permissions"`
+ RotateOnStartup bool `config:"rotate_on_startup"`
}
func defaultConfig() config {
return config{
- Suffix: file.SuffixCount,
NumberOfFiles: 7,
RotateEveryKb: 10 * 1024,
Permissions: 0600,
diff --git a/libbeat/outputs/fileout/file.go b/libbeat/outputs/fileout/file.go
index 48a65adc1c0..b4a10e38396 100644
--- a/libbeat/outputs/fileout/file.go
+++ b/libbeat/outputs/fileout/file.go
@@ -84,7 +84,6 @@ func (out *fileOutput) init(beat beat.Info, c config) error {
var err error
out.rotator, err = file.NewFileRotator(
path,
- file.Suffix(c.Suffix),
file.MaxSizeBytes(c.RotateEveryKb*1024),
file.MaxBackups(c.NumberOfFiles),
file.Permissions(os.FileMode(c.Permissions)),
diff --git a/libbeat/outputs/kafka/kafka.go b/libbeat/outputs/kafka/kafka.go
index 9be3970b1c4..8f06398eb0c 100644
--- a/libbeat/outputs/kafka/kafka.go
+++ b/libbeat/outputs/kafka/kafka.go
@@ -18,9 +18,6 @@
package kafka
import (
- "errors"
- "time"
-
"github.com/Shopify/sarama"
"github.com/elastic/beats/v7/libbeat/beat"
@@ -32,20 +29,9 @@ import (
)
const (
- defaultWaitRetry = 1 * time.Second
-
- // NOTE: maxWaitRetry has no effect on mode, as logstash client currently does
- // not return ErrTempBulkFailure
- defaultMaxWaitRetry = 60 * time.Second
-
logSelector = "kafka"
)
-var (
- errNoTopicSet = errors.New("No topic configured")
- errNoHosts = errors.New("No hosts configured")
-)
-
func init() {
sarama.Logger = kafkaLogger{log: logp.NewLogger(logSelector)}
diff --git a/libbeat/outputs/kafka/kafka_integration_test.go b/libbeat/outputs/kafka/kafka_integration_test.go
index 0cc751d99b9..2be42f639e7 100644
--- a/libbeat/outputs/kafka/kafka_integration_test.go
+++ b/libbeat/outputs/kafka/kafka_integration_test.go
@@ -45,8 +45,9 @@ import (
)
const (
- kafkaDefaultHost = "localhost"
- kafkaDefaultPort = "9092"
+ kafkaDefaultHost = "kafka"
+ kafkaDefaultPort = "9092"
+ kafkaDefaultSASLPort = "9093"
)
type eventInfo struct {
@@ -183,6 +184,37 @@ func TestKafkaPublish(t *testing.T) {
"type": "log",
}),
},
+ {
+ "publish single event to test topic",
+ map[string]interface{}{},
+ testTopic,
+ single(common.MapStr{
+ "host": "test-host",
+ "message": id,
+ }),
+ },
+ {
+ // Initially I tried rerunning all tests over SASL/SCRAM, but
+ // that added a full 30sec to the test. Instead most tests run
+ // in plaintext, and individual tests can switch to SCRAM
+ // by inserting the config in this example:
+ "publish single event to test topic over SASL/SCRAM",
+ map[string]interface{}{
+ "hosts": []string{getTestSASLKafkaHost()},
+ "protocol": "https",
+ "sasl.mechanism": "SCRAM-SHA-512",
+ "ssl.certificate_authorities": []string{
+ "../../../testing/environments/docker/kafka/certs/ca-cert",
+ },
+ "username": "beats",
+ "password": "KafkaTest",
+ },
+ testTopic,
+ single(common.MapStr{
+ "host": "test-host",
+ "message": id,
+ }),
+ },
}
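Review bot: The SASL/SCRAM case passes `"protocol": "https"`, which I do not believe is a setting of the kafka output; TLS is enabled through the `ssl.*` keys, so if unknown keys are ignored the entry is dead and if they are rejected the case fails to configure. Please confirm against the output's config struct and drop it if so. The username and password are fixed to the docker fixture values while the host is already read from the environment via getTestSASLKafkaHost; reading them the same way, `getenv("KAFKA_USERNAME", "beats")` and `getenv("KAFKA_PASSWORD", "KafkaTest")`, keeps the test runnable against other brokers.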
defaultConfig := map[string]interface{}{
@@ -322,6 +354,13 @@ func getTestKafkaHost() string {
)
}
+func getTestSASLKafkaHost() string {
+ return fmt.Sprintf("%v:%v",
+ getenv("KAFKA_HOST", kafkaDefaultHost),
+ getenv("KAFKA_SASL_PORT", kafkaDefaultSASLPort),
+ )
+}
+
func makeConfig(t *testing.T, in map[string]interface{}) *common.Config {
cfg, err := common.NewConfigFrom(in)
if err != nil {
diff --git a/libbeat/paths/paths.go b/libbeat/paths/paths.go
index 25fbf2697e6..53cabb9f956 100644
--- a/libbeat/paths/paths.go
+++ b/libbeat/paths/paths.go
@@ -189,6 +189,6 @@ func Resolve(fileType FileType, path string) string {
// String returns a textual representation
func (paths *Path) String() string {
- return fmt.Sprintf("Home path: [%s] Config path: [%s] Data path: [%s] Logs path: [%s]",
- paths.Home, paths.Config, paths.Data, paths.Logs)
+ return fmt.Sprintf("Home path: [%s] Config path: [%s] Data path: [%s] Logs path: [%s] Hostfs Path: [%s]",
+ paths.Home, paths.Config, paths.Data, paths.Logs, paths.Hostfs)
}
diff --git a/libbeat/processors/add_kubernetes_metadata/config.go b/libbeat/processors/add_kubernetes_metadata/config.go
index 6e738403087..ecc9b5919fe 100644
--- a/libbeat/processors/add_kubernetes_metadata/config.go
+++ b/libbeat/processors/add_kubernetes_metadata/config.go
@@ -69,5 +69,37 @@ func (k *kubeAnnotatorConfig) Validate() error {
k.Host = ""
}
+ // Checks below were added to warn the users early on and avoid initialising the processor in case the `logs_path`
+ // matcher config is not valid: supported paths defined as a `logs_path` configuration setting are strictly defined
+ // if `resource_type` is set
+ for _, matcher := range k.Matchers {
+ if matcherCfg, ok := matcher["logs_path"]; ok {
+ if matcherCfg.HasField("resource_type") {
+ logsPathMatcher := struct {
+ LogsPath string `config:"logs_path"`
+ ResourceType string `config:"resource_type"`
+ }{}
+
+ err := matcherCfg.Unpack(&logsPathMatcher)
+ if err != nil {
+ return fmt.Errorf("fail to unpack the `logs_path` matcher configuration: %s", err)
+ }
+ if logsPathMatcher.LogsPath == "" {
+ return fmt.Errorf("invalid logs_path matcher configuration: when resource_type is defined, logs_path must be set as well")
+ }
+ if logsPathMatcher.ResourceType != "pod" && logsPathMatcher.ResourceType != "container" {
+ return fmt.Errorf("invalid resource_type %s, valid values include `pod`, `container`", logsPathMatcher.ResourceType)
+ }
+ if logsPathMatcher.ResourceType == "pod" && !(logsPathMatcher.LogsPath == "/var/lib/kubelet/pods/" || logsPathMatcher.LogsPath == "/var/log/pods/") {
+ return fmt.Errorf("invalid logs_path defined for resource_type: %s, valid values include `/var/lib/kubelet/pods/`, `/var/log/pods/`", logsPathMatcher.ResourceType)
+ }
+ if logsPathMatcher.ResourceType == "container" && logsPathMatcher.LogsPath != "/var/log/containers/" {
+ return fmt.Errorf("invalid logs_path defined for resource_type: %s, valid value is `/var/log/containers/`", logsPathMatcher.ResourceType)
+ }
+ }
+
+ }
+ }
+
return nil
}
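Review bot: The two `invalid logs_path defined for resource_type: %s` errors print the resource type but not the rejected `logs_path` value, so the user learns which resource type failed but not which path was wrong; e.g. `return fmt.Errorf("invalid logs_path %q for resource_type %s, valid values include /var/lib/kubelet/pods/, /var/log/pods/", logsPathMatcher.LogsPath, logsPathMatcher.ResourceType)`. The unpack failure is formatted with `%s`; `%w` preserves the cause for errors.Is/As. There is also a stray blank line before the inner closing brace. Validate's opening lines are outside this hunk.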
diff --git a/libbeat/processors/add_kubernetes_metadata/config_test.go b/libbeat/processors/add_kubernetes_metadata/config_test.go
index 3bdcf34a1d7..f7cc83812f6 100644
--- a/libbeat/processors/add_kubernetes_metadata/config_test.go
+++ b/libbeat/processors/add_kubernetes_metadata/config_test.go
@@ -60,3 +60,76 @@ func TestConfigValidate(t *testing.T) {
}
}
}
+
+func TestConfigValidate_LogsPatchMatcher(t *testing.T) {
+ tests := []struct {
+ matcherName string
+ matcherConfig map[string]interface{}
+ error bool
+ }{
+ {
+ matcherName: "",
+ matcherConfig: map[string]interface{}{},
+ error: false,
+ },
+ {
+ matcherName: "logs_path",
+ matcherConfig: map[string]interface{}{
+ "resource_type": "pod",
+ },
+ error: true,
+ },
+ {
+ matcherName: "logs_path",
+ matcherConfig: map[string]interface{}{
+ "resource_type": "pod",
+ "invalid_field": "invalid_value",
+ },
+ error: true,
+ },
+ {
+ matcherName: "logs_path",
+ matcherConfig: map[string]interface{}{
+ "resource_type": "pod",
+ "logs_path": "/var/log/invalid/path/",
+ },
+ error: true,
+ },
+ {
+ matcherName: "logs_path",
+ matcherConfig: map[string]interface{}{
+ "resource_type": "pod",
+ "logs_path": "/var/log/pods/",
+ },
+ error: false,
+ },
+ {
+ matcherName: "logs_path",
+ matcherConfig: map[string]interface{}{
+ "resource_type": "container",
+ "logs_path": "/var/log/containers/",
+ },
+ error: false,
+ },
+ }
+
+ for _, test := range tests {
+ cfg, _ := common.NewConfigFrom(test.matcherConfig)
+
+ c := defaultKubernetesAnnotatorConfig()
+ c.DefaultMatchers = Enabled{false}
+
+ err := cfg.Unpack(&c)
+ c.Matchers = PluginConfig{
+ {
+ test.matcherName: *cfg,
+ },
+ }
+ err = c.Validate()
+ if test.error {
+ require.NotNil(t, err)
+ } else {
+ require.Nil(t, err)
+ }
+ }
+}
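Review bot: The error from `common.NewConfigFrom(test.matcherConfig)` and the first `err := cfg.Unpack(&c)` are both discarded, so a malformed table entry would show up as a confusing Validate result instead of a test failure; `cfg, err := common.NewConfigFrom(test.matcherConfig); require.NoError(t, err)` and `require.NoError(t, cfg.Unpack(&c))` pin both. The test name `TestConfigValidate_LogsPatchMatcher` looks like a typo for `LogsPathMatcher`. The table has no case for `resource_type: container` with a wrong path nor for an unknown `resource_type` value, although both are separate branches in Validate, and the `invalid_field` case already fails on the missing `logs_path`, so it presumably does not exercise unknown-field handling at all.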
diff --git a/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc b/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc
index 4c7fdba7503..71af7e00dc6 100644
--- a/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc
+++ b/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc
@@ -83,10 +83,29 @@ the `log.file.path` field.
This matcher has the following configuration settings:
`logs_path`:: (Optional) Base path of container logs. If not specified, it uses
-the default logs path of the platform where {beatname_uc} is running.
-`resource_type`:: (Optional) Type of the resource to obtain the ID of. It can be
-`pod`, to make the lookup based on the pod UID, or `container`, to make the
-lookup based on the container ID. It defaults to `container`.
+the default logs path of the platform where {beatname_uc} is running: for Linux -
+`/var/lib/docker/containers/`, Windows - `C:\\ProgramData\\Docker\\containers`.
+To change the default value: container ID must follow right after the `logs_path` -
+`/`, where `container_id` is a 64-character-long
+hexadecimal string.
+
+`resource_type`:: (Optional) Type of the resource to obtain the ID of.
+Valid `resource_type`:
+* `pod`: to make the lookup based on the pod UID. When `resource_type` is set to
+`pod`, `logs_path` must be set as well, supported path in this case:
+** `/var/lib/kubelet/pods/` used to read logs from mounted into the pod volumes,
+those logs end up under `/var/lib/kubelet/pods//volumes//...`
+To use `/var/lib/kubelet/pods/` as a `log_path`, `/var/lib/kubelet/pods` must be
+mounted into the filebeat Pods.
+** `/var/log/pods/`
+Note: when using `resource_type: 'pod'` logs will be enriched only with pod
+metadata: pod id, pod name, etc., not container metadata.
+*`container`: to make the lookup based on the container ID, `logs_path` must
+be set to `/var/log/containers/`.
+It defaults to `container`.
+
+To be able to use `logs_path` matcher filebeat input path must be a subdirectory
+of directory defined in `logs_path` configuration setting.
The default configuration is able to lookup the metadata using the container ID
when the logs are collected from the default docker logs path
diff --git a/libbeat/reader/readfile/line_terminator.go b/libbeat/reader/readfile/line_terminator.go
index 68ab24736c2..bcd82e36741 100644
--- a/libbeat/reader/readfile/line_terminator.go
+++ b/libbeat/reader/readfile/line_terminator.go
@@ -44,6 +44,8 @@ const (
LineSeparator
// ParagraphSeparator is the unicode char PS
ParagraphSeparator
+ // NullTerminator
+ NullTerminator
)
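Review bot: The comment on the new constant, `// NullTerminator`, carries no description while every neighbouring entry explains which character it is; `// NullTerminator is the NUL character (U+0000)` matches the surrounding style. The const block starts before the hunk.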
var (
@@ -57,6 +59,7 @@ var (
"next_line": NextLine,
"line_separator": LineSeparator,
"paragraph_separator": ParagraphSeparator,
+ "null_terminator": NullTerminator,
}
lineTerminatorCharacters = map[LineTerminator][]byte{
@@ -69,6 +72,7 @@ var (
NextLine: []byte{'\u0085'},
LineSeparator: []byte("\u2028"),
ParagraphSeparator: []byte("\u2029"),
+ NullTerminator: []byte{'\u0000'},
}
)
diff --git a/libbeat/template/load_test.go b/libbeat/template/load_test.go
index 75096e559f2..017f53639fa 100644
--- a/libbeat/template/load_test.go
+++ b/libbeat/template/load_test.go
@@ -18,6 +18,7 @@
package template
import (
+ "errors"
"fmt"
"testing"
@@ -38,19 +39,24 @@ func TestFileLoader_Load(t *testing.T) {
for name, test := range map[string]struct {
settings TemplateSettings
body common.MapStr
+ fields []byte
+ want common.MapStr
+ wantErr error
}{
"load minimal config info": {
body: common.MapStr{
"index_patterns": []string{"mock-7.0.0-*"},
"order": order,
- "settings": common.MapStr{"index": nil}},
+ "settings": common.MapStr{"index": nil},
+ },
},
"load minimal config with index settings": {
settings: TemplateSettings{Index: common.MapStr{"code": "best_compression"}},
body: common.MapStr{
"index_patterns": []string{"mock-7.0.0-*"},
"order": order,
- "settings": common.MapStr{"index": common.MapStr{"code": "best_compression"}}},
+ "settings": common.MapStr{"index": common.MapStr{"code": "best_compression"}},
+ },
},
"load minimal config with source settings": {
settings: TemplateSettings{Source: common.MapStr{"enabled": false}},
@@ -64,7 +70,134 @@ func TestFileLoader_Load(t *testing.T) {
"date_detection": false,
"dynamic_templates": nil,
"properties": nil,
- }},
+ },
+ },
+ },
+ "load config and in-line analyzer fields": {
+ body: common.MapStr{
+ "index_patterns": []string{"mock-7.0.0-*"},
+ "order": order,
+ "settings": common.MapStr{"index": nil},
+ },
+ fields: []byte(`- key: test
+ title: Test fields.yml with analyzer
+ description: >
+ Contains text fields with in-line analyzer for testing
+ fields:
+ - name: script_block_text
+ type: text
+ analyzer:
+ test_powershell:
+ type: pattern
+ pattern: "[\\W&&[^-]]+"
+
+ - name: code_block_text
+ type: text
+ analyzer:
+ test_powershell:
+ type: pattern
+ pattern: "[\\W&&[^-]]+"
+
+ - name: standard_text
+ type: text
+ analyzer: simple
+`),
+ want: common.MapStr{
+ "index_patterns": []string{
+ "mock-7.0.0-*",
+ },
+ "order": 1,
+ "mappings": common.MapStr{
+ "_meta": common.MapStr{
+ "version": "7.0.0",
+ "beat": "mock",
+ },
+ "date_detection": false,
+ "dynamic_templates": []common.MapStr{
+ {
+ "strings_as_keyword": common.MapStr{
+ "mapping": common.MapStr{
+ "ignore_above": 1024,
+ "type": "keyword",
+ },
+ "match_mapping_type": "string",
+ },
+ },
+ },
+ "properties": common.MapStr{
+ "code_block_text": common.MapStr{
+ "type": "text",
+ "norms": false,
+ "analyzer": "test_powershell",
+ },
+ "script_block_text": common.MapStr{
+ "type": "text",
+ "norms": false,
+ "analyzer": "test_powershell",
+ },
+ "standard_text": common.MapStr{
+ "type": "text",
+ "norms": false,
+ "analyzer": "simple",
+ },
+ },
+ },
+ "settings": common.MapStr{
+ "index": common.MapStr{
+ "refresh_interval": "5s",
+ "mapping": common.MapStr{
+ "total_fields": common.MapStr{
+ "limit": 10000,
+ },
+ },
+ "query": common.MapStr{
+ "default_field": []string{
+ "fields.*",
+ },
+ },
+ "max_docvalue_fields_search": 200,
+ },
+ "analysis": common.MapStr{
+ "analyzer": common.MapStr{
+ "test_powershell": map[string]interface{}{
+ "type": "pattern",
+ "pattern": "[\\W&&[^-]]+",
+ },
+ },
+ },
+ },
+ },
+ },
+ "load config and in-line analyzer fields with name collision": {
+ body: common.MapStr{
+ "index_patterns": []string{"mock-7.0.0-*"},
+ "order": order,
+ "settings": common.MapStr{"index": nil},
+ },
+ fields: []byte(`- key: test
+ title: Test fields.yml with analyzer
+ description: >
+ Contains text fields with in-line analyzer for testing
+ fields:
+ - name: script_block_text
+ type: text
+ analyzer:
+ test_powershell:
+ type: pattern
+ pattern: "[\\W&&[^-]]+"
+
+ - name: code_block_text
+ type: text
+ analyzer:
+ test_powershell:
+ type: pattern
+ pattern: "[\\W&&[^*-]]+"
+
+ - name: standard_text
+ type: text
+ analyzer: simple
+`),
+ wantErr: errors.New(`error creating template: inconsistent definitions for analyzers with the name "test_powershell"`),
},
} {
t.Run(name, func(t *testing.T) {
@@ -75,11 +208,18 @@ func TestFileLoader_Load(t *testing.T) {
cfg := DefaultConfig()
cfg.Settings = test.settings
- err = fl.Load(cfg, info, nil, false)
- require.NoError(t, err)
+ err = fl.Load(cfg, info, test.fields, false)
+ require.Equal(t, test.wantErr, err)
+ if err != nil {
+ return
+ }
assert.Equal(t, "template", fc.component)
assert.Equal(t, tmplName, fc.name)
- assert.Equal(t, test.body.StringToPrint()+"\n", fc.body)
+ want := test.body
+ if test.fields != nil {
+ want = test.want
+ }
+ assert.Equal(t, want.StringToPrint()+"\n", fc.body)
})
}
}
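Review bot: `require.Equal(t, test.wantErr, err)` compares the `errors.New` value structurally, so it only holds while Load returns an unwrapped `*errors.errorString` with exactly that text; wrapping the error with `%w` or returning a different error type would break the table without the message changing. Comparing by message is the contract the test actually cares about: `if test.wantErr != nil { require.EqualError(t, err, test.wantErr.Error()); return }` followed by `require.NoError(t, err)`. The enclosing test function starts before the hunk.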
diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go
index 15cea8aed0d..a9489a35a11 100644
--- a/libbeat/template/processor.go
+++ b/libbeat/template/processor.go
@@ -20,6 +20,7 @@ package template
import (
"errors"
"fmt"
+ "reflect"
"strings"
"github.com/elastic/beats/v7/libbeat/common"
@@ -63,7 +64,7 @@ type fieldState struct {
}
// Process recursively processes the given fields and writes the template in the given output
-func (p *Processor) Process(fields mapping.Fields, state *fieldState, output common.MapStr) error {
+func (p *Processor) Process(fields mapping.Fields, state *fieldState, output, analyzers common.MapStr) error {
if state == nil {
// Set the defaults.
state = &fieldState{DefaultField: DefaultField}
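Review bot: The doc comment on `Process` was not updated for the new `analyzers` parameter, so a reader cannot tell that it is an output accumulator rather than an input. Suggest `// Process recursively processes the given fields and writes the template in the given output. Analyzer definitions found on text fields are collected into analyzers, keyed by analyzer name; the map must be non-nil.` The non-nil requirement is inferred from the later `analyzers.Put` call, so confirm it before documenting it.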
@@ -78,7 +79,10 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com
if field.DefaultField == nil {
field.DefaultField = &state.DefaultField
}
- var indexMapping common.MapStr
+ var (
+ indexMapping common.MapStr
+ analyzer, searchAnalyzer mapping.Analyzer
+ )
switch field.Type {
case "ip":
@@ -90,23 +94,23 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com
case "integer":
indexMapping = p.integer(&field)
case "text":
- indexMapping = p.text(&field)
+ indexMapping, analyzer, searchAnalyzer = p.text(&field, analyzers)
case "match_only_text":
noMatchOnlyText := p.EsVersion.LessThan(minVersionMatchOnlyText)
if !p.ElasticLicensed || noMatchOnlyText {
- indexMapping = p.text(&field)
+ indexMapping, analyzer, searchAnalyzer = p.text(&field, analyzers)
} else {
- indexMapping = p.matchOnlyText(&field)
+ indexMapping, analyzer, searchAnalyzer = p.matchOnlyText(&field, analyzers)
}
case "wildcard":
noWildcards := p.EsVersion.LessThan(minVersionWildcard)
if !p.ElasticLicensed || noWildcards {
- indexMapping = p.keyword(&field)
+ indexMapping = p.keyword(&field, analyzers)
} else {
- indexMapping = p.wildcard(&field)
+ indexMapping = p.wildcard(&field, analyzers)
}
case "", "keyword":
- indexMapping = p.keyword(&field)
+ indexMapping = p.keyword(&field, analyzers)
case "object":
indexMapping = p.object(&field)
case "array":
@@ -116,13 +120,13 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com
case "histogram":
indexMapping = p.histogram(&field)
case "nested":
- mapping, err := p.nested(&field, output)
+ mapping, err := p.nested(&field, output, analyzers)
if err != nil {
return err
}
indexMapping = mapping
case "group":
- mapping, err := p.group(&field, output)
+ mapping, err := p.group(&field, output, analyzers)
if err != nil {
return err
}
@@ -149,6 +153,23 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com
output.Put(mapping.GenerateKey(field.Name), indexMapping)
}
}
+
+ for _, a := range []mapping.Analyzer{
+ analyzer, searchAnalyzer,
+ } {
+ if a.Definition != nil {
+ prev, err := analyzers.Put(a.Name, a.Definition)
+ if err != nil {
+ // Should never happen.
+ return err
+ }
+ if prev != nil {
+ if !reflect.DeepEqual(prev, a.Definition) {
+ return fmt.Errorf("inconsistent definitions for analyzers with the name %q", a.Name)
+ }
+ }
+ }
+ }
}
return nil
}
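Review bot: The consistency check runs only after `analyzers.Put` has already replaced the previous definition, so any caller that ignores the returned error ends up with the later definition silently winning; comparing first and writing only on success (`if prev, ok := analyzers[a.Name]; ok && !reflect.DeepEqual(prev, a.Definition) { return fmt.Errorf(...) }` then `analyzers[a.Name] = a.Definition`) leaves the map untouched on conflict. Direct map access also avoids Put treating a dot in an analyzer name as a nested path, which is presumably the case the `// Should never happen.` branch is guarding, and it makes the behaviour with a nil `analyzers` map explicit rather than a panic. Process begins before the hunk.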
@@ -204,8 +225,8 @@ func (p *Processor) scaledFloat(f *mapping.Field, params ...common.MapStr) commo
return property
}
-func (p *Processor) nested(f *mapping.Field, output common.MapStr) (common.MapStr, error) {
- mapping, err := p.group(f, output)
+func (p *Processor) nested(f *mapping.Field, output, analyzers common.MapStr) (common.MapStr, error) {
+ mapping, err := p.group(f, output, analyzers)
if err != nil {
return nil, err
}
@@ -213,7 +234,7 @@ func (p *Processor) nested(f *mapping.Field, output common.MapStr) (common.MapSt
return mapping, nil
}
-func (p *Processor) group(f *mapping.Field, output common.MapStr) (common.MapStr, error) {
+func (p *Processor) group(f *mapping.Field, output, analyzers common.MapStr) (common.MapStr, error) {
indexMapping := common.MapStr{}
if f.Dynamic.Value != nil {
indexMapping["dynamic"] = f.Dynamic.Value
@@ -236,7 +257,7 @@ func (p *Processor) group(f *mapping.Field, output common.MapStr) (common.MapStr
if f.Path != "" {
groupState.Path = f.Path + "." + f.Name
}
- if err := p.Process(f.Fields, groupState, properties); err != nil {
+ if err := p.Process(f.Fields, groupState, properties, analyzers); err != nil {
return nil, err
}
if len(properties) != 0 {
@@ -285,7 +306,7 @@ func stateFromField(f *mapping.Field) *fieldState {
return st
}
-func (p *Processor) keyword(f *mapping.Field) common.MapStr {
+func (p *Processor) keyword(f *mapping.Field, analyzers common.MapStr) common.MapStr {
property := p.getDefaultProperties(f)
property["type"] = "keyword"
@@ -305,14 +326,14 @@ func (p *Processor) keyword(f *mapping.Field) common.MapStr {
if len(f.MultiFields) > 0 {
fields := common.MapStr{}
- p.Process(f.MultiFields, stateFromField(f), fields)
+ p.Process(f.MultiFields, stateFromField(f), fields, analyzers)
property["fields"] = fields
}
return property
}
-func (p *Processor) wildcard(f *mapping.Field) common.MapStr {
+func (p *Processor) wildcard(f *mapping.Field, analyzers common.MapStr) common.MapStr {
property := p.getDefaultProperties(f)
property["type"] = "wildcard"
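Review bot: The error returned by `p.Process(f.MultiFields, stateFromField(f), fields, analyzers)` is still discarded here, and Process can now fail with the new inconsistent-analyzer error, so a conflicting analyzer definition inside a multi-field is silently accepted while the same conflict at top level is rejected. The same dropped return value appears in the wildcard hunk below and in the text and matchOnlyText bodies of the last processor.go hunk. Returning the error from keyword/wildcard/text/matchOnlyText is the consistent fix; if that signature change is out of scope, at least log it so the conflict is visible. keyword's body starts before the hunk.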
@@ -327,15 +348,15 @@ func (p *Processor) wildcard(f *mapping.Field) common.MapStr {
if len(f.MultiFields) > 0 {
fields := common.MapStr{}
- p.Process(f.MultiFields, stateFromField(f), fields)
+ p.Process(f.MultiFields, stateFromField(f), fields, analyzers)
property["fields"] = fields
}
return property
}
-func (p *Processor) text(f *mapping.Field) common.MapStr {
- properties := p.getDefaultProperties(f)
+func (p *Processor) text(f *mapping.Field, analyzers common.MapStr) (properties common.MapStr, analyzer, searchAnalyzer mapping.Analyzer) {
+ properties = p.getDefaultProperties(f)
properties["type"] = "text"
@@ -353,43 +374,47 @@ func (p *Processor) text(f *mapping.Field) common.MapStr {
}
}
- if f.Analyzer != "" {
- properties["analyzer"] = f.Analyzer
+ if f.Analyzer.Name != "" {
+ properties["analyzer"] = f.Analyzer.Name
+ analyzer = f.Analyzer
}
- if f.SearchAnalyzer != "" {
- properties["search_analyzer"] = f.SearchAnalyzer
+ if f.SearchAnalyzer.Name != "" {
+ properties["search_analyzer"] = f.SearchAnalyzer.Name
+ searchAnalyzer = f.SearchAnalyzer
}
if len(f.MultiFields) > 0 {
fields := common.MapStr{}
- p.Process(f.MultiFields, stateFromField(f), fields)
+ p.Process(f.MultiFields, stateFromField(f), fields, analyzers)
properties["fields"] = fields
}
- return properties
+ return properties, analyzer, searchAnalyzer
}
-func (p *Processor) matchOnlyText(f *mapping.Field) common.MapStr {
- properties := p.getDefaultProperties(f)
+func (p *Processor) matchOnlyText(f *mapping.Field, analyzers common.MapStr) (properties common.MapStr, analyzer, searchAnalyzer mapping.Analyzer) {
+ properties = p.getDefaultProperties(f)
properties["type"] = "match_only_text"
- if f.Analyzer != "" {
+ if f.Analyzer.Name != "" {
properties["analyzer"] = f.Analyzer
+ analyzer = f.Analyzer
}
- if f.SearchAnalyzer != "" {
+ if f.SearchAnalyzer.Name != "" {
properties["search_analyzer"] = f.SearchAnalyzer
+ searchAnalyzer = f.SearchAnalyzer
}
if len(f.MultiFields) > 0 {
fields := common.MapStr{}
- p.Process(f.MultiFields, nil, fields)
+ p.Process(f.MultiFields, nil, fields, analyzers)
properties["fields"] = fields
}
- return properties
+ return properties, analyzer, searchAnalyzer
}
func (p *Processor) array(f *mapping.Field) common.MapStr {
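Review bot: In matchOnlyText, `properties["analyzer"] = f.Analyzer` and `properties["search_analyzer"] = f.SearchAnalyzer` now store the whole `mapping.Analyzer` value since the field became a struct, whereas `text` in the same hunk writes `f.Analyzer.Name`; unless `mapping.Analyzer` marshals itself as its name, the generated match_only_text mapping will contain a struct where Elasticsearch expects the analyzer name string. Align the two: `properties["analyzer"] = f.Analyzer.Name` and `properties["search_analyzer"] = f.SearchAnalyzer.Name`. No test in this change exercises matchOnlyText with an analyzer set, which is presumably why it was not caught.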
diff --git a/libbeat/template/processor_test.go b/libbeat/template/processor_test.go
index 9c2156c5cca..c686f2e4738 100644
--- a/libbeat/template/processor_test.go
+++ b/libbeat/template/processor_test.go
@@ -128,7 +128,7 @@ func TestProcessor(t *testing.T) {
},
},
{
- output: p.text(&mapping.Field{Type: "text", Analyzer: "autocomplete"}),
+ output: fieldsOnly(p.text(&mapping.Field{Type: "text", Analyzer: mapping.Analyzer{Name: "autocomplete"}}, nil)),
expected: common.MapStr{
"type": "text",
"analyzer": "autocomplete",
@@ -136,21 +136,21 @@ func TestProcessor(t *testing.T) {
},
},
{
- output: p.text(&mapping.Field{Type: "text", Analyzer: "autocomplete", Norms: true}),
+ output: fieldsOnly(p.text(&mapping.Field{Type: "text", Analyzer: mapping.Analyzer{Name: "autocomplete"}, Norms: true}, nil)),
expected: common.MapStr{
"type": "text",
"analyzer": "autocomplete",
},
},
{
- output: p.text(&mapping.Field{Type: "text", SearchAnalyzer: "standard", Norms: true}),
+ output: fieldsOnly(p.text(&mapping.Field{Type: "text", SearchAnalyzer: mapping.Analyzer{Name: "standard"}, Norms: true}, nil)),
expected: common.MapStr{
"type": "text",
"search_analyzer": "standard",
},
},
{
- output: p.text(&mapping.Field{Type: "text", Analyzer: "autocomplete", SearchAnalyzer: "standard", Norms: true}),
+ output: fieldsOnly(p.text(&mapping.Field{Type: "text", Analyzer: mapping.Analyzer{Name: "autocomplete"}, SearchAnalyzer: mapping.Analyzer{Name: "standard"}, Norms: true}, nil)),
expected: common.MapStr{
"type": "text",
"analyzer": "autocomplete",
@@ -158,7 +158,7 @@ func TestProcessor(t *testing.T) {
},
},
{
- output: p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{mapping.Field{Name: "raw", Type: "keyword"}}, Norms: true}),
+ output: fieldsOnly(p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{mapping.Field{Name: "raw", Type: "keyword"}}, Norms: true}, nil)),
expected: common.MapStr{
"type": "text",
"fields": common.MapStr{
@@ -170,7 +170,7 @@ func TestProcessor(t *testing.T) {
},
},
{
- output: p.keyword(&mapping.Field{Type: "keyword", MultiFields: mapping.Fields{mapping.Field{Name: "analyzed", Type: "text", Norms: true}}}),
+ output: p.keyword(&mapping.Field{Type: "keyword", MultiFields: mapping.Fields{mapping.Field{Name: "analyzed", Type: "text", Norms: true}}}, nil),
expected: common.MapStr{
"type": "keyword",
"ignore_above": 1024,
@@ -182,30 +182,30 @@ func TestProcessor(t *testing.T) {
},
},
{
- output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: 256}),
+ output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: 256}, nil),
expected: common.MapStr{
"type": "keyword",
"ignore_above": 256,
},
},
{
- output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: -1}),
+ output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: -1}, nil),
expected: common.MapStr{
"type": "keyword",
},
},
{
- output: p.keyword(&mapping.Field{Type: "keyword"}),
+ output: p.keyword(&mapping.Field{Type: "keyword"}, nil),
expected: common.MapStr{
"type": "keyword",
"ignore_above": 1024,
},
},
{
- output: p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{
+ output: fieldsOnly(p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{
mapping.Field{Name: "raw", Type: "keyword"},
mapping.Field{Name: "indexed", Type: "text"},
- }, Norms: true}),
+ }, Norms: true}, nil)),
expected: common.MapStr{
"type": "text",
"fields": common.MapStr{
@@ -221,10 +221,10 @@ func TestProcessor(t *testing.T) {
},
},
{
- output: p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{
+ output: fieldsOnly(p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{
mapping.Field{Name: "raw", Type: "keyword"},
mapping.Field{Name: "indexed", Type: "text"},
- }, Norms: true}),
+ }, Norms: true}, nil)),
expected: common.MapStr{
"type": "text",
"fields": common.MapStr{
@@ -335,6 +335,10 @@ func TestProcessor(t *testing.T) {
}
}
+func fieldsOnly(f common.MapStr, _, _ mapping.Analyzer) common.MapStr {
+ return f
+}
+
func TestDynamicTemplates(t *testing.T) {
tests := []struct {
field mapping.Field
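Review bot: `fieldsOnly` has no doc comment and its purpose, dropping the two analyzer results of `text`/`matchOnlyText` so the mapping can be compared directly, is only clear from its call sites; `// fieldsOnly discards the analyzer return values of text and matchOnlyText so the mapping can be compared in table tests.` would make that explicit.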
@@ -526,11 +530,12 @@ func TestDynamicTemplates(t *testing.T) {
for _, test := range tests {
output := make(common.MapStr)
+ analyzers := make(common.MapStr)
p := &Processor{EsVersion: *common.MustNewVersion("8.0.0")}
err := p.Process(mapping.Fields{
test.field,
test.field, // should not be added twice
- }, &fieldState{Path: test.field.Path}, output)
+ }, &fieldState{Path: test.field.Path}, output, analyzers)
require.NoError(t, err)
assert.Equal(t, test.expected, p.dynamicTemplates)
}
@@ -562,13 +567,14 @@ func TestPropertiesCombine(t *testing.T) {
}
output := common.MapStr{}
+ analyzers := common.MapStr{}
version, err := common.NewVersion("6.0.0")
if err != nil {
t.Fatal(err)
}
p := Processor{EsVersion: *version}
- err = p.Process(fields, nil, output)
+ err = p.Process(fields, nil, output, analyzers)
if err != nil {
t.Fatal(err)
}
@@ -610,13 +616,14 @@ func TestProcessNoName(t *testing.T) {
}
output := common.MapStr{}
+ analyzers := common.MapStr{}
version, err := common.NewVersion("6.0.0")
if err != nil {
t.Fatal(err)
}
p := Processor{EsVersion: *version}
- err = p.Process(fields, nil, output)
+ err = p.Process(fields, nil, output, analyzers)
if err != nil {
t.Fatal(err)
}
@@ -737,7 +744,8 @@ func TestProcessDefaultField(t *testing.T) {
p := Processor{EsVersion: *version}
output := common.MapStr{}
- if err = p.Process(fields, nil, output); err != nil {
+ analyzers := common.MapStr{}
+ if err = p.Process(fields, nil, output, analyzers); err != nil {
t.Fatal(err)
}
@@ -771,13 +779,14 @@ func TestProcessWildcardOSS(t *testing.T) {
}
output := common.MapStr{}
+ analyzers := common.MapStr{}
version, err := common.NewVersion("8.0.0")
if err != nil {
t.Fatal(err)
}
p := Processor{EsVersion: *version}
- err = p.Process(fields, nil, output)
+ err = p.Process(fields, nil, output, analyzers)
if err != nil {
t.Fatal(err)
}
@@ -813,13 +822,14 @@ func TestProcessWildcardElastic(t *testing.T) {
}
output := common.MapStr{}
+ analyzers := common.MapStr{}
version, err := common.NewVersion("8.0.0")
if err != nil {
t.Fatal(err)
}
p := Processor{EsVersion: *version, ElasticLicensed: true}
- err = p.Process(fields, nil, output)
+ err = p.Process(fields, nil, output, analyzers)
if err != nil {
t.Fatal(err)
}
@@ -855,13 +865,14 @@ func TestProcessWildcardPreSupport(t *testing.T) {
}
output := common.MapStr{}
+ analyzers := common.MapStr{}
version, err := common.NewVersion("7.8.0")
if err != nil {
t.Fatal(err)
}
p := Processor{EsVersion: *version, ElasticLicensed: true}
- err = p.Process(fields, nil, output)
+ err = p.Process(fields, nil, output, analyzers)
if err != nil {
t.Fatal(err)
}
@@ -896,13 +907,14 @@ func TestProcessNestedSupport(t *testing.T) {
}
output := common.MapStr{}
+ analyzers := common.MapStr{}
version, err := common.NewVersion("7.8.0")
if err != nil {
t.Fatal(err)
}
p := Processor{EsVersion: *version, ElasticLicensed: true}
- err = p.Process(fields, nil, output)
+ err = p.Process(fields, nil, output, analyzers)
if err != nil {
t.Fatal(err)
}
@@ -931,13 +943,14 @@ func TestProcessNestedSupportNoSubfields(t *testing.T) {
}
output := common.MapStr{}
+ analyzers := common.MapStr{}
version, err := common.NewVersion("7.8.0")
if err != nil {
t.Fatal(err)
}
p := Processor{EsVersion: *version, ElasticLicensed: true}
- err = p.Process(fields, nil, output)
+ err = p.Process(fields, nil, output, analyzers)
if err != nil {
t.Fatal(err)
}
diff --git a/libbeat/template/template.go b/libbeat/template/template.go
index 8ed8886e919..291d128d0f4 100644
--- a/libbeat/template/template.go
+++ b/libbeat/template/template.go
@@ -156,12 +156,13 @@ func (t *Template) load(fields mapping.Fields) (common.MapStr, error) {
// Start processing at the root
properties := common.MapStr{}
+ analyzers := common.MapStr{}
processor := Processor{EsVersion: t.esVersion, ElasticLicensed: t.elasticLicensed, Migration: t.migration}
- if err := processor.Process(fields, nil, properties); err != nil {
+ if err := processor.Process(fields, nil, properties, analyzers); err != nil {
return nil, err
}
- output := t.Generate(properties, processor.dynamicTemplates)
+ output := t.Generate(properties, analyzers, processor.dynamicTemplates)
return output, nil
}
@@ -188,7 +189,7 @@ func (t *Template) LoadBytes(data []byte) (common.MapStr, error) {
// LoadMinimal loads the template only with the given configuration
func (t *Template) LoadMinimal() (common.MapStr, error) {
- m := common.MapStr{}
+ var m common.MapStr
switch t.templateType {
case IndexTemplateLegacy:
m = t.loadMinimalLegacy()
@@ -249,21 +250,21 @@ func (t *Template) GetPattern() string {
// Generate generates the full template
// The default values are taken from the default variable.
-func (t *Template) Generate(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
+func (t *Template) Generate(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
switch t.templateType {
case IndexTemplateLegacy:
- return t.generateLegacy(properties, dynamicTemplates)
+ return t.generateLegacy(properties, analyzers, dynamicTemplates)
case IndexTemplateComponent:
- return t.generateComponent(properties, dynamicTemplates)
+ return t.generateComponent(properties, analyzers, dynamicTemplates)
case IndexTemplateIndex:
- return t.generateIndex(properties, dynamicTemplates)
+ return t.generateIndex(properties, analyzers, dynamicTemplates)
}
return nil
}
-func (t *Template) generateLegacy(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
+func (t *Template) generateLegacy(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern())
- return common.MapStr{
+ m := common.MapStr{
keyPattern: patterns,
"order": t.order,
"mappings": buildMappings(
@@ -278,10 +279,14 @@ func (t *Template) generateLegacy(properties common.MapStr, dynamicTemplates []c
),
},
}
+ if len(analyzers) != 0 {
+ m.Put("settings.analysis.analyzer", analyzers)
+ }
+ return m
}
-func (t *Template) generateComponent(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
- return common.MapStr{
+func (t *Template) generateComponent(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
+ m := common.MapStr{
"template": common.MapStr{
"mappings": buildMappings(
t.beatVersion, t.esVersion, t.beatName,
@@ -296,10 +301,14 @@ func (t *Template) generateComponent(properties common.MapStr, dynamicTemplates
},
},
}
+ if len(analyzers) != 0 {
+ m.Put("settings.analysis.analyzer", analyzers)
+ }
+ return m
}
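Review bot: In `generateComponent` the analyzers are written with `m.Put("settings.analysis.analyzer", analyzers)`, which creates a top-level `settings` key, while the visible context nests the component's `mappings` under `template`; if the rest of this function keeps its settings under `template.settings` (not visible here), the analyzer settings land outside the template body, and `generateIndex`, which builds on this result, inherits the same placement. The legacy generator's top-level `settings` is right for that format, so only the component path needs checking, presumably `m.Put("template.settings.analysis.analyzer", analyzers)`. Both Put calls also discard the error return. generateComponent's body starts before the hunk.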
-func (t *Template) generateIndex(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
- tmpl := t.generateComponent(properties, dynamicTemplates)
+func (t *Template) generateIndex(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr {
+ tmpl := t.generateComponent(properties, analyzers, dynamicTemplates)
tmpl["priority"] = t.priority
keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern())
tmpl[keyPattern] = patterns
diff --git a/libbeat/template/template_test.go b/libbeat/template/template_test.go
index b969c4da670..27223ecf6bd 100644
--- a/libbeat/template/template_test.go
+++ b/libbeat/template/template_test.go
@@ -143,7 +143,7 @@ func createTestTemplate(t *testing.T, beatVersion, esVersion string, config Temp
t.Fatalf("Failed to create the template: %+v", err)
}
- return &testTemplate{t: t, tmpl: template, data: template.Generate(nil, nil)}
+ return &testTemplate{t: t, tmpl: template, data: template.Generate(nil, nil, nil)}
}
func (t *testTemplate) Has(path string) bool {
diff --git a/libbeat/tests/system/base.py b/libbeat/tests/system/base.py
index 7fd9f1dbb49..a768d80e31e 100644
--- a/libbeat/tests/system/base.py
+++ b/libbeat/tests/system/base.py
@@ -1,9 +1,11 @@
import os
+from datetime import datetime
from beat.beat import TestCase
from elasticsearch import Elasticsearch, NotFoundError
class BaseTest(TestCase):
+ today = datetime.now().strftime("%Y%m%d")
@classmethod
def setUpClass(self):
diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py
index 195741b1d31..e7a2c60640a 100644
--- a/libbeat/tests/system/beat/beat.py
+++ b/libbeat/tests/system/beat/beat.py
@@ -119,6 +119,7 @@ def __del__(self):
class TestCase(unittest.TestCase, ComposeMixin):
+ today = datetime.now().strftime("%Y%m%d")
@classmethod
def setUpClass(self):
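Review bot: `today = datetime.now().strftime("%Y%m%d")` is evaluated once when the class is defined, so a test session that crosses midnight will look for a file name whose date no longer matches what the running beat writes, and the same expression is duplicated in base.py's `BaseTest` in this change. Computing the name in one helper, e.g. `def _default_output(self): return self.beat_name + "-" + self.today + ".ndjson"` with `today` recorded when the beat is started, also removes the ten near-identical concatenations added in the later hunks of this file. The class body continues outside the hunk.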
@@ -207,7 +208,7 @@ def start_beat(self,
config = self.beat_name + ".yml"
if output is None:
- output = self.beat_name + ".log"
+ output = self.beat_name + "-" + self.today + ".ndjson"
args = [cmd, "-systemTest"]
if os.getenv("TEST_COVERAGE") == "true":
@@ -264,7 +265,7 @@ def read_output(self,
# Init defaults
if output_file is None:
- output_file = "output/" + self.beat_name
+ output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson"
jsons = []
with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f:
@@ -288,7 +289,7 @@ def read_output_json(self, output_file=None):
# Init defaults
if output_file is None:
- output_file = "output/" + self.beat_name
+ output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson"
jsons = []
with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f:
@@ -368,7 +369,7 @@ def get_log(self, logfile=None):
Returns the log as a string.
"""
if logfile is None:
- logfile = self.beat_name + ".log"
+ logfile = self.beat_name + "-" + self.today + ".ndjson"
with open(os.path.join(self.working_dir, logfile), 'r', encoding="utf_8") as f:
data = f.read()
@@ -380,7 +381,7 @@ def get_log_lines(self, logfile=None):
Returns the log lines as a list of strings
"""
if logfile is None:
- logfile = self.beat_name + ".log"
+ logfile = self.beat_name + "-" + self.today + ".ndjson"
with open(os.path.join(self.working_dir, logfile), 'r', encoding="utf_8") as f:
data = f.readlines()
@@ -417,8 +418,9 @@ def log_contains_count(self, msg, logfile=None, ignore_case=False):
# Init defaults
if logfile is None:
- logfile = self.beat_name + ".log"
+ logfile = self.beat_name + "-" + self.today + ".ndjson"
+ print("logfile", logfile, self.working_dir)
try:
with open(os.path.join(self.working_dir, logfile), "r", encoding="utf_8") as f:
for line in f:
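Review bot: `print("logfile", logfile, self.working_dir)` and the `print(e)` added in the next hunk look like leftover debugging output; they write to stdout on every call of `log_contains_count`, including the expected-miss case that the `IOError` branch deliberately maps to `-1`. Drop both lines, or route them through the test logger if the diagnostic is wanted.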
@@ -430,7 +432,8 @@ def log_contains_count(self, msg, logfile=None, ignore_case=False):
line = line.lower()
if line.find(msg) >= 0:
counter = counter + 1
- except IOError:
+ except IOError as e:
+ print(e)
counter = -1
return counter
@@ -442,7 +445,7 @@ def log_contains_countmap(self, pattern, capture_group, logfile=None):
counts = {}
if logfile is None:
- logfile = self.beat_name + ".log"
+ logfile = self.beat_name + "-" + self.today + ".ndjson"
try:
with open(os.path.join(self.working_dir, logfile), "r", encoding="utf_8") as f:
@@ -462,7 +465,7 @@ def log_contains_countmap(self, pattern, capture_group, logfile=None):
def output_lines(self, output_file=None):
""" Count number of lines in a file."""
if output_file is None:
- output_file = "output/" + self.beat_name
+ output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson"
try:
with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f:
@@ -477,7 +480,7 @@ def output_has(self, lines, output_file=None):
# Init defaults
if output_file is None:
- output_file = "output/" + self.beat_name
+ output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson"
try:
with open(os.path.join(self.working_dir, output_file, ), "r", encoding="utf_8") as f:
@@ -492,7 +495,7 @@ def output_is_empty(self, output_file=None):
# Init defaults
if output_file is None:
- output_file = "output/" + self.beat_name
+ output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson"
try:
with open(os.path.join(self.working_dir, output_file, ), "r", encoding="utf_8") as f:
@@ -656,7 +659,7 @@ def output_count(self, pred, output_file=None):
# Init defaults
if output_file is None:
- output_file = "output/" + self.beat_name
+ output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson"
try:
with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f:
diff --git a/libbeat/tests/system/requirements_aix.txt b/libbeat/tests/system/requirements_aix.txt
new file mode 100644
index 00000000000..9b9df31aa37
--- /dev/null
+++ b/libbeat/tests/system/requirements_aix.txt
@@ -0,0 +1,48 @@
+attrs==19.3.0
+autopep8==1.5.4
+backports.ssl-match-hostname==3.5.0.1
+cached-property==1.4.2
+certifi==2018.1.18
+chardet==3.0.4
+deepdiff==4.2.0
+docker==4.1.0
+docker-pycreds==0.4.0
+dockerpty==0.4.1
+docopt==0.6.2
+elasticsearch==7.8.1
+enum34==1.1.6
+idna==2.6
+importlib-metadata==1.7.0
+iniconfig==1.0.1
+ipaddress==1.0.19
+Jinja2==2.11.2
+jsondiff==1.1.2
+jsonschema==3.2.0
+kafka-python==1.4.3
+MarkupSafe==1.1.1
+more-itertools==8.4.0
+ordered-set==3.1.1
+packaging==20.4
+parameterized==0.7.0
+pluggy==0.13.1
+py==1.10.0
+pycodestyle==2.6.0
+pyparsing==2.4.7
+pyrsistent==0.16.0
+pytest==6.2.4
+pytest-rerunfailures==9.1.1
+pytest-timeout==1.4.2
+PyYAML==5.4.1
+redis==2.10.6
+requests==2.25.1
+semver==2.8.1
+setuptools==47.3.2
+six==1.15.0
+stomp.py==4.1.22
+termcolor==1.1.0
+texttable==0.9.1
+toml==0.10.1
+urllib3==1.26.5
+wcwidth==0.2.5
+websocket-client==0.47.0
+zipp>=1.2.0,<=3.1.0
\ No newline at end of file
diff --git a/libbeat/tests/system/template/template.go b/libbeat/tests/system/template/template.go
index 09c9e0dcb19..ed284a6ff79 100644
--- a/libbeat/tests/system/template/template.go
+++ b/libbeat/tests/system/template/template.go
@@ -63,7 +63,7 @@ func testTemplateDefaultFieldLength(beatName string, elasticLicensed bool) func(
t.Fatal("Failed to load template bytes:", err)
}
- templateMap := tmpl.Generate(fields, nil)
+ templateMap := tmpl.Generate(fields, nil, nil)
v, _ := templateMap.GetValue("settings.index.query.default_field")
defaultValue, ok := v.([]string)
diff --git a/libbeat/tests/system/test_base.py b/libbeat/tests/system/test_base.py
index 97615e7ec00..fbb8b324f16 100644
--- a/libbeat/tests/system/test_base.py
+++ b/libbeat/tests/system/test_base.py
@@ -165,8 +165,7 @@ def run():
# remove log, restart beat and check meta file did not change
# and same UUID is used in log output.
-
- os.remove(os.path.join(self.working_dir, "mockbeat.log"))
+ os.remove(os.path.join(self.working_dir, "mockbeat-" + self.today + ".ndjson"))
meta1 = run()
assert self.log_contains("Beat ID: {}".format(meta1["uuid"]))
diff --git a/libbeat/tests/system/test_http.py b/libbeat/tests/system/test_http.py
index 5c1baa81bd2..76e5b40b181 100644
--- a/libbeat/tests/system/test_http.py
+++ b/libbeat/tests/system/test_http.py
@@ -47,3 +47,10 @@ def test_error(self):
"""
r = requests.get("http://localhost:5066/not-exist")
assert r.status_code == 404
+
+ def test_pprof_disabled(self):
+ """
+ Test /debug/pprof/ http endpoint
+ """
+ r = requests.get("http://localhost:5066/debug/pprof/")
+ assert r.status_code == 404
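Review bot: The docstring `Test /debug/pprof/ http endpoint` on test_pprof_disabled does not say which behavior is being pinned; since the assertion is that the endpoint answers 404 under this class's default configuration, `"""/debug/pprof/ must not be served unless http.pprof.enabled is set"""` states the intent (pprof is opt-in) and distinguishes it from the positive tests in test_http_pprof.py. It would also be worth asserting in the same test that a known stats path on port 5066 still answers, so a 404 cannot simply mean the HTTP server is not up; if the class's setUp (outside this hunk) already waits for the endpoint, a one-line comment saying so is enough.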
diff --git a/libbeat/tests/system/test_http_pprof.py b/libbeat/tests/system/test_http_pprof.py
new file mode 100644
index 00000000000..0276206fc9a
--- /dev/null
+++ b/libbeat/tests/system/test_http_pprof.py
@@ -0,0 +1,39 @@
+from base import BaseTest
+
+import requests
+import json
+
+
+class Test(BaseTest):
+ def setUp(self):
+ super(BaseTest, self).setUp()
+ self.render_config_template()
+ self.proc = self.start_beat(extra_args=["-E", "http.enabled=true", "-E", "http.pprof.enabled=true"])
+ self.wait_until(lambda: self.log_contains("Starting stats endpoint"))
+
+ def tearDown(self):
+ super(BaseTest, self).tearDown()
+ # Wait till the beat is completely started so it can handle SIGTERM
+ self.wait_until(lambda: self.log_contains("mockbeat start running."))
+ self.proc.check_kill_and_wait()
+
+ def test_pprof(self):
+ """
+ Test /debug/pprof/ http endpoint
+ """
+ r = requests.get("http://localhost:5066/debug/pprof/")
+ assert r.status_code == 200
+
+ def test_pprof_cmdline(self):
+ """
+ Test /debug/pprof/cmdline http endpoint
+ """
+ r = requests.get("http://localhost:5066/debug/pprof/cmdline")
+ assert r.status_code == 200
+
+ def test_pprof_error(self):
+ """
+ Test not existing http endpoint
+ """
+ r = requests.get("http://localhost:5066/debug/pprof/not-exist")
+ assert r.status_code == 404
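Review bot: `super(BaseTest, self).setUp()` at the top of setUp, and the matching call in tearDown, start method resolution after BaseTest, so BaseTest's own setUp and tearDown are skipped; unless that is deliberate, `super(Test, self).setUp()` (or `super().setUp()`) is what is intended, and the same applies to tearDown. `import json` is unused in this file. The three tests only check status codes and their docstrings repeat the URL; stating what is pinned, e.g. `"""With http.pprof.enabled=true the pprof index is served (200)"""`, would make the pair with test_pprof_disabled in test_http.py read as one contract.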
diff --git a/libbeat/tests/system/test_logging.py b/libbeat/tests/system/test_logging.py
index 4295bfd1776..4380e25b55c 100644
--- a/libbeat/tests/system/test_logging.py
+++ b/libbeat/tests/system/test_logging.py
@@ -39,11 +39,11 @@ def test_file_default(self):
"""
self.run_beat_with_args("Mockbeat is alive!",
logging_args=[])
- self.assert_contains_ecs_log(logfile="logs/mockbeat")
+ self.assert_contains_ecs_log(logfile="logs/mockbeat-"+self.today+".ndjson")
def test_file_ecs(self):
"""
logs to file with ECS format
"""
self.run_beat_with_args("Mockbeat is alive!")
- self.assert_contains_ecs_log(logfile="logs/mockbeat")
+ self.assert_contains_ecs_log(logfile="logs/mockbeat-"+self.today+".ndjson")
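Review bot: `"logs/mockbeat-"+self.today+".ndjson"` omits the spaces around `+` that PEP 8 asks for and that the rest of this change uses (`"-" + self.today + ".ndjson"`), and the same literal appears in both test_file_default and test_file_ecs. Writing `self.assert_contains_ecs_log(logfile="logs/mockbeat-" + self.today + ".ndjson")` in both places, or computing the name once in a small helper, keeps the file consistent with the other test modules in this diff.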
diff --git a/libbeat/tests/system/test_umask.py b/libbeat/tests/system/test_umask.py
index e78214e2d9c..d6a7b7f391c 100644
--- a/libbeat/tests/system/test_umask.py
+++ b/libbeat/tests/system/test_umask.py
@@ -30,7 +30,7 @@ def test_output_file_perms(self):
"""
Test that output file permissions respect default umask
"""
- output_file_path = os.path.join(self.working_dir, "output", "mockbeat")
+ output_file_path = os.path.join(self.working_dir, "output", "mockbeat-" + self.today + ".ndjson")
perms = stat.S_IMODE(os.lstat(output_file_path).st_mode)
self.assertEqual(perms, self.output_file_permissions & ~TestUmask.DEFAULT_UMASK)
diff --git a/metricbeat/docs/autodiscover-hints.asciidoc b/metricbeat/docs/autodiscover-hints.asciidoc
index 68ee45f5901..240296751cb 100644
--- a/metricbeat/docs/autodiscover-hints.asciidoc
+++ b/metricbeat/docs/autodiscover-hints.asciidoc
@@ -161,7 +161,7 @@ annotations:
-------------------------------------------------------------------------------------
The above configuration would spin up two metricbeat module configurations to ensure that the endpoint "/metrics/p1" is
-polled every 60s whereas the "/metrics" endpoint is polled every 60s.
+polled every 5s whereas the "/metrics" endpoint is polled every 60s.
[float]
===== Namespace Defaults
diff --git a/metricbeat/docs/autodiscover-kubernetes-config.asciidoc b/metricbeat/docs/autodiscover-kubernetes-config.asciidoc
index 6c01fd03083..dfabef89b72 100644
--- a/metricbeat/docs/autodiscover-kubernetes-config.asciidoc
+++ b/metricbeat/docs/autodiscover-kubernetes-config.asciidoc
@@ -67,7 +67,7 @@ where `REDIS_PASSWORD` is a key stored in local keystore of Metricbeat.
[float]
===== Kubernetes Secrets
Metricbeat autodiscover supports leveraging https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes secrets]
-in order to retrieve sensitive data like passwords. In order to enable this future add the following section
+in order to retrieve sensitive data like passwords. In order to enable this feature add the following section
in Metricbeat's `ClusterRole` rules:
["source","yaml",subs="attributes"]
@@ -80,8 +80,8 @@ in Metricbeat's `ClusterRole` rules:
CAUTION: The above rule will give permission to Metricbeat Pod to access Kubernetes Secrets API.
This means that anyone who have access to Metricbeat Pod (`kubectl exec` for example) will be able to access
-Kubernetes Secrets API and get a specific secret no matter which namespace it belongs to. In this,
-this option should be carefully considered, specially when used with hints.
+Kubernetes Secrets API and get a specific secret no matter which namespace it belongs to.
+This option should be carefully considered, specially when used with hints.
One option to give permissions only for one namespace, and not cluster-scoped, is to use
a specific Role for a targeted namespace so as to better control access:
@@ -126,7 +126,7 @@ where `kubernetes.default.somesecret.value` specifies a key stored as Kubernetes
. Kubernetes Secret Name: `somesecret`
. Secret Data Key: `value`
-This secret can be created in a Kubernetes environment using the following the command:
+This secret can be created in a Kubernetes environment using the following command:
["source","yaml",subs="attributes"]
-------------------------------------------------------------------------------------
cat << EOF | kubectl apply -f -
diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc
index cba51ff349f..886ec623bbc 100644
--- a/metricbeat/docs/fields.asciidoc
+++ b/metricbeat/docs/fields.asciidoc
@@ -6736,7 +6736,7 @@ alias to: beat.stats.apm_server.acm.response.errors.unauthorized
--
type: alias
-alias to: beat.stats.beat.host
+alias to: beat.stats.info.host
--
@@ -6745,7 +6745,7 @@ alias to: beat.stats.beat.host
--
type: alias
-alias to: beat.stats.beat.name
+alias to: beat.stats.info.name
--
@@ -6754,7 +6754,7 @@ alias to: beat.stats.beat.name
--
type: alias
-alias to: beat.stats.beat.type
+alias to: beat.stats.info.type
--
@@ -6763,7 +6763,7 @@ alias to: beat.stats.beat.type
--
type: alias
-alias to: beat.stats.beat.uuid
+alias to: beat.stats.info.uuid
--
@@ -6772,7 +6772,7 @@ alias to: beat.stats.beat.uuid
--
type: alias
-alias to: beat.stats.beat.version
+alias to: beat.stats.info.version
--
@@ -8273,35 +8273,35 @@ type: long
--
-*`beat.stats.beat.name`*::
+*`beat.stats.info.name`*::
+
--
type: keyword
--
-*`beat.stats.beat.host`*::
+*`beat.stats.info.host`*::
+
--
type: keyword
--
-*`beat.stats.beat.type`*::
+*`beat.stats.info.type`*::
+
--
type: keyword
--
-*`beat.stats.beat.uuid`*::
+*`beat.stats.info.uuid`*::
+
--
type: keyword
--
-*`beat.stats.beat.version`*::
+*`beat.stats.info.version`*::
+
--
type: keyword
@@ -52790,10 +52790,40 @@ Openmetrics module
+*`openmetrics.help`*::
++
+--
+Brief description of the MetricFamily
+
+
+type: keyword
+
+--
+
+*`openmetrics.type`*::
++
+--
+Metric type
+
+
+type: keyword
+
+--
+
+*`openmetrics.unit`*::
++
+--
+Metric unit
+
+
+type: keyword
+
+--
+
*`openmetrics.labels.*`*::
+
--
-Prometheus metric labels
+Openmetrics metric labels
type: object
@@ -52803,7 +52833,27 @@ type: object
*`openmetrics.metrics.*`*::
+
--
-Prometheus metric
+Openmetrics metric
+
+
+type: object
+
+--
+
+*`openmetrics.exemplar.*`*::
++
+--
+Openmetrics exemplars
+
+
+type: object
+
+--
+
+*`openmetrics.exemplar.labels.*`*::
++
+--
+Openmetrics metric exemplar labels
type: object
@@ -58924,7 +58974,7 @@ type: keyword
*`system.filesystem.type`*::
+
--
-The disk type. For example: `ext4`
+The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks).
type: keyword
diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc
index 06000e77291..2b184916aa9 100644
--- a/metricbeat/docs/modules/openmetrics/collector.asciidoc
+++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc
@@ -9,6 +9,7 @@ beta[]
include::../../../module/openmetrics/collector/_meta/docs.asciidoc[]
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
==== Fields
diff --git a/metricbeat/helper/openmetrics/label.go b/metricbeat/helper/openmetrics/label.go
new file mode 100644
index 00000000000..0f0a69054dd
--- /dev/null
+++ b/metricbeat/helper/openmetrics/label.go
@@ -0,0 +1,59 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+// LabelMap defines the mapping from OpenMetrics label to a Metricbeat field
+type LabelMap interface {
+ // GetField returns the resulting field name
+ GetField() string
+
+ // IsKey returns true if the label is a key label
+ IsKey() bool
+}
+
+// Label maps a OpenMetrics label to a Metricbeat field
+func Label(field string) LabelMap {
+ return &commonLabel{
+ field: field,
+ key: false,
+ }
+}
+
+// KeyLabel maps a OpenMetrics label to a Metricbeat field. The label is flagged as key.
+// Metrics with the same tuple of key labels will be grouped in the same event.
+func KeyLabel(field string) LabelMap {
+ return &commonLabel{
+ field: field,
+ key: true,
+ }
+}
+
+type commonLabel struct {
+ field string
+ key bool
+}
+
+// GetField returns the resulting field name
+func (l *commonLabel) GetField() string {
+ return l.field
+}
+
+// IsKey returns true if the label is a key label
+func (l *commonLabel) IsKey() bool {
+ return l.key
+}
diff --git a/metricbeat/helper/openmetrics/metric.go b/metricbeat/helper/openmetrics/metric.go
new file mode 100644
index 00000000000..4907ab59c9e
--- /dev/null
+++ b/metricbeat/helper/openmetrics/metric.go
@@ -0,0 +1,495 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+import (
+ "fmt"
+ "math"
+ "strconv"
+ "strings"
+ "time"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+)
+
+// MetricMap defines the mapping from Openmetrics metric to a Metricbeat field
+type MetricMap interface {
+ // GetOptions returns the list of metric options
+ GetOptions() []MetricOption
+
+ // GetField returns the resulting field name
+ GetField() string
+
+ // GetValue returns the resulting value
+ GetValue(m *OpenMetric) interface{}
+ GetNilValue() interface{}
+
+ // GetConfiguration returns the configuration for the metric
+ GetConfiguration() Configuration
+}
+
+// Configuration for mappings that needs extended treatment
+type Configuration struct {
+ // StoreNonMappedLabels indicates if labels found at the metric that are
+ // not found at the label map should be part of the resulting event.
+ // This setting should be used when the label name is not known beforehand
+ StoreNonMappedLabels bool
+ // NonMappedLabelsPlacement is used when StoreNonMappedLabels is set to true, and
+ // defines the key path at the event under which to store the dynamically found labels.
+ // This key path will be added to the events that match this metric along with a subset of
+ // key/value pairs will be created under it, one for each non mapped label found.
+ //
+ // Example:
+ //
+ // given a metric family in a Openmetrics resource in the form:
+ // metric1{label1="value1",label2="value2"} 1
+ // and not mapping labels but using this entry on a the MetricMap definition:
+ // "metric1": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "mypath"}),
+ // would output an event that contains a metricset field as follows
+ // "mypath": {"label1":"value1","label2":"value2"}
+ //
+ NonMappedLabelsPlacement string
+ // MetricProcessing options are a set of functions that will be
+ // applied to metrics after they are retrieved
+ MetricProcessingOptions []MetricOption
+ // ExtraFields is used to add fields to the
+ // event where this metric is included
+ ExtraFields common.MapStr
+}
+
+// MetricOption adds settings to Metric objects behavior
+type MetricOption interface {
+ // Process a tuple of field, value and labels from a metric, return the same tuple updated
+ Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr)
+}
+
+// OpFilterMap only processes metrics matching the given filter
+func OpFilterMap(label string, filterMap map[string]string) MetricOption {
+ return opFilterMap{
+ label: label,
+ filterMap: filterMap,
+ }
+}
+
+// OpLowercaseValue lowercases the value if it's a string
+func OpLowercaseValue() MetricOption {
+ return opLowercaseValue{}
+}
+
+// OpUnixTimestampValue parses a value into a Unix timestamp
+func OpUnixTimestampValue() MetricOption {
+ return opUnixTimestampValue{}
+}
+
+// OpMultiplyBuckets multiplies bucket labels in histograms, useful to change units
+func OpMultiplyBuckets(multiplier float64) MetricOption {
+ return opMultiplyBuckets{
+ multiplier: multiplier,
+ }
+}
+
+// OpSetSuffix extends the field's name with the given suffix if the value of the metric
+// is numeric (and not histogram or quantile), otherwise does nothing
+func OpSetNumericMetricSuffix(suffix string) MetricOption {
+ return opSetNumericMetricSuffix{
+ suffix: suffix,
+ }
+}
+
+// Metric directly maps a Openmetrics metric to a Metricbeat field
+func Metric(field string, options ...MetricOption) MetricMap {
+ return &commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ }
+}
+
+// KeywordMetric maps a Openmetrics metric to a Metricbeat field, stores the
+// given keyword when source metric value is 1
+func KeywordMetric(field, keyword string, options ...MetricOption) MetricMap {
+ return &keywordMetric{
+ commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ keyword,
+ }
+}
+
+// BooleanMetric maps a Openmetrics metric to a Metricbeat field of bool type
+func BooleanMetric(field string, options ...MetricOption) MetricMap {
+ return &booleanMetric{
+ commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ }
+}
+
+// LabelMetric maps a Openmetrics metric to a Metricbeat field, stores the value
+// of a given label on it if the gauge value is 1
+func LabelMetric(field, label string, options ...MetricOption) MetricMap {
+ return &labelMetric{
+ commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ label,
+ }
+}
+
+// InfoMetric obtains info labels from the given metric and puts them
+// into events matching all the key labels present in the metric
+func InfoMetric(options ...MetricOption) MetricMap {
+ return &infoMetric{
+ commonMetric{
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ }
+}
+
+// ExtendedInfoMetric obtains info labels from the given metric and puts them
+// into events matching all the key labels present in the metric
+func ExtendedInfoMetric(configuration Configuration) MetricMap {
+ return &infoMetric{
+ commonMetric{
+ config: configuration,
+ },
+ }
+}
+
+// ExtendedMetric is a metric item that allows extended behaviour
+// through configuration
+func ExtendedMetric(field string, configuration Configuration) MetricMap {
+ return &commonMetric{
+ field: field,
+ config: configuration,
+ }
+}
+
+type commonMetric struct {
+ field string
+ config Configuration
+}
+
+// GetOptions returns the list of metric options
+func (m *commonMetric) GetOptions() []MetricOption {
+ return m.config.MetricProcessingOptions
+}
+
+// GetField returns the resulting field name
+func (m *commonMetric) GetField() string {
+ return m.field
+}
+
+// GetConfiguration returns the configuration for the metric
+func (m *commonMetric) GetConfiguration() Configuration {
+ return m.config
+}
+func (m *commonMetric) GetNilValue() interface{} {
+ return nil
+}
+
+// GetValue returns the resulting value
+func (m *commonMetric) GetValue(metric *OpenMetric) interface{} {
+ info := metric.GetInfo()
+ if info != nil {
+ if info.HasValidValue() {
+ return info.GetValue()
+ }
+ }
+
+ stateset := metric.GetStateset()
+ if stateset != nil {
+ if stateset.HasValidValue() {
+ return stateset.GetValue()
+ }
+ }
+
+ unknown := metric.GetUnknown()
+ if unknown != nil {
+ if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) {
+ return int64(unknown.GetValue())
+ }
+ }
+
+ counter := metric.GetCounter()
+ if counter != nil {
+ if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) {
+ return int64(counter.GetValue())
+ }
+ }
+
+ gauge := metric.GetGauge()
+ if gauge != nil {
+ if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) {
+ return gauge.GetValue()
+ }
+ }
+
+ summary := metric.GetSummary()
+ if summary != nil {
+ value := common.MapStr{}
+ if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) {
+ value["sum"] = summary.GetSampleSum()
+ value["count"] = summary.GetSampleCount()
+ }
+
+ quantiles := summary.GetQuantile()
+ percentileMap := common.MapStr{}
+ for _, quantile := range quantiles {
+ if !math.IsNaN(quantile.GetValue()) && !math.IsInf(quantile.GetValue(), 0) {
+ key := strconv.FormatFloat(100*quantile.GetQuantile(), 'f', -1, 64)
+ percentileMap[key] = quantile.GetValue()
+ }
+ }
+
+ if len(percentileMap) != 0 {
+ value["percentile"] = percentileMap
+ }
+
+ return value
+ }
+
+ histogram := metric.GetHistogram()
+ if histogram != nil {
+ value := common.MapStr{}
+ if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) {
+ value["sum"] = histogram.GetSampleSum()
+ value["count"] = histogram.GetSampleCount()
+ }
+
+ buckets := histogram.GetBucket()
+ bucketMap := common.MapStr{}
+ for _, bucket := range buckets {
+ if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) {
+ key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64)
+ bucketMap[key] = bucket.GetCumulativeCount()
+ }
+ }
+
+ if len(bucketMap) != 0 {
+ value["bucket"] = bucketMap
+ }
+
+ return value
+ }
+
+ gaugehistogram := metric.GetGaugeHistogram()
+ if gaugehistogram != nil {
+ value := common.MapStr{}
+ if !math.IsNaN(gaugehistogram.GetSampleSum()) && !math.IsInf(gaugehistogram.GetSampleSum(), 0) {
+ value["gsum"] = gaugehistogram.GetSampleSum()
+ value["gcount"] = gaugehistogram.GetSampleCount()
+ }
+
+ buckets := gaugehistogram.GetBucket()
+ bucketMap := common.MapStr{}
+ for _, bucket := range buckets {
+ if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) {
+ key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64)
+ bucketMap[key] = bucket.GetCumulativeCount()
+ }
+ }
+
+ if len(bucketMap) != 0 {
+ value["bucket"] = bucketMap
+ }
+
+ return value
+ }
+
+ // Other types are not supported here
+ return nil
+}
+
+type keywordMetric struct {
+ commonMetric
+ keyword string
+}
+
+// GetValue returns the resulting value
+func (m *keywordMetric) GetValue(metric *OpenMetric) interface{} {
+ if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 {
+ return m.keyword
+ }
+ return nil
+}
+
+type booleanMetric struct {
+ commonMetric
+}
+
+// GetValue returns the resulting value
+func (m *booleanMetric) GetValue(metric *OpenMetric) interface{} {
+ if gauge := metric.GetGauge(); gauge != nil {
+ return gauge.GetValue() == 1
+ }
+ return nil
+}
+
+type labelMetric struct {
+ commonMetric
+ label string
+}
+
+// GetValue returns the resulting value
+func (m *labelMetric) GetValue(metric *OpenMetric) interface{} {
+ if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 {
+ return getLabel(metric, m.label)
+ }
+ return nil
+}
+
+func getLabel(metric *OpenMetric, name string) string {
+ for _, label := range metric.GetLabel() {
+ if label.Name == name {
+ return label.Value
+ }
+ }
+ return ""
+}
+
+type infoMetric struct {
+ commonMetric
+}
+
+// GetValue returns the resulting value
+func (m *infoMetric) GetValue(metric *OpenMetric) interface{} {
+ return ""
+}
+
+// GetField returns the resulting field name
+func (m *infoMetric) GetField() string {
+ return ""
+}
+
+type opFilterMap struct {
+ label string
+ filterMap map[string]string
+}
+
+// Called by the Openmetrics helper to apply extra options on retrieved metrics
+// Check whether the value of the specified label is allowed and, if yes, return the metric via the specified mapped field
+// Else, if the specified label does not match the filter, return nil
+// This is useful in cases where multiple Metricbeat fields need to be defined per Openmetrics metric, based on label values
+func (o opFilterMap) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ for k, v := range o.filterMap {
+ if labels[o.label] == k {
+ return fmt.Sprintf("%v.%v", field, v), value, labels
+ }
+ }
+ return "", nil, nil
+}
+
+type opLowercaseValue struct{}
+
+// Process will lowercase the given value if it's a string
+func (o opLowercaseValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ if val, ok := value.(string); ok {
+ value = strings.ToLower(val)
+ }
+ return field, value, labels
+}
+
+type opMultiplyBuckets struct {
+ multiplier float64
+}
+
+// Process will multiply the bucket labels if it is an histogram with numeric labels
+func (o opMultiplyBuckets) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ histogram, ok := value.(common.MapStr)
+ if !ok {
+ return field, value, labels
+ }
+ bucket, ok := histogram["bucket"].(common.MapStr)
+ if !ok {
+ return field, value, labels
+ }
+ sum, ok := histogram["sum"].(float64)
+ if !ok {
+ return field, value, labels
+ }
+ multiplied := common.MapStr{}
+ for k, v := range bucket {
+ if f, err := strconv.ParseFloat(k, 64); err == nil {
+ key := strconv.FormatFloat(f*o.multiplier, 'f', -1, 64)
+ multiplied[key] = v
+ } else {
+ multiplied[k] = v
+ }
+ }
+ histogram["bucket"] = multiplied
+ histogram["sum"] = sum * o.multiplier
+ return field, histogram, labels
+}
+
+type opSetNumericMetricSuffix struct {
+ suffix string
+}
+
+// Process will extend the field's name with the given suffix
+func (o opSetNumericMetricSuffix) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ _, ok := value.(float64)
+ if !ok {
+ return field, value, labels
+ }
+ field = fmt.Sprintf("%v.%v", field, o.suffix)
+ return field, value, labels
+}
+
+type opUnixTimestampValue struct {
+}
+
+// Process converts a value in seconds into an unix time
+func (o opUnixTimestampValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ return field, common.Time(time.Unix(int64(value.(float64)), 0)), labels
+}
+
+// OpLabelKeyPrefixRemover removes prefix from label keys
+func OpLabelKeyPrefixRemover(prefix string) MetricOption {
+ return opLabelKeyPrefixRemover{prefix}
+}
+
+// opLabelKeyPrefixRemover is a metric option processor that removes a prefix from the key of a label set
+type opLabelKeyPrefixRemover struct {
+ Prefix string
+}
+
+// Process modifies the labels map, removing a prefix when found at keys of the labels set.
+// For each label, if the key is found a new key will be created hosting the same value and the
+// old key will be deleted.
+// Fields, values and not prefixed labels will remain unmodified.
+func (o opLabelKeyPrefixRemover) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ renameKeys := []string{}
+ for k := range labels {
+ if len(k) < len(o.Prefix) {
+ continue
+ }
+ if k[:6] == o.Prefix {
+ renameKeys = append(renameKeys, k)
+ }
+ }
+
+ for i := range renameKeys {
+ v := labels[renameKeys[i]]
+ delete(labels, renameKeys[i])
+ labels[renameKeys[i][len(o.Prefix):]] = v
+ }
+ return "", value, labels
+}
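Review bot: `if k[:6] == o.Prefix` in opLabelKeyPrefixRemover.Process hard-codes a prefix length of 6, so any prefix of another length never matches (or matches the wrong labels); `if strings.HasPrefix(k, o.Prefix) { renameKeys = append(renameKeys, k) }` replaces both the length guard and the slice, and the method returns `""` as the field although its comment says fields remain unmodified, so `return field, value, labels` looks intended unless callers rely on the empty field. In opUnixTimestampValue.Process the unchecked `value.(float64)` panics for any non-float value, and commonMetric.GetValue hands back `int64` for counters and unknowns, so an endpoint that exposes a timestamp as a counter would crash the metricset; a checked assertion that passes the tuple through unchanged is safer. The `bucket.GetCumulativeCount() != uint64(math.NaN())` comparisons in the histogram and gaugehistogram branches are no-ops (a uint64 cannot hold NaN and the float-to-uint64 conversion of NaN is implementation-defined in Go) and can be dropped. The comment on OpSetNumericMetricSuffix still calls it `OpSetSuffix`, and GetNilValue has no doc comment.
```go
	// … unchanged: opLabelKeyPrefixRemover.Process up to the loop …
	for k := range labels {
		if strings.HasPrefix(k, o.Prefix) {
			renameKeys = append(renameKeys, k)
		}
	}
	// … unchanged: rename loop …
	return field, value, labels
}

// Process converts a value in seconds into a unix time; non-float values are passed through unchanged
func (o opUnixTimestampValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
	seconds, ok := value.(float64)
	if !ok {
		return field, value, labels
	}
	return field, common.Time(time.Unix(int64(seconds), 0)), labels
}
```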
diff --git a/metricbeat/helper/openmetrics/module.go b/metricbeat/helper/openmetrics/module.go
new file mode 100644
index 00000000000..fac374ee1b4
--- /dev/null
+++ b/metricbeat/helper/openmetrics/module.go
@@ -0,0 +1,61 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+import (
+ "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/mb/parse"
+)
+
+const (
+ defaultScheme = "http"
+ defaultPath = "/metrics"
+)
+
+var (
+ // HostParser validates OpenMetrics URLs
+ HostParser = parse.URLHostParserBuilder{
+ DefaultScheme: defaultScheme,
+ DefaultPath: defaultPath,
+ }.Build()
+)
+
+// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using the given mapping
+func MetricSetBuilder(mapping *MetricsMapping) func(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ return func(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ openmetrics, err := NewOpenMetricsClient(base)
+ if err != nil {
+ return nil, err
+ }
+ return &openmetricsMetricSet{
+ BaseMetricSet: base,
+ openmetrics: openmetrics,
+ mapping: mapping,
+ }, nil
+ }
+}
+
+type openmetricsMetricSet struct {
+ mb.BaseMetricSet
+ openmetrics OpenMetrics
+ mapping *MetricsMapping
+}
+
+func (m *openmetricsMetricSet) Fetch(r mb.ReporterV2) error {
+ return m.openmetrics.ReportProcessedMetrics(m.mapping, r)
+}
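Review bot: Fetch has no doc comment, unlike the other exported identifiers in this file; `// Fetch reports the metrics described by m.mapping through r, delegating to the OpenMetrics client's ReportProcessedMetrics.` states what the single call does without claiming more. The MetricSetBuilder comment could also mention that NewOpenMetricsClient runs once per metricset instance, so a client construction error surfaces when the metricset is built rather than on the first Fetch.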
diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go
new file mode 100644
index 00000000000..9e4abc6428b
--- /dev/null
+++ b/metricbeat/helper/openmetrics/openmetrics.go
@@ -0,0 +1,1000 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+import (
+ "compress/gzip"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "math"
+ "mime"
+ "net/http"
+ "regexp"
+ "strconv"
+ "strings"
+ "time"
+
+ "github.com/prometheus/common/model"
+
+ "github.com/prometheus/prometheus/pkg/exemplar"
+ "github.com/prometheus/prometheus/pkg/labels"
+ "github.com/prometheus/prometheus/pkg/textparse"
+ "github.com/prometheus/prometheus/pkg/timestamp"
+
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/logp"
+ "github.com/elastic/beats/v7/metricbeat/helper"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+)
+
+const acceptHeader = `application/openmetrics-text; version=1.0.0; charset=utf-8,text/plain`
+
+var errNameLabelMandatory = fmt.Errorf("missing metric name (%s label)", labels.MetricName)
+
+type Gauge struct {
+ Value *float64
+}
+
+func (m *Gauge) GetValue() float64 {
+ if m != nil && m.Value != nil {
+ return *m.Value
+ }
+ return 0
+}
+
+type Info struct {
+ Value *int64
+}
+
+func (m *Info) GetValue() int64 {
+ if m != nil && m.Value != nil {
+ return *m.Value
+ }
+ return 0
+}
+func (m *Info) HasValidValue() bool {
+ return m != nil && *m.Value == 1
+}
+
+type Stateset struct {
+ Value *int64
+}
+
+func (m *Stateset) GetValue() int64 {
+ if m != nil && m.Value != nil {
+ return *m.Value
+ }
+ return 0
+}
+func (m *Stateset) HasValidValue() bool {
+ return m != nil && (*m.Value == 0 || *m.Value == 1)
+}
+
+type Counter struct {
+ Value *float64
+}
+
+func (m *Counter) GetValue() float64 {
+ if m != nil && m.Value != nil {
+ return *m.Value
+ }
+ return 0
+}
+
+type Quantile struct {
+ Quantile *float64
+ Value *float64
+ Exemplar *exemplar.Exemplar
+}
+
+func (m *Quantile) GetQuantile() float64 {
+ if m != nil && m.Quantile != nil {
+ return *m.Quantile
+ }
+ return 0
+}
+
+func (m *Quantile) GetValue() float64 {
+ if m != nil && m.Value != nil {
+ return *m.Value
+ }
+ return 0
+}
+
+type Summary struct {
+ SampleCount *uint64
+ SampleSum *float64
+ Quantile []*Quantile
+}
+
+func (m *Summary) GetSampleCount() uint64 {
+ if m != nil && m.SampleCount != nil {
+ return *m.SampleCount
+ }
+ return 0
+}
+
+func (m *Summary) GetSampleSum() float64 {
+ if m != nil && m.SampleSum != nil {
+ return *m.SampleSum
+ }
+ return 0
+}
+
+func (m *Summary) GetQuantile() []*Quantile {
+ if m != nil {
+ return m.Quantile
+ }
+ return nil
+}
+
+type Unknown struct {
+ Value *float64
+}
+
+func (m *Unknown) GetValue() float64 {
+ if m != nil && m.Value != nil {
+ return *m.Value
+ }
+ return 0
+}
+
+type Bucket struct {
+ CumulativeCount *uint64
+ UpperBound *float64
+ Exemplar *exemplar.Exemplar
+}
+
+func (m *Bucket) GetCumulativeCount() uint64 {
+ if m != nil && m.CumulativeCount != nil {
+ return *m.CumulativeCount
+ }
+ return 0
+}
+
+func (m *Bucket) GetUpperBound() float64 {
+ if m != nil && m.UpperBound != nil {
+ return *m.UpperBound
+ }
+ return 0
+}
+
+type Histogram struct {
+ SampleCount *uint64
+ SampleSum *float64
+ Bucket []*Bucket
+ IsGaugeHistogram bool
+}
+
+func (m *Histogram) GetSampleCount() uint64 {
+ if m != nil && m.SampleCount != nil {
+ return *m.SampleCount
+ }
+ return 0
+}
+
+func (m *Histogram) GetSampleSum() float64 {
+ if m != nil && m.SampleSum != nil {
+ return *m.SampleSum
+ }
+ return 0
+}
+
+func (m *Histogram) GetBucket() []*Bucket {
+ if m != nil {
+ return m.Bucket
+ }
+ return nil
+}
+
+type OpenMetric struct {
+ Label []*labels.Label
+ Exemplar *exemplar.Exemplar
+ Name *string
+ Gauge *Gauge
+ Counter *Counter
+ Info *Info
+ Stateset *Stateset
+ Summary *Summary
+ Unknown *Unknown
+ Histogram *Histogram
+ TimestampMs *int64
+}
+
+func (m *OpenMetric) GetName() *string {
+ if m != nil {
+ return m.Name
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetLabel() []*labels.Label {
+ if m != nil {
+ return m.Label
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetGauge() *Gauge {
+ if m != nil {
+ return m.Gauge
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetCounter() *Counter {
+ if m != nil {
+ return m.Counter
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetInfo() *Info {
+ if m != nil {
+ return m.Info
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetStateset() *Stateset {
+ if m != nil {
+ return m.Stateset
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetSummary() *Summary {
+ if m != nil {
+ return m.Summary
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetUnknown() *Unknown {
+ if m != nil {
+ return m.Unknown
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetHistogram() *Histogram {
+ if m != nil && m.Histogram != nil && !m.Histogram.IsGaugeHistogram {
+ return m.Histogram
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetGaugeHistogram() *Histogram {
+ if m != nil && m.Histogram != nil && m.Histogram.IsGaugeHistogram {
+ return m.Histogram
+ }
+ return nil
+}
+
+func (m *OpenMetric) GetTimestampMs() int64 {
+ if m != nil && m.TimestampMs != nil {
+ return *m.TimestampMs
+ }
+ return 0
+}
+
+type OpenMetricFamily struct {
+ Name *string
+ Help *string
+ Type textparse.MetricType
+ Unit *string
+ Metric []*OpenMetric
+}
+
+func (m *OpenMetricFamily) GetName() string {
+ if m != nil && m.Name != nil {
+ return *m.Name
+ }
+ return ""
+}
+func (m *OpenMetricFamily) GetUnit() string {
+ if m != nil && *m.Unit != "" {
+ return *m.Unit
+ }
+ return ""
+}
+
+func (m *OpenMetricFamily) GetMetric() []*OpenMetric {
+ if m != nil {
+ return m.Metric
+ }
+ return nil
+}
+
+// OpenMetrics helper retrieves openmetrics formatted metrics
+// This interface needs to use TextParse
+type OpenMetrics interface {
+ // GetFamilies requests metric families from openmetrics endpoint and returns them
+ GetFamilies() ([]*OpenMetricFamily, error)
+
+ GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error)
+
+ ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error)
+
+ ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error
+}
+
+type openmetrics struct {
+ httpfetcher
+ logger *logp.Logger
+}
+
+type httpfetcher interface {
+ FetchResponse() (*http.Response, error)
+}
+
+// NewOpenMetricsClient creates new openmetrics helper
+func NewOpenMetricsClient(base mb.BaseMetricSet) (OpenMetrics, error) {
+ httpclient, err := helper.NewHTTP(base)
+ if err != nil {
+ return nil, err
+ }
+
+ httpclient.SetHeaderDefault("Accept", acceptHeader)
+ httpclient.SetHeaderDefault("Accept-Encoding", "gzip")
+ return &openmetrics{httpclient, base.Logger()}, nil
+}
+
+// GetFamilies requests metric families from openmetrics endpoint and returns them
+func (p *openmetrics) GetFamilies() ([]*OpenMetricFamily, error) {
+ var reader io.Reader
+
+ resp, err := p.FetchResponse()
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ if resp.Header.Get("Content-Encoding") == "gzip" {
+ greader, err := gzip.NewReader(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ defer greader.Close()
+ reader = greader
+ } else {
+ reader = resp.Body
+ }
+
+ if resp.StatusCode > 399 {
+ bodyBytes, err := ioutil.ReadAll(reader)
+ if err == nil {
+ p.logger.Debug("error received from openmetrics endpoint: ", string(bodyBytes))
+ }
+ return nil, fmt.Errorf("unexpected status code %d from server", resp.StatusCode)
+ }
+
+ contentType := getContentType(resp.Header)
+ if contentType == "" {
+ return nil, fmt.Errorf("Invalid format for response of response")
+ }
+
+ appendTime := time.Now().Round(0)
+ b, err := ioutil.ReadAll(reader)
+ families, err := parseMetricFamilies(b, contentType, appendTime)
+
+ return families, nil
+}
+
+const (
+ suffixInfo = "_info"
+ suffixTotal = "_total"
+ suffixGCount = "_gcount"
+ suffixGSum = "_gsum"
+ suffixCount = "_count"
+ suffixSum = "_sum"
+ suffixBucket = "_bucket"
+)
+
+func isInfo(name string) bool {
+ return len(name) > 5 && name[len(name)-5:] == suffixInfo
+}
+
+// Counters have _total suffix
+func isTotal(name string) bool {
+ return len(name) > 6 && name[len(name)-6:] == suffixTotal
+}
+
+func isGCount(name string) bool {
+ return len(name) > 7 && name[len(name)-7:] == suffixGCount
+}
+
+func isGSum(name string) bool {
+ return len(name) > 5 && name[len(name)-5:] == suffixGSum
+}
+
+func isCount(name string) bool {
+ return len(name) > 6 && name[len(name)-6:] == suffixCount
+}
+
+func isSum(name string) bool {
+ return len(name) > 4 && name[len(name)-4:] == suffixSum
+}
+
+func isBucket(name string) bool {
+ return len(name) > 7 && name[len(name)-7:] == suffixBucket
+}
+
+func summaryMetricName(name string, s float64, qv string, lbls string, t *int64, summariesByName map[string]map[string]*OpenMetric) (string, *OpenMetric) {
+ var summary = &Summary{}
+ var quantile = []*Quantile{}
+ var quant = &Quantile{}
+
+ switch {
+ case isCount(name):
+ u := uint64(s)
+ summary.SampleCount = &u
+ name = name[:len(name)-6]
+ case isSum(name):
+ summary.SampleSum = &s
+ name = name[:len(name)-4]
+ default:
+ f, err := strconv.ParseFloat(qv, 64)
+ if err != nil {
+ f = -1
+ }
+ quant.Quantile = &f
+ quant.Value = &s
+ }
+
+ _, k := summariesByName[name]
+ if !k {
+ summariesByName[name] = make(map[string]*OpenMetric)
+ }
+ metric, ok := summariesByName[name][lbls]
+ if !ok {
+ metric = &OpenMetric{}
+ metric.Name = &name
+ metric.Summary = summary
+ metric.Summary.Quantile = quantile
+ summariesByName[name][lbls] = metric
+ }
+ if metric.Summary.SampleSum == nil && summary.SampleSum != nil {
+ metric.Summary.SampleSum = summary.SampleSum
+ } else if metric.Summary.SampleCount == nil && summary.SampleCount != nil {
+ metric.Summary.SampleCount = summary.SampleCount
+ } else if quant.Quantile != nil {
+ metric.Summary.Quantile = append(metric.Summary.Quantile, quant)
+ }
+
+ return name, metric
+}
+
+func histogramMetricName(name string, s float64, qv string, lbls string, t *int64, isGaugeHistogram bool, e *exemplar.Exemplar, histogramsByName map[string]map[string]*OpenMetric) (string, *OpenMetric) {
+ var histogram = &Histogram{}
+ var bucket = []*Bucket{}
+ var bkt = &Bucket{}
+
+ switch {
+ case isCount(name):
+ u := uint64(s)
+ histogram.SampleCount = &u
+ name = name[:len(name)-6]
+ case isSum(name):
+ histogram.SampleSum = &s
+ name = name[:len(name)-4]
+ case isGaugeHistogram && isGCount(name):
+ u := uint64(s)
+ histogram.SampleCount = &u
+ name = name[:len(name)-7]
+ case isGaugeHistogram && isGSum(name):
+ histogram.SampleSum = &s
+ name = name[:len(name)-5]
+ default:
+ if isBucket(name) {
+ name = name[:len(name)-7]
+ }
+ f, err := strconv.ParseFloat(qv, 64)
+ if err != nil {
+ f = math.MaxUint64
+ }
+ cnt := uint64(s)
+ bkt.UpperBound = &f
+ bkt.CumulativeCount = &cnt
+
+ if e != nil {
+ if !e.HasTs {
+ e.Ts = *t
+ }
+ bkt.Exemplar = e
+ }
+ }
+
+ _, k := histogramsByName[name]
+ if !k {
+ histogramsByName[name] = make(map[string]*OpenMetric)
+ }
+ metric, ok := histogramsByName[name][lbls]
+ if !ok {
+ metric = &OpenMetric{}
+ metric.Name = &name
+ metric.Histogram = histogram
+ metric.Histogram.Bucket = bucket
+ histogramsByName[name][lbls] = metric
+ }
+ if metric.Histogram.SampleSum == nil && histogram.SampleSum != nil {
+ metric.Histogram.SampleSum = histogram.SampleSum
+ } else if metric.Histogram.SampleCount == nil && histogram.SampleCount != nil {
+ metric.Histogram.SampleCount = histogram.SampleCount
+ } else if bkt.UpperBound != nil {
+ metric.Histogram.Bucket = append(metric.Histogram.Bucket, bkt)
+ }
+
+ return name, metric
+}
+
+func parseMetricFamilies(b []byte, contentType string, ts time.Time) ([]*OpenMetricFamily, error) {
+ var (
+ parser = textparse.New(b, contentType)
+ defTime = timestamp.FromTime(ts)
+ metricFamiliesByName = map[string]*OpenMetricFamily{}
+ summariesByName = map[string]map[string]*OpenMetric{}
+ histogramsByName = map[string]map[string]*OpenMetric{}
+ fam *OpenMetricFamily
+ mt = textparse.MetricTypeUnknown
+ )
+ var err error
+
+loop:
+ for {
+ var (
+ et textparse.Entry
+ ok bool
+ e exemplar.Exemplar
+ )
+ if et, err = parser.Next(); err != nil {
+ if err == io.EOF {
+ err = nil
+ }
+ break
+ }
+ switch et {
+ case textparse.EntryType:
+ buf, t := parser.Type()
+ s := string(buf)
+ fam, ok = metricFamiliesByName[s]
+ if !ok {
+ fam = &OpenMetricFamily{Name: &s, Type: t}
+ metricFamiliesByName[s] = fam
+ }
+ mt = t
+ continue
+ case textparse.EntryHelp:
+ buf, t := parser.Help()
+ s := string(buf)
+ h := string(t)
+ fam, ok = metricFamiliesByName[s]
+ if !ok {
+ fam = &OpenMetricFamily{Name: &s, Help: &h, Type: textparse.MetricTypeUnknown}
+ metricFamiliesByName[s] = fam
+ }
+ fam.Help = &h
+ continue
+ case textparse.EntryUnit:
+ buf, t := parser.Unit()
+ s := string(buf)
+ u := string(t)
+ fam, ok = metricFamiliesByName[s]
+ if !ok {
+ fam = &OpenMetricFamily{Name: &s, Unit: &u, Type: textparse.MetricTypeUnknown}
+ metricFamiliesByName[string(buf)] = fam
+ }
+ fam.Unit = &u
+ continue
+ case textparse.EntryComment:
+ continue
+ default:
+ }
+
+ t := defTime
+ _, tp, v := parser.Series()
+
+ var (
+ lset labels.Labels
+ mets string
+ )
+
+ mets = parser.Metric(&lset)
+
+ if !lset.Has(labels.MetricName) {
+ err = errNameLabelMandatory
+ break loop
+ }
+
+ var lbls strings.Builder
+ lbls.Grow(len(mets))
+ var labelPairs = []*labels.Label{}
+ for _, l := range lset.Copy() {
+ if l.Name == labels.MetricName {
+ continue
+ }
+
+ if l.Name != model.QuantileLabel && l.Name != labels.BucketLabel { // quantile and le are special labels handled below
+
+ lbls.WriteString(l.Name)
+ lbls.WriteString(l.Value)
+ }
+ n := l.Name
+ v := l.Value
+
+ labelPairs = append(labelPairs, &labels.Label{
+ Name: n,
+ Value: v,
+ })
+ }
+
+ var metric *OpenMetric
+
+ metricName := lset.Get(labels.MetricName)
+ var lookupMetricName string
+ var exm *exemplar.Exemplar
+
+ // Suffixes - https://github.com/OpenObservability/OpenMetrics/blob/main/specification/OpenMetrics.md#suffixes
+ switch mt {
+ case textparse.MetricTypeCounter:
+ var counter = &Counter{Value: &v}
+ mn := lset.Get(labels.MetricName)
+ metric = &OpenMetric{Name: &mn, Counter: counter, Label: labelPairs}
+ if isTotal(metricName) { // Remove suffix _total, get lookup metricname
+ lookupMetricName = metricName[:len(metricName)-6]
+ }
+ break
+ case textparse.MetricTypeGauge:
+ var gauge = &Gauge{Value: &v}
+ metric = &OpenMetric{Name: &metricName, Gauge: gauge, Label: labelPairs}
+ lookupMetricName = metricName
+ break
+ case textparse.MetricTypeInfo:
+ value := int64(v)
+ var info = &Info{Value: &value}
+ metric = &OpenMetric{Name: &metricName, Info: info, Label: labelPairs}
+ lookupMetricName = metricName
+ break
+ case textparse.MetricTypeSummary:
+ lookupMetricName, metric = summaryMetricName(metricName, v, lset.Get(model.QuantileLabel), lbls.String(), &t, summariesByName)
+ metric.Label = labelPairs
+ if !isSum(metricName) {
+ continue
+ }
+ metricName = lookupMetricName
+ break
+ case textparse.MetricTypeHistogram:
+ if hasExemplar := parser.Exemplar(&e); hasExemplar {
+ exm = &e
+ }
+ lookupMetricName, metric = histogramMetricName(metricName, v, lset.Get(labels.BucketLabel), lbls.String(), &t, false, exm, histogramsByName)
+ metric.Label = labelPairs
+ if !isSum(metricName) {
+ continue
+ }
+ metricName = lookupMetricName
+ break
+ case textparse.MetricTypeGaugeHistogram:
+ if hasExemplar := parser.Exemplar(&e); hasExemplar {
+ exm = &e
+ }
+ lookupMetricName, metric = histogramMetricName(metricName, v, lset.Get(labels.BucketLabel), lbls.String(), &t, true, exm, histogramsByName)
+ metric.Label = labelPairs
+ metric.Histogram.IsGaugeHistogram = true
+ if !isGSum(metricName) {
+ continue
+ }
+ metricName = lookupMetricName
+ break
+ case textparse.MetricTypeStateset:
+ value := int64(v)
+ var stateset = &Stateset{Value: &value}
+ metric = &OpenMetric{Name: &metricName, Stateset: stateset, Label: labelPairs}
+ lookupMetricName = metricName
+ break
+ case textparse.MetricTypeUnknown:
+ var unknown = &Unknown{Value: &v}
+ metric = &OpenMetric{Name: &metricName, Unknown: unknown, Label: labelPairs}
+ lookupMetricName = metricName
+ break
+ default:
+ lookupMetricName = metricName
+ }
+
+ fam, ok = metricFamiliesByName[lookupMetricName]
+ if !ok {
+ fam = &OpenMetricFamily{Type: mt}
+ metricFamiliesByName[lookupMetricName] = fam
+ }
+
+ fam.Name = &metricName
+
+ if hasExemplar := parser.Exemplar(&e); hasExemplar && mt != textparse.MetricTypeHistogram && metric != nil {
+ if !e.HasTs {
+ e.Ts = t
+ }
+ metric.Exemplar = &e
+ }
+
+ if tp != nil && metric != nil {
+ t = *tp
+ metric.TimestampMs = &t
+ }
+
+ fam.Metric = append(fam.Metric, metric)
+ }
+
+ families := make([]*OpenMetricFamily, 0, len(metricFamiliesByName))
+ for _, v := range metricFamiliesByName {
+ if v.Metric != nil {
+ families = append(families, v)
+ }
+ }
+ return families, nil
+}
+
+// MetricsMapping defines mapping settings for OpenMetrics metrics, to be used with `GetProcessedMetrics`
+type MetricsMapping struct {
+ // Metrics translates from openmetrics metric name to Metricbeat fields
+ Metrics map[string]MetricMap
+
+ // Namespace for metrics managed by this mapping
+ Namespace string
+
+ // Labels translate from openmetrics label names to Metricbeat fields
+ Labels map[string]LabelMap
+
+ // ExtraFields adds the given fields to all events coming from `GetProcessedMetrics`
+ ExtraFields map[string]string
+}
+
+func (p *openmetrics) ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error) {
+
+ eventsMap := map[string]common.MapStr{}
+ infoMetrics := []*infoMetricData{}
+ for _, family := range families {
+ for _, metric := range family.GetMetric() {
+ m, ok := mapping.Metrics[family.GetName()]
+ if m == nil || !ok {
+ // Ignore unknown metrics
+ continue
+ }
+
+ field := m.GetField()
+ value := m.GetValue(metric)
+
+ // Ignore retrieval errors (bad conf)
+ if value == nil {
+ continue
+ }
+
+ storeAllLabels := false
+ labelsLocation := ""
+ var extraFields common.MapStr
+ if m != nil {
+ c := m.GetConfiguration()
+ storeAllLabels = c.StoreNonMappedLabels
+ labelsLocation = c.NonMappedLabelsPlacement
+ extraFields = c.ExtraFields
+ }
+
+ // Apply extra options
+ allLabels := getLabels(metric)
+ for _, option := range m.GetOptions() {
+ field, value, allLabels = option.Process(field, value, allLabels)
+ }
+
+ // Convert labels
+ labels := common.MapStr{}
+ keyLabels := common.MapStr{}
+ for k, v := range allLabels {
+ if l, ok := mapping.Labels[k]; ok {
+ if l.IsKey() {
+ keyLabels.Put(l.GetField(), v)
+ } else {
+ labels.Put(l.GetField(), v)
+ }
+ } else if storeAllLabels {
+ // if label for this metric is not found at the label mappings but
+ // it is configured to store any labels found, make it so
+ labels.Put(labelsLocation+"."+k, v)
+ }
+ }
+
+ // if extra fields have been added through metric configuration
+ // add them to labels.
+ //
+ // not considering these extra fields to be keylabels as that case
+ // have not appeared yet
+ for k, v := range extraFields {
+ labels.Put(k, v)
+ }
+
+ // Keep a info document if it's an infoMetric
+ if _, ok = m.(*infoMetric); ok {
+ labels.DeepUpdate(keyLabels)
+ infoMetrics = append(infoMetrics, &infoMetricData{
+ Labels: keyLabels,
+ Meta: labels,
+ })
+ continue
+ }
+
+ if field != "" {
+ event := getEvent(eventsMap, keyLabels)
+ update := common.MapStr{}
+ update.Put(field, value)
+ // value may be a mapstr (for histograms and summaries), do a deep update to avoid smashing existing fields
+ event.DeepUpdate(update)
+
+ event.DeepUpdate(labels)
+ }
+ }
+ }
+
+ // populate events array from values in eventsMap
+ events := make([]common.MapStr, 0, len(eventsMap))
+ for _, event := range eventsMap {
+ // Add extra fields
+ for k, v := range mapping.ExtraFields {
+ event[k] = v
+ }
+ events = append(events, event)
+ }
+
+ // fill info from infoMetrics
+ for _, info := range infoMetrics {
+ for _, event := range events {
+ found := true
+ for k, v := range info.Labels.Flatten() {
+ value, err := event.GetValue(k)
+ if err != nil || v != value {
+ found = false
+ break
+ }
+ }
+
+ // fill info from this metric
+ if found {
+ event.DeepUpdate(info.Meta)
+ }
+ }
+ }
+
+ return events, nil
+}
+
+func (p *openmetrics) GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error) {
+ families, err := p.GetFamilies()
+ if err != nil {
+ return nil, err
+ }
+ return p.ProcessMetrics(families, mapping)
+}
+
+// infoMetricData keeps data about an infoMetric
+type infoMetricData struct {
+ Labels common.MapStr
+ Meta common.MapStr
+}
+
+func (p *openmetrics) ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error {
+ events, err := p.GetProcessedMetrics(mapping)
+ if err != nil {
+ return errors.Wrap(err, "error getting processed metrics")
+ }
+ for _, event := range events {
+ r.Event(mb.Event{
+ MetricSetFields: event,
+ Namespace: mapping.Namespace,
+ })
+ }
+
+ return nil
+}
+
+func getEvent(m map[string]common.MapStr, labels common.MapStr) common.MapStr {
+ hash := labels.String()
+ res, ok := m[hash]
+ if !ok {
+ res = labels
+ m[hash] = res
+ }
+ return res
+}
+
+func getLabels(metric *OpenMetric) common.MapStr {
+ labels := common.MapStr{}
+ for _, label := range metric.GetLabel() {
+ if label.Name != "" && label.Value != "" {
+ labels.Put(label.Name, label.Value)
+ }
+ }
+ return labels
+}
+
+// CompilePatternList compiles a pattern list and returns the list of the compiled patterns
+func CompilePatternList(patterns *[]string) ([]*regexp.Regexp, error) {
+ var compiledPatterns []*regexp.Regexp
+ compiledPatterns = []*regexp.Regexp{}
+ if patterns != nil {
+ for _, pattern := range *patterns {
+ r, err := regexp.Compile(pattern)
+ if err != nil {
+ return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern)
+ }
+ compiledPatterns = append(compiledPatterns, r)
+ }
+ return compiledPatterns, nil
+ }
+ return []*regexp.Regexp{}, nil
+}
+
+// MatchMetricFamily checks if the given family/metric name matches any of the given patterns
+func MatchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool {
+ for _, checkMetric := range matchMetrics {
+ matched := checkMetric.MatchString(family)
+ if matched {
+ return true
+ }
+ }
+ return false
+}
+
+const (
+ TextVersion = "0.0.4"
+ OpenMetricsType = `application/openmetrics-text`
+
+ // The Content-Type values for the different wire protocols.
+ FmtUnknown string = ``
+ FmtText string = `text/plain; version=` + TextVersion + `; charset=utf-8`
+)
+
+const (
+ hdrContentType = "Content-Type"
+)
+
+func getContentType(h http.Header) string {
+ ct := h.Get(hdrContentType)
+
+ mediatype, params, err := mime.ParseMediaType(ct)
+ if err != nil {
+ return FmtUnknown
+ }
+
+ const textType = "text/plain"
+
+ switch mediatype {
+ case OpenMetricsType:
+ if e, ok := params["encoding"]; ok && e != "delimited" {
+ return FmtUnknown
+ }
+ return OpenMetricsType
+
+ case textType:
+ if v, ok := params["version"]; ok && v != TextVersion {
+ return FmtUnknown
+ }
+ return FmtText
+ }
+
+ return FmtUnknown
+}
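Review bot: The errors from `ioutil.ReadAll` and `parseMetricFamilies` in GetFamilies are assigned and then dropped — `b, err := ioutil.ReadAll(reader)` is immediately followed by `families, err := parseMetricFamilies(b, contentType, appendTime)` and `return families, nil`, so a truncated body or an unparseable payload is reported as a successful fetch with whatever partial families were built; parseMetricFamilies has the same shape, ending in `return families, nil` even after `err` was set by `parser.Next()` or `errNameLabelMandatory`. Both should propagate the error, e.g. `if err != nil { return nil, err }` after each call in GetFamilies and `return families, err` at the end of parseMetricFamilies. Separately, `OpenMetricFamily.GetUnit`, `Info.HasValidValue` and `Stateset.HasValidValue` dereference `*m.Unit` / `*m.Value` without the nil check their sibling getters perform, which panics for families created without a `# UNIT` line or metrics whose value pointer is unset. Since the whole body is buffered from a gzip stream before parsing, bounding the decoded size (an `io.LimitReader` around `reader`) would keep memory use predictable when a scraped endpoint returns an oversized or malformed response.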
diff --git a/metricbeat/helper/openmetrics/openmetrics_test.go b/metricbeat/helper/openmetrics/openmetrics_test.go
new file mode 100644
index 00000000000..5ebf1903c0f
--- /dev/null
+++ b/metricbeat/helper/openmetrics/openmetrics_test.go
@@ -0,0 +1,1093 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+import (
+ "bytes"
+ "compress/gzip"
+ "io/ioutil"
+ "net/http"
+ "sort"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/logp"
+ mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
+)
+
+const (
+ openMetricsTestSamples = `# TYPE first_metric gauge
+first_metric{label1="value1",label2="value2",label3="Value3",label4="FOO"} 1
+# TYPE second_metric gauge
+second_metric{label1="value1",label3="othervalue"} 0
+# TYPE summary_metric summary
+summary_metric{quantile="0.5"} 29735
+summary_metric{quantile="0.9"} 47103
+summary_metric{quantile="0.99"} 50681
+summary_metric_sum 234892394
+summary_metric_count 44000
+# TYPE histogram_metric histogram
+histogram_metric_bucket{le="1000"} 1
+histogram_metric_bucket{le="10000"} 1
+histogram_metric_bucket{le="100000"} 1
+histogram_metric_bucket{le="1e+06"} 1
+histogram_metric_bucket{le="1e+08"} 1
+histogram_metric_bucket{le="1e+09"} 1
+histogram_metric_bucket{le="+Inf"} 1
+histogram_metric_sum 117
+histogram_metric_count 1
+# TYPE histogram_decimal_metric histogram
+histogram_decimal_metric_bucket{le="0.001"} 1
+histogram_decimal_metric_bucket{le="0.01"} 1
+histogram_decimal_metric_bucket{le="0.1"} 2
+histogram_decimal_metric_bucket{le="1"} 3
+histogram_decimal_metric_bucket{le="+Inf"} 5
+histogram_decimal_metric_sum 4.31
+histogram_decimal_metric_count 5
+# TYPE gaugehistogram_metric gaugehistogram
+gaugehistogram_metric_bucket{le="0.01"} 20.0
+gaugehistogram_metric_bucket{le="0.1"} 25.0
+gaugehistogram_metric_bucket{le="1"} 34.0
+gaugehistogram_metric_bucket{le="10"} 34.0
+gaugehistogram_metric_bucket{le="+Inf"} 42.0
+gaugehistogram_metric_gcount 42.0
+gaugehistogram_metric_gsum 3289.3
+gaugehistogram_metric_created 1520430000.123
+# TYPE target info
+target_info 1
+# TYPE target_with_labels info
+target_with_labels_info{env="prod",hostname="myhost"} 1
+`
+
+ openMetricsGaugeKeyLabel = `# TYPE metrics_one_count_total gauge
+metrics_one_count_total{name="jane",surname="foster"} 1
+metrics_one_count_total{name="john",surname="williams"} 2
+metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3
+`
+
+ openMetricsGaugeKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors gauge
+metrics_one_count_errors{name="jane",surname="foster"} 0
+# TYPE metrics_one_count_total gauge
+metrics_one_count_total{name="jane",surname="foster"} NaN
+metrics_one_count_total{name="foo",surname="bar"} +Inf
+metrics_one_count_total{name="john",surname="williams"} -Inf
+metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3
+`
+
+ openMetricsCounterKeyLabel = `# TYPE metrics_one_count_total counter
+metrics_one_count_total{name="jane",surname="foster"} 1
+metrics_one_count_total{name="john",surname="williams"} 2
+metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3
+`
+
+ openMetricsCounterKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors counter
+metrics_one_count_errors{name="jane",surname="foster"} 1
+# TYPE metrics_one_count_total counter
+metrics_one_count_total{name="jane",surname="foster"} NaN
+metrics_one_count_total{name="john",surname="williams"} +Inf
+metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3
+
+`
+
+ openMetricsHistogramKeyLabel = `# TYPE metrics_one_midichlorians histogram
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} 52
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} 70
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} 78
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86
+metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001
+metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86
+metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="2000"} 16
+metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="4000"} 20
+metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="8000"} 23
+metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="16000"} 27
+metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="32000"} 27
+metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="+Inf"} 28
+metrics_one_midichlorians_sum{rank="padawan",alive="yes"} 800001
+metrics_one_midichlorians_count{rank="padawan",alive="yes"} 28
+`
+
+ openMetricsHistogramKeyLabelWithNaNInf = `# TYPE metrics_one_midichlorians histogram
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} NaN
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} +Inf
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} -Inf
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86
+metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86
+metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001
+metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86
+`
+
+ openMetricsSummaryKeyLabel = `# TYPE metrics_force_propagation_ms summary
+metrics_force_propagation_ms{kind="jedi",quantile="0"} 35
+metrics_force_propagation_ms{kind="jedi",quantile="0.25"} 22
+metrics_force_propagation_ms{kind="jedi",quantile="0.5"} 7
+metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20
+metrics_force_propagation_ms{kind="jedi",quantile="1"} 30
+metrics_force_propagation_ms_sum{kind="jedi"} 89
+metrics_force_propagation_ms_count{kind="jedi"} 651
+metrics_force_propagation_ms{kind="sith",quantile="0"} 30
+metrics_force_propagation_ms{kind="sith",quantile="0.25"} 20
+metrics_force_propagation_ms{kind="sith",quantile="0.5"} 12
+metrics_force_propagation_ms{kind="sith",quantile="0.75"} 21
+metrics_force_propagation_ms{kind="sith",quantile="1"} 29
+metrics_force_propagation_ms_sum{kind="sith"} 112
+metrics_force_propagation_ms_count{kind="sith"} 711
+`
+
+ openMetricsSummaryKeyLabelWithNaNInf = `# TYPE metrics_force_propagation_ms summary
+metrics_force_propagation_ms{kind="jedi",quantile="0"} NaN
+metrics_force_propagation_ms{kind="jedi",quantile="0.25"} +Inf
+metrics_force_propagation_ms{kind="jedi",quantile="0.5"} -Inf
+metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20
+metrics_force_propagation_ms{kind="jedi",quantile="1"} 30
+metrics_force_propagation_ms_sum{kind="jedi"} 50
+metrics_force_propagation_ms_count{kind="jedi"} 651
+`
+
+ openMetricsGaugeLabeled = `# TYPE metrics_that_inform_labels gauge
+metrics_that_inform_labels{label1="I am 1",label2="I am 2"} 1
+metrics_that_inform_labels{label1="I am 1",label3="I am 3"} 1
+# TYPE metrics_that_use_labels gauge
+metrics_that_use_labels{label1="I am 1"} 20
+`
+ openMetricsStateset = `# TYPE enable_category stateset
+enable_category{category="shoes"} 0
+enable_category{category="collectibles"} 1
+`
+)
+
+type mockFetcher struct {
+ response string
+}
+
+var _ = httpfetcher(&mockFetcher{})
+
+// FetchResponse returns an HTTP response but for the Body, which
+// returns the mockFetcher.Response contents
+func (m mockFetcher) FetchResponse() (*http.Response, error) {
+ body := bytes.NewBuffer(nil)
+ writer := gzip.NewWriter(body)
+ writer.Write([]byte(m.response))
+ writer.Close()
+
+ return &http.Response{
+ StatusCode: 200,
+ Header: http.Header{
+ "Content-Encoding": []string{"gzip"},
+ "Content-Type": []string{"application/openmetrics-text"},
+ },
+ Body: ioutil.NopCloser(body),
+ }, nil
+}
+
+func TestOpenMetrics(t *testing.T) {
+
+ p := &openmetrics{mockFetcher{response: openMetricsTestSamples}, logp.NewLogger("test")}
+
+ tests := []struct {
+ mapping *MetricsMapping
+ msg string
+ expected []common.MapStr
+ }{
+ {
+ msg: "Simple field map",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": Metric("first.metric"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": 1.0,
+ },
+ },
+ },
+ },
+ {
+ msg: "Simple field map with labels",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": Metric("first.metric"),
+ },
+ Labels: map[string]LabelMap{
+ "label1": Label("labels.label1"),
+ "label2": Label("labels.label2"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": 1.0,
+ },
+ "labels": common.MapStr{
+ "label1": "value1",
+ "label2": "value2",
+ },
+ },
+ },
+ },
+ {
+ msg: "Several metrics",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": Metric("first.metric"),
+ "second_metric": Metric("second.metric"),
+ },
+ Labels: map[string]LabelMap{
+ "label3": KeyLabel("labels.label3"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": 1.0,
+ },
+ "labels": common.MapStr{
+ "label3": "Value3",
+ },
+ },
+ common.MapStr{
+ "second": common.MapStr{
+ "metric": 0.0,
+ },
+ "labels": common.MapStr{
+ "label3": "othervalue",
+ },
+ },
+ },
+ },
+ {
+ msg: "Grouping by key labels",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": Metric("first.metric"),
+ "second_metric": Metric("second.metric"),
+ },
+ Labels: map[string]LabelMap{
+ "label1": KeyLabel("labels.label1"),
+ "label2": Label("labels.label2"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": 1.0,
+ },
+ "second": common.MapStr{
+ "metric": 0.0,
+ },
+ "labels": common.MapStr{
+ "label1": "value1",
+ "label2": "value2",
+ },
+ },
+ },
+ },
+ {
+ msg: "Keyword metrics",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": KeywordMetric("first.metric", "works"),
+ "second_metric": KeywordMetric("second.metric", "itsnot"),
+ },
+ Labels: map[string]LabelMap{
+ "label1": KeyLabel("labels.label1"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": "works",
+ },
+ "labels": common.MapStr{
+ "label1": "value1",
+ },
+ },
+ },
+ },
+ {
+ msg: "Boolean metrics",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": BooleanMetric("first.metric"),
+ "second_metric": BooleanMetric("second.metric"),
+ },
+ Labels: map[string]LabelMap{
+ "label1": KeyLabel("labels.label1"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": true,
+ },
+ "second": common.MapStr{
+ "metric": false,
+ },
+ "labels": common.MapStr{
+ "label1": "value1",
+ },
+ },
+ },
+ },
+ {
+ msg: "Label metrics",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": LabelMetric("first.metric", "label3"),
+ },
+ Labels: map[string]LabelMap{
+ "label1": Label("labels.label1"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": "Value3",
+ },
+ "labels": common.MapStr{
+ "label1": "value1",
+ },
+ },
+ },
+ },
+ {
+ msg: "Label metrics, lowercase",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue()),
+ },
+ Labels: map[string]LabelMap{
+ "label1": Label("labels.label1"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": "foo",
+ },
+ "labels": common.MapStr{
+ "label1": "value1",
+ },
+ },
+ },
+ },
+ {
+ msg: "Label metrics, filter",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": LabelMetric("first.metric", "label4", OpFilterMap(
+ "label1",
+ map[string]string{"value1": "foo"},
+ )),
+ },
+ Labels: map[string]LabelMap{
+ "label1": Label("labels.label1"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "first": common.MapStr{
+ "metric": common.MapStr{
+ "foo": "FOO",
+ },
+ },
+ "labels": common.MapStr{
+ "label1": "value1",
+ },
+ },
+ },
+ },
+ {
+ msg: "Label metrics, filter",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue(), OpFilterMap(
+ "foo",
+ map[string]string{"Filtered": "filtered"},
+ )),
+ },
+ Labels: map[string]LabelMap{
+ "label1": Label("labels.label1"),
+ },
+ },
+ expected: []common.MapStr{},
+ },
+ {
+ msg: "Summary metric",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "summary_metric": Metric("summary.metric"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "summary": common.MapStr{
+ "metric": common.MapStr{
+ "sum": 234892394.0,
+ "count": uint64(44000),
+ "percentile": common.MapStr{
+ "50": 29735.0,
+ "90": 47103.0,
+ "99": 50681.0,
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ msg: "Histogram metric",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "histogram_metric": Metric("histogram.metric"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "histogram": common.MapStr{
+ "metric": common.MapStr{
+ "count": uint64(1),
+ "bucket": common.MapStr{
+ "1000000000": uint64(1),
+ "+Inf": uint64(1),
+ "1000": uint64(1),
+ "10000": uint64(1),
+ "100000": uint64(1),
+ "1000000": uint64(1),
+ "100000000": uint64(1),
+ },
+ "sum": 117.0,
+ },
+ },
+ },
+ },
+ },
+ {
+ msg: "Histogram decimal metric",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "histogram_decimal_metric": Metric("histogram.metric", OpMultiplyBuckets(1000)),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "histogram": common.MapStr{
+ "metric": common.MapStr{
+ "count": uint64(5),
+ "bucket": common.MapStr{
+ "1": uint64(1),
+ "10": uint64(1),
+ "100": uint64(2),
+ "1000": uint64(3),
+ "+Inf": uint64(5),
+ },
+ "sum": 4310.0,
+ },
+ },
+ },
+ },
+ },
+ {
+ msg: "Gauge histogram metric",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "gaugehistogram_metric": Metric("gaugehistogram.metric"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "gaugehistogram": common.MapStr{
+ "metric": common.MapStr{
+ "gcount": uint64(42),
+ "bucket": common.MapStr{
+ "0.01": uint64(20),
+ "0.1": uint64(25),
+ "1": uint64(34),
+ "10": uint64(34),
+ "+Inf": uint64(42),
+ },
+ "gsum": 3289.3,
+ },
+ },
+ },
+ },
+ },
+ {
+ msg: "Info metric",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "target_info": Metric("target_info.metric"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "target_info": common.MapStr{
+ "metric": int64(1),
+ },
+ },
+ },
+ },
+ {
+ msg: "Info metric with labels",
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "target_with_labels_info": Metric("target_with_labels_info.metric"),
+ },
+ Labels: map[string]LabelMap{
+ "env": Label("labels.env"),
+ "hostname": Label("labels.hostname"),
+ },
+ },
+ expected: []common.MapStr{
+ common.MapStr{
+ "target_with_labels_info": common.MapStr{
+ "metric": int64(1),
+ },
+ "labels": common.MapStr{
+ "env": "prod",
+ "hostname": "myhost",
+ },
+ },
+ },
+ },
+ }
+
+ for _, test := range tests {
+ t.Run(test.msg, func(t *testing.T) {
+ reporter := &mbtest.CapturingReporterV2{}
+ p.ReportProcessedMetrics(test.mapping, reporter)
+ assert.Nil(t, reporter.GetErrors(), test.msg)
+ // Sort slice to avoid randomness
+ res := reporter.GetEvents()
+ sort.Slice(res, func(i, j int) bool {
+ return res[i].MetricSetFields.String() < res[j].MetricSetFields.String()
+ })
+ assert.Equal(t, len(test.expected), len(res))
+ for j, ev := range res {
+ assert.Equal(t, test.expected[j], ev.MetricSetFields, test.msg)
+ }
+ })
+ }
+}
+
+func TestOpenMetricsKeyLabels(t *testing.T) {
+
+ testCases := []struct {
+ testName string
+ openmetricsResponse string
+ mapping *MetricsMapping
+ expectedEvents []common.MapStr
+ }{
+ {
+ testName: "Test gauge with KeyLabel",
+ openmetricsResponse: openMetricsGaugeKeyLabel,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_one_count_total": Metric("metrics.one.count"),
+ },
+ Labels: map[string]LabelMap{
+ "name": KeyLabel("metrics.one.labels.name"),
+ "surname": KeyLabel("metrics.one.labels.surname"),
+ "age": KeyLabel("metrics.one.labels.age"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": 1.0,
+ "labels": common.MapStr{
+ "name": "jane",
+ "surname": "foster",
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": 2.0,
+ "labels": common.MapStr{
+ "name": "john",
+ "surname": "williams",
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": 3.0,
+ "labels": common.MapStr{
+ "name": "jahn",
+ "surname": "baldwin",
+ "age": "30",
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test gauge with KeyLabel With NaN Inf",
+ openmetricsResponse: openMetricsGaugeKeyLabelWithNaNInf,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_one_count_errors": Metric("metrics.one.count"),
+ "metrics_one_count_total": Metric("metrics.one.count"),
+ },
+ Labels: map[string]LabelMap{
+ "name": KeyLabel("metrics.one.labels.name"),
+ "surname": KeyLabel("metrics.one.labels.surname"),
+ "age": KeyLabel("metrics.one.labels.age"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": 0.0,
+ "labels": common.MapStr{
+ "name": "jane",
+ "surname": "foster",
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": 3.0,
+ "labels": common.MapStr{
+ "name": "jahn",
+ "surname": "baldwin",
+ "age": "30",
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test counter with KeyLabel",
+ openmetricsResponse: openMetricsCounterKeyLabel,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_one_count_total": Metric("metrics.one.count"),
+ },
+ Labels: map[string]LabelMap{
+ "name": KeyLabel("metrics.one.labels.name"),
+ "surname": KeyLabel("metrics.one.labels.surname"),
+ "age": KeyLabel("metrics.one.labels.age"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": int64(1),
+ "labels": common.MapStr{
+ "name": "jane",
+ "surname": "foster",
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": int64(2),
+ "labels": common.MapStr{
+ "name": "john",
+ "surname": "williams",
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": int64(3),
+ "labels": common.MapStr{
+ "name": "jahn",
+ "surname": "baldwin",
+ "age": "30",
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test counter with KeyLabel With NaN Inf",
+ openmetricsResponse: openMetricsCounterKeyLabelWithNaNInf,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_one_count_errors": Metric("metrics.one.count"),
+ "metrics_one_count_total": Metric("metrics.one.count"),
+ },
+ Labels: map[string]LabelMap{
+ "name": KeyLabel("metrics.one.labels.name"),
+ "surname": KeyLabel("metrics.one.labels.surname"),
+ "age": KeyLabel("metrics.one.labels.age"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": int64(1),
+ "labels": common.MapStr{
+ "name": "jane",
+ "surname": "foster",
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "count": int64(3),
+ "labels": common.MapStr{
+ "name": "jahn",
+ "surname": "baldwin",
+ "age": "30",
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test histogram with KeyLabel",
+ openmetricsResponse: openMetricsHistogramKeyLabel,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_one_midichlorians": Metric("metrics.one.midichlorians"),
+ },
+ Labels: map[string]LabelMap{
+ "rank": KeyLabel("metrics.one.midichlorians.rank"),
+ "alive": KeyLabel("metrics.one.midichlorians.alive"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "midichlorians": common.MapStr{
+ "count": uint64(86),
+ "sum": 1000001.0,
+ "bucket": common.MapStr{
+ "2000": uint64(52),
+ "4000": uint64(70),
+ "8000": uint64(78),
+ "16000": uint64(84),
+ "32000": uint64(86),
+ "+Inf": uint64(86),
+ },
+
+ "rank": "youngling",
+ "alive": "yes",
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "midichlorians": common.MapStr{
+ "count": uint64(28),
+ "sum": 800001.0,
+ "bucket": common.MapStr{
+ "2000": uint64(16),
+ "4000": uint64(20),
+ "8000": uint64(23),
+ "16000": uint64(27),
+ "32000": uint64(27),
+ "+Inf": uint64(28),
+ },
+ "rank": "padawan",
+ "alive": "yes",
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test histogram with KeyLabel With NaN Inf",
+ openmetricsResponse: openMetricsHistogramKeyLabelWithNaNInf,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_one_midichlorians": Metric("metrics.one.midichlorians"),
+ },
+ Labels: map[string]LabelMap{
+ "rank": KeyLabel("metrics.one.midichlorians.rank"),
+ "alive": KeyLabel("metrics.one.midichlorians.alive"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "one": common.MapStr{
+ "midichlorians": common.MapStr{
+ "count": uint64(86),
+ "sum": 1000001.0,
+ "bucket": common.MapStr{
+ "16000": uint64(84),
+ "32000": uint64(86),
+ "+Inf": uint64(86),
+ },
+
+ "rank": "youngling",
+ "alive": "yes",
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test summary with KeyLabel",
+ openmetricsResponse: openMetricsSummaryKeyLabel,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"),
+ },
+ Labels: map[string]LabelMap{
+ "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "force": common.MapStr{
+ "propagation": common.MapStr{
+ "ms": common.MapStr{
+ "count": uint64(651),
+ "sum": 89.0,
+ "percentile": common.MapStr{
+ "0": 35.0,
+ "25": 22.0,
+ "50": 7.0,
+ "75": 20.0,
+ "100": 30.0,
+ },
+ "labels": common.MapStr{
+ "kind": "jedi",
+ },
+ },
+ },
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "force": common.MapStr{
+ "propagation": common.MapStr{
+ "ms": common.MapStr{
+ "count": uint64(711),
+ "sum": 112.0,
+ "percentile": common.MapStr{
+ "0": 30.0,
+ "25": 20.0,
+ "50": 12.0,
+ "75": 21.0,
+ "100": 29.0,
+ },
+ "labels": common.MapStr{
+ "kind": "sith",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test summary with KeyLabel With NaN Inf",
+ openmetricsResponse: openMetricsSummaryKeyLabelWithNaNInf,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"),
+ },
+ Labels: map[string]LabelMap{
+ "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "force": common.MapStr{
+ "propagation": common.MapStr{
+ "ms": common.MapStr{
+ "count": uint64(651),
+ "sum": 50.0,
+ "percentile": common.MapStr{
+ "75": 20.0,
+ "100": 30.0,
+ },
+ "labels": common.MapStr{
+ "kind": "jedi",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+
+ {
+ testName: "Test gauge InfoMetrics using ExtendedInfoMetric",
+ openmetricsResponse: openMetricsGaugeLabeled,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "metrics.other_labels"}),
+ "metrics_that_use_labels": Metric("metrics.value"),
+ },
+ Labels: map[string]LabelMap{
+ "label1": KeyLabel("metrics.label1"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "value": 20.0,
+ "label1": "I am 1",
+ "other_labels": common.MapStr{
+ "label2": "I am 2",
+ "label3": "I am 3",
+ },
+ },
+ },
+ },
+ },
+ {
+ testName: "Test gauge InfoMetrics using ExtendedInfoMetric and extra fields",
+ openmetricsResponse: openMetricsGaugeLabeled,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{
+ StoreNonMappedLabels: true,
+ NonMappedLabelsPlacement: "metrics.other_labels",
+ ExtraFields: common.MapStr{
+ "metrics.extra.field1": "extra1",
+ "metrics.extra.field2": "extra2",
+ }}),
+ "metrics_that_use_labels": Metric("metrics.value"),
+ },
+ Labels: map[string]LabelMap{
+ "label1": KeyLabel("metrics.label1"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "value": 20.0,
+ "label1": "I am 1",
+ "other_labels": common.MapStr{
+ "label2": "I am 2",
+ "label3": "I am 3",
+ },
+ "extra": common.MapStr{
+ "field1": "extra1",
+ "field2": "extra2",
+ },
+ },
+ },
+ },
+ },
+ {
+ testName: "Stateset metric with labels",
+ openmetricsResponse: openMetricsStateset,
+ mapping: &MetricsMapping{
+ Metrics: map[string]MetricMap{
+ "enable_category": Metric("metrics.count"),
+ },
+ Labels: map[string]LabelMap{
+ "category": KeyLabel("metrics.labels.category"),
+ },
+ },
+ expectedEvents: []common.MapStr{
+ common.MapStr{
+ "metrics": common.MapStr{
+ "count": int64(0),
+ "labels": common.MapStr{
+ "category": "shoes",
+ },
+ },
+ },
+ common.MapStr{
+ "metrics": common.MapStr{
+ "count": int64(1),
+ "labels": common.MapStr{
+ "category": "collectibles",
+ },
+ },
+ },
+ },
+ },
+ }
+
+ for _, tc := range testCases {
+ r := &mbtest.CapturingReporterV2{}
+ p := &openmetrics{mockFetcher{response: tc.openmetricsResponse}, logp.NewLogger("test")}
+ p.ReportProcessedMetrics(tc.mapping, r)
+ if !assert.Nil(t, r.GetErrors(),
+ "error reporting/processing metrics, at %q", tc.testName) {
+ continue
+ }
+
+ events := r.GetEvents()
+ if !assert.Equal(t, len(tc.expectedEvents), len(events),
+ "number of returned events doesn't match expected, at %q", tc.testName) {
+ continue
+ }
+
+ // Sort slices of received and expeected to avoid unmatching
+ sort.Slice(events, func(i, j int) bool {
+ return events[i].MetricSetFields.String() < events[j].MetricSetFields.String()
+ })
+ sort.Slice(tc.expectedEvents, func(i, j int) bool {
+ return tc.expectedEvents[i].String() < tc.expectedEvents[j].String()
+ })
+
+ for i := range events {
+ if !assert.Equal(t, tc.expectedEvents[i], events[i].MetricSetFields,
+ "mismatch at event #%d, at %q", i, tc.testName) {
+
+ continue
+ }
+ }
+ }
+}
diff --git a/metricbeat/mb/testing/testdata.go b/metricbeat/mb/testing/testdata.go
index 6e398e8e8f9..e5b853d570e 100644
--- a/metricbeat/mb/testing/testdata.go
+++ b/metricbeat/mb/testing/testdata.go
@@ -43,6 +43,7 @@ import (
const (
expectedExtension = "-expected.json"
+ applicationJson = "application/json"
)
// DataConfig is the configuration for testdata tests
@@ -75,6 +76,9 @@ type DataConfig struct {
// URL of the endpoint that must be tested depending on each module
URL string
+ // ContentType of the data being returned by server
+ ContentType string `yaml:"content_type"`
+
// Suffix is the extension of the source file with the input contents. Defaults to `json`, `plain` is also a common use.
Suffix string
@@ -107,9 +111,10 @@ type DataConfig struct {
func defaultDataConfig() DataConfig {
return DataConfig{
- Path: ".",
- WritePath: ".",
- Suffix: "json",
+ Path: ".",
+ WritePath: ".",
+ Suffix: "json",
+ ContentType: applicationJson,
}
}
@@ -189,7 +194,7 @@ func TestMetricsetFieldsDocumented(t *testing.T, metricSet mb.MetricSet, events
func runTest(t *testing.T, file string, module, metricSetName string, config DataConfig) {
// starts a server serving the given file under the given url
- s := server(t, file, config.URL)
+ s := server(t, file, config.URL, config.ContentType)
defer s.Close()
moduleConfig := getConfig(module, metricSetName, s.URL, config)
@@ -440,7 +445,7 @@ func getConfig(module, metricSet, url string, config DataConfig) map[string]inte
}
// server starts a server with a mock output
-func server(t *testing.T, path string, url string) *httptest.Server {
+func server(t *testing.T, path string, url string, contentType string) *httptest.Server {
body, err := ioutil.ReadFile(path)
if err != nil {
@@ -455,7 +460,7 @@ func server(t *testing.T, path string, url string) *httptest.Server {
}
if r.URL.Path+query == url {
- w.Header().Set("Content-Type", "application/json;")
+ w.Header().Set("Content-Type", contentType)
w.WriteHeader(200)
w.Write(body)
} else {
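Review bot: `server` now writes `contentType` into the `Content-Type` header with no guard, so a `DataConfig` whose `content_type` key is absent or empty produces an empty header; whether the yaml decoder starts from `defaultDataConfig()` and so preserves the default is not visible from this hunk. If an empty value is not meant to be valid, fall back before the handler is built with `if contentType == "" { contentType = applicationJson }`, or have `runTest` reject it. The handler closure this line sits in begins before the hunk.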
diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml
index c2edf2795aa..7673d7b01b5 100644
--- a/metricbeat/metricbeat.reference.yml
+++ b/metricbeat/metricbeat.reference.yml
@@ -2206,11 +2206,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. metricbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Metricbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -2395,6 +2390,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/metricbeat/module/beat/_meta/fields.yml b/metricbeat/module/beat/_meta/fields.yml
index 5f40348c572..b29bffb2cfa 100644
--- a/metricbeat/module/beat/_meta/fields.yml
+++ b/metricbeat/module/beat/_meta/fields.yml
@@ -305,19 +305,19 @@
fields:
- name: host
type: alias
- path: beat.stats.beat.host
+ path: beat.stats.info.host
- name: name
type: alias
- path: beat.stats.beat.name
+ path: beat.stats.info.name
- name: type
type: alias
- path: beat.stats.beat.type
+ path: beat.stats.info.type
- name: uuid
type: alias
- path: beat.stats.beat.uuid
+ path: beat.stats.info.uuid
- name: version
type: alias
- path: beat.stats.beat.version
+ path: beat.stats.info.version
- name: metrics
type: group
fields:
diff --git a/metricbeat/module/beat/fields.go b/metricbeat/module/beat/fields.go
index cd59838480a..b8ee153217a 100644
--- a/metricbeat/module/beat/fields.go
+++ b/metricbeat/module/beat/fields.go
@@ -32,5 +32,5 @@ func init() {
// AssetBeat returns asset data.
// This is the base64 encoded zlib format compressed contents of module/beat.
func AssetBeat() string {
- return "eJzsXU1v5LgRvftXED5nBOxhLz4kQZAE2EsCBAvkEAQGrWZ3E5ZIDUl54v31gaRutT5YrJJEqnt3x5cZjEfvPRbJYvGzvrB38fnC3gR3T4w56Qrxwp7/Irh7fmLsIGxuZOWkVi/sj0+MMdb8ipX6UBfiiTEjCsGteGEn/sSYFc5JdbIv7D/P1hbPf2DPZ+eq5/82vztr415zrY7y9MKOvLDN90cpioN9aZG/MMVL0Wmxr9ZxZ9t/Z8x9Vg2F0XV1+Zfhd8NveVV+scJ8CNP/yve5D2IIUxmdC2u1Gf0WQoLQhoi24ipzhit71KbkjUXt7D9fCXghue+3FXfnzj5Za56MV+VrV9ysl5yRqK66hDGzUoZLGirttMS+QuDFpBe1VZ/BTL0Wx/N3Z3gudlKE8F11HQ0vd5IUoLqqwZtnfFkUzqu+g8j1QapT9+k++iicM325rpXbVx5MeVX3wQt5aK28p/1orB6N+9kQJR31D543//NX6zEHZXgovznS9UjecyiM6kO7/76nMpT2Pj5+JvEhPf1Q5cP6e6/Ix/P6Q5kP7fsBoeERwOra5KLkPg+/3f+33MIXjccseF+GLMR3n5540/aw/dAj8fF64U3kQ/dBr8xwDyyFMzJP0v32HRq7gqwaFYPKIAtgVmDTRQGoeDQjLDYEzdFMnOWdJC7p8L/JyqL6s7tWV9CnjPrUbAxcv853EMeCO5EoPlBOKPelEOrkzkn808Uc2aUYGYGSUsOxRYVGiNMvMlV4tpv5mzI8lu0vikKGr1Wuy8oIa8Xh114Bw7I8VkVMlIUqxAg+d20szlKV/MXn4+IVs9OegTz7GfyiBAlLpbVSnb6MmwoYKKzf5rmqIhP2NTbdFWObxjkjvtbCugQlvPwRJhi4hLw2RiiXfePSZWXcTbXLHwSWm11spZVNFQCkauy90Tv11Ag3eXCr35PGjNNit4XKAqT9PnOei8p5x7nU6lDq/UJuv0C87RDWQGI0nv0N0BUsuHYyWG/QuuDmBI2jSRWi3JOJ7F1Eoty90+VOFLKUd6lsnPwq82st6rsYMkzcd5dC+yP35PoQ5n6/T5s3eTgIaE0lqUacfBaT5J/3cT44/W3Kxmt31kb+cp+KJ/FfxUrlhFG8uIdQlHu8nnQPiQjzYAH9rO9S2R7mWzhVBgN+WFNIRxh1zO2N2h9xejSUS5wk1cqKhCL88FgQFok8XHJokrJ9Kqa0K/VBHiXouLZNyEaF7OJqjDL9LNEjCg/2wdlUdC0AE3HOFl0OyIdOg7Y3TyR0jlhWSqxOHMHjqwoSUsLy+JJgtp37LzpXJYU08QUF6Igz5/iagoSDYPqDy4K/FfsJwzipU6f4ysKMpGg0vqgA3WBgP+pa7acpSHjznK2D/VoLA83qUnhPhJS6/hJfWpiRtKKRwJXCdAsm3EmcxJx0eNvqacq+5K7UWdsN07X2rzOIvjPy0j8no2PPIPpB5LPaij2D6Ku5nk07lmLPIPrQThg7P1e0FH6KMj5fZze1CPtpnSijzaXzqs5ybbwH7xfOIjtlGYx45Sw0P2Q/RCME4EZsP8Zlm8ONyxaZzoM34lPaTFsEizLTef7hOZ4jHZaoUextAkPuH5OS++powJ6U/Edv1y7k22TAYJv6diUrUUiVaLu8kEK5iAd5L6XPrqqzEMNoepnx/D3miD9TgrH0aw4fAplcxth55bmTHwlWwWfFbotjM4Svn8kaXVUpdjogXRhhPz3jsthTF8LXy5KFE2ZXYRhj7zjqt0La857acMrb6r8Dp2kJhIXpbosmLsXeGSTKT9cvCteuquFtgS1ev+PfwcXBDp1tN2dnoJt/C5Ht5XWnmkg+9427/Aze0o2uCqPbbSgYy6IOBIe6KmTOk5wsA5RdGXGbpR6lxsKIY5TTuuQqobcdq8LodvK2U1EQ2fAoePb2Cdfyhhj0ogWhGCmJfQnSJ4Vw3dGzBBRPBAh+Zf9mpBOJKwXjGGtJXC1BksHpqa
P0XXHcHhl0r1ZlplYKu0W5qpid9CD+RIp13KSYoF6UBOBnQnSVUscUHVh9ZpsWE6Q66kxUZ1EKw4vXwMkP8hIXDjkirysnSxHlFgKC16++c3UoAkujW/pLu8GSnbmJuHBx0Zsh2GMJVh8jbi2NJYDY/VSlirlreiX3ot4W4cvh83dzyi21espflfhfRHte1WYh5EHRtPl85UWhfbf4t0ro4DMYfqIjFKZF0EEIzGxEt9vT+1D7ARZqPBEWXKs6+bwbvHTE1kfVnUnabaEAfF/Ko80qYaQ+ZHWCee1ADI1pqOtrrR3fQxZK1G8GAo5sLCfUMhihdQwZO4uFOBnZDAwxRfcPFMZ+znE22rlCHEhfxdW5jHuuGHwUJa1Y5FmUvKp5nju4667wpDc1Ieipgtbdw1bariNIMB7aUpgjjDzgv8RWkee2YxUUmqGk2vJT9On2XFKIJjxORriV323iOpm/xyxj0yUx5JkEaBoUQwSMPVp+yz54EfNkb6MBAx4LSFATGPBUQIJ6wKH7c1BWmBRGQHAn9AlMMEJ+YpMVje718msDmfdr6PXyu57FEwnP4omEZ/FEwrN4Iu1ZPBE+i9e0L+t4Wc3axBS7w33+c//F8wxs2CLZqsblr8KIrQBsvWsWA7nJz9KJ3NUGPl0UXo1r9GRBnKFyj2UWEYEYgQ64iCAIrtMsNlUFd0f/0T9cO/M1obYo2mZB5HD/jMDuA76tBFf1xmusIoNAxiTK8x71YpI5yGRzYGNRQJQJzcbCgCjjMycbPRgE0rtZYT5kHu8i8fZNDJFdNPnmbRF8i4co6GngPrmSbQjoiaTmtvdktYFjspHROqx38flNjzYuvIjdT5sv56e/ZvPRfRywrIVuvpuD00Z7DHuKMs72c/0JXgXYrzvMTTf+NNjEsY+xRuv7fuSqo1kgfJ++0J6N56EF4GE+VISo27SeMC+sYlqG1R8DRzJoH3vmEfSPt7SfvKitE2Y+C6F8HDWmzrVyXCoBXV+j2SJRqPkujBLhvTxIGcMb2DIQUthLAaIEsKHqL7niJ1EK5TKh+Nv8QF0H8aZ1IfiUJjA8ND8/WZYL5QwvBjTsQvOndQGlVE6cZs9UIkL+UZdvwjB9vOBb5isrOdoM2ROLIf11iunnpWjUd+CstuLA3j7bIdgrorvrkUZDi83ehFQnvxBoX299hGE3RRi3u6/R3ByU/S+MGkIeGY6WCZCFx/QhIpTDD9eLaZ7qxjdyQbFs3HaQtFILAYOZoBZi0apmISg1u8E6UNpDlyRM+sv+a2E3ih1VE5iMjX1v+iuwCMnL1iB+70yP3plCea1Y1K4UznFFkMy+N4SEDQFMr8SitoKkbgFFi3nYDK1OYiEYYYlnIeS8lfxeLQNG+v7sPyxKnA9nAsLxMQ42WZRBs6KwZU0mkjcBUvGw30v5kYw47PdiBzARDYsbpsNJaQhiWfxyL8wKgyAP91QS+Szs2eIFZSdlZlmAF0isgpcdKz+LV/dsOvLuOugG86UQ1Q/xCHlOVqBGDnCIIXVMO0cqARsd2ETTgaxAJeTvWIFKSbixAhZLkLECEk1qsQKTkodijVRS3ogVwMQsDyuQCSkZVqCiORRWYKJpDxDMm0MMZypYBJMwVVjUkXwzBJSBYAHEPvnG8Gf9CZJZmmiCkAuNhEPOXUbbeArHdTEqhZyDilR8choZEhotp9PeTYWYhYa2hE9NU0ZCwx9JXwhITwpFgiOmxyFhIU+JL0QjPAG+EJGeNo3Wfmn5w6jNhJ6YaoaY5NjappNnm868/TqPre3+CnQw4Co0T5MICHt/+KBrLDkD+owwBWM7BPBEM4s6lsPmImllNLMtx1oHNWic0Ro6ctWWskCI3ZMlYITvuZIBNpQCu2VKgAheE6V/v1DBbcA+6mitgvSsFToWoM9TgYXxvhqzyZsn8caUF1Oo0178lRMiEjJvpZwDDr2iEs8546+CLJk3LHhsZBXs2nMDgzYIP+5B61CEdzkIQrrXI5
L0hwhNb8lzHoTzJfSHOEBfBDyPtt4bwQ+XkWsPfHKMjgA9FkZA8L8ihpjR/3TgeisCD+VRgvPQY4Dk74GX/BArQGMiSIscpG+PtXegXj5Tq5bwpI2unVRABSwnvt2CuEGzy1ukTCr4OsHSnB6Ijr+3zYTluiy1Yk4zXhQt+bSgD58bBPVm1NQe+ELqXm/Wkx6Ipy0xEh9Qpy3i0V4Wp2FRk1aQ0Oh5JmhLbqTMEMR1WcoL4+EIKN1by5RHlu1Zm/BroYT3kSkg2NvGfox+XFuXqwJxk83PP7sLX1BwT7EzsDbISCEeSWTz8/NnNbihltKVEQX9rWG5HiaH2OKm8kC2monC2Wik7ozVCFD6WyEOp3hZPlLI7ajDVTxYfSdm/khmWFRB1LFsWxNYnCDkjna1lDQlMYf2bWIjJxJJodRpzRpyatfaMPavUvpzw8fUxLLhAEB4N1xYzFHgX4Ifgktj1BEgtBjBktZ8yxwy1uJjjilUNvpC/FeJbYaP1LX+74bkN1Htjblc4OTCA9R8W6NTAaG//D8AAP//qNtugg=="
+ return "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"
}
diff --git a/metricbeat/module/beat/stats/_meta/fields.yml b/metricbeat/module/beat/stats/_meta/fields.yml
index 0e5700b5fd5..19c0f75d715 100644
--- a/metricbeat/module/beat/stats/_meta/fields.yml
+++ b/metricbeat/module/beat/stats/_meta/fields.yml
@@ -219,7 +219,7 @@
type: long
- name: unauthorized
type: long
- - name: beat
+ - name: info
type: group
fields:
- name: name
diff --git a/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml b/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml
index 7365ce2e6ef..87a0f7c227c 100644
--- a/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml
+++ b/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml
@@ -26,10 +26,22 @@ spec:
- image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT
imagePullPolicy: IfNotPresent
name: elasticsearch
- env:
- - name: "discovery.type"
- value: "single-node"
-
+ envFrom:
+ - configMapRef:
+ name: elasticsearch-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: elasticsearch-config
+data:
+ discovery.type: "single-node"
+ ES_JAVA_OPTS: "-Xms1g -Xmx1g"
+ xpack.license.self_generated.type: "trial"
+ xpack.security.enabled: 'true'
+ xpack.security.authc.api_key.enabled: 'true'
+ ELASTIC_USERNAME: "elastic"
+ ELASTIC_PASSWORD: "changeme"
---
apiVersion: v1
kind: Service
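Review bot: `ELASTIC_USERNAME` and `ELASTIC_PASSWORD` are placed in a ConfigMap next to ordinary settings, so the credential lives in a plaintext object readable by anyone with ConfigMap access rather than in a Secret; even for a playground manifest, `kind: Secret` with `stringData:` and `envFrom: - secretRef:` is the same number of lines and is the pattern readers will copy. The Kibana deployment hunk at the end of this file repeats the same password as a literal `env` value and could read it from that Secret via `secretKeyRef` instead. Quoting inside the map is also inconsistent: `xpack.security.enabled` and `xpack.security.authc.api_key.enabled` use `'true'` while every other value uses double quotes; pick one style.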
@@ -47,7 +59,6 @@ spec:
app: elasticsearch
sessionAffinity: None
type: ClusterIP
-
---
apiVersion: apps/v1
kind: Deployment
@@ -77,3 +88,8 @@ spec:
- image: docker.elastic.co/kibana/kibana:8.0.0-SNAPSHOT
imagePullPolicy: IfNotPresent
name: kibana
+ env:
+ - name: ELASTICSEARCH_USERNAME
+ value: elastic
+ - name: ELASTICSEARCH_PASSWORD
+ value: changeme
diff --git a/metricbeat/module/kubernetes/_meta/test/docs/README.md b/metricbeat/module/kubernetes/_meta/test/docs/README.md
index c3d7bc6c750..fb409cb2106 100644
--- a/metricbeat/module/kubernetes/_meta/test/docs/README.md
+++ b/metricbeat/module/kubernetes/_meta/test/docs/README.md
@@ -28,7 +28,8 @@ You can spin up an ELK stack in two ways
2. Locally on your kind cluster (EK tuple will suffice).
```bash
# Deploy Elasticsearch and Kibana
-kubectl apply -f ../01_playground/ek_stack.yaml
+cd metricbeat/module/kubernetes/_meta/test/docs
+kubectl apply -f 01_playground/ek_stack.yaml
# Expose Kibana with port forwarding. In your browser visit localhost:5601
kubectl port-forward deployment/kibana 5601:5601
@@ -46,7 +47,7 @@ In case of Elastic Cloud deployment configure the variables ELASTIC_CLOUD_ID and
Deploy metricbeat
```
-kubectl apply -f ../01_playground/metricbeat.yaml
+kubectl apply -f 01_playground/metricbeat.yaml
```
## Build and launch metricbeat process
diff --git a/metricbeat/module/linux/conntrack/conntrack.go b/metricbeat/module/linux/conntrack/conntrack.go
index a29565d0285..c8d9122de09 100644
--- a/metricbeat/module/linux/conntrack/conntrack.go
+++ b/metricbeat/module/linux/conntrack/conntrack.go
@@ -50,12 +50,11 @@ type MetricSet struct {
// any MetricSet specific configuration options if there are any.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
cfgwarn.Beta("The linux conntrack metricset is beta.")
- linuxModule, ok := base.Module().(*linux.Module)
- if !ok {
- return nil, errors.New("unexpected module type")
- }
- path := filepath.Join(linuxModule.HostFS, "proc")
+ sys := base.Module().(linux.LinuxModule)
+ hostfs := sys.GetHostFS()
+
+ path := filepath.Join(hostfs, "proc")
newFS, err := procfs.NewFS(path)
if err != nil {
return nil, errors.Wrapf(err, "error creating new Host FS at %s", path)
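Review bot: `sys := base.Module().(linux.LinuxModule)` is a single-value type assertion, so a module that does not implement `LinuxModule` now panics inside `New` instead of returning the `unexpected module type` error the removed lines produced; keep the checked form, `sys, ok := base.Module().(linux.LinuxModule)` followed by `if !ok { return nil, errors.New("unexpected module type") }`. The ksm.go hunk makes the same substitution, and the pageinfo.go hunk that begins at the end of this chunk appears to start the same change. In ksm.go, if `errors.New` was the only use of the errors package, that import is now unused, which cannot be confirmed from the hunk. `New` continues past this hunk.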
diff --git a/metricbeat/module/linux/ksm/ksm.go b/metricbeat/module/linux/ksm/ksm.go
index 4d62759cf56..67ec072f6bf 100644
--- a/metricbeat/module/linux/ksm/ksm.go
+++ b/metricbeat/module/linux/ksm/ksm.go
@@ -50,14 +50,13 @@ type MetricSet struct {
// any MetricSet specific configuration options if there are any.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
cfgwarn.Beta("The linux pageinfo metricset is beta.")
- linuxModule, ok := base.Module().(*linux.Module)
- if !ok {
- return nil, errors.New("unexpected module type")
- }
+
+ sys := base.Module().(linux.LinuxModule)
+ hostfs := sys.GetHostFS()
return &MetricSet{
BaseMetricSet: base,
- fs: filepath.Join(linuxModule.HostFS, "/sys/kernel/mm/ksm"),
+ fs: filepath.Join(hostfs, "/sys/kernel/mm/ksm"),
}, nil
}
diff --git a/metricbeat/module/linux/linux.go b/metricbeat/module/linux/linux.go
index 518eab8ceff..25a29f15d01 100644
--- a/metricbeat/module/linux/linux.go
+++ b/metricbeat/module/linux/linux.go
@@ -20,6 +20,7 @@ package linux
import (
"time"
+ "github.com/elastic/beats/v7/libbeat/paths"
"github.com/elastic/beats/v7/metricbeat/mb"
)
@@ -30,6 +31,10 @@ func init() {
}
}
+type LinuxModule interface {
+ GetHostFS() string
+}
+
// Module defines the base module config used in `linux`
type Module struct {
mb.BaseModule
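Review bot: `LinuxModule` is an exported interface added without a doc comment, so its role relative to the existing `Module` struct is not stated anywhere. Add `// LinuxModule is implemented by the linux module and exposes the configured host filesystem root to its metricsets.` above the `type` line; the only visible implementation returns `m.HostFS`, so the comment should not promise more than that.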
@@ -55,5 +60,14 @@ func NewModule(base mb.BaseModule) (mb.Module, error) {
dir = "/"
}
+ // Steer towards system.hostfs, since the two behave fundamentally the same, and system.hostfs has a CLI flag that many users may default to.
+ if len(paths.Paths.Hostfs) > 2 {
+ dir = paths.Paths.Hostfs
+ }
+
return &Module{BaseModule: base, HostFS: dir, Period: config.Period}, nil
}
+
+func (m Module) GetHostFS() string {
+ return m.HostFS
+}
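Review bot: The `len(paths.Paths.Hostfs) > 2` guard is a magic threshold: it presumably means "set and not just `/`", but it also silently skips two-character paths such as `/a`, and it overrides the module's own `hostfs` setting with no trace of the override, which makes a wrongly resolved host filesystem hard to diagnose. Spell the intent out, e.g. `if hostfs := paths.Paths.Hostfs; hostfs != "" && hostfs != "/" {`, and say in the comment that the CLI/system value wins over the module config. `GetHostFS` is exported and needs a doc comment such as `// GetHostFS returns the host filesystem root configured for this module.`. NewModule starts outside the hunk.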
diff --git a/metricbeat/module/linux/pageinfo/pageinfo.go b/metricbeat/module/linux/pageinfo/pageinfo.go
index 47482dee79b..e4d700be7db 100644
--- a/metricbeat/module/linux/pageinfo/pageinfo.go
+++ b/metricbeat/module/linux/pageinfo/pageinfo.go
@@ -51,14 +51,13 @@ type MetricSet struct {
// any MetricSet specific configuration options if there are any.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
cfgwarn.Beta("The linux pageinfo metricset is beta.")
- linuxModule, ok := base.Module().(*linux.Module)
- if !ok {
- return nil, errors.New("unexpected module type")
- }
+
+ sys := base.Module().(linux.LinuxModule)
+ hostfs := sys.GetHostFS()
return &MetricSet{
BaseMetricSet: base,
- fs: linuxModule.HostFS,
+ fs: hostfs,
}, nil
}
diff --git a/metricbeat/module/linux/pressure/pressure.go b/metricbeat/module/linux/pressure/pressure.go
index fbd7ddb4515..9a0e90c1839 100644
--- a/metricbeat/module/linux/pressure/pressure.go
+++ b/metricbeat/module/linux/pressure/pressure.go
@@ -63,12 +63,10 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
return nil, fmt.Errorf("the %v/%v metricset is only supported on Linux", moduleName, metricsetName)
}
- linuxModule, ok := base.Module().(*linux.Module)
- if !ok {
- return nil, errors.New("unexpected module type")
- }
+ sys := base.Module().(linux.LinuxModule)
+ hostfs := sys.GetHostFS()
- path := filepath.Join(linuxModule.HostFS, "proc")
+ path := filepath.Join(hostfs, "proc")
procfs, err := procfs.NewFS(path)
if err != nil {
return nil, errors.Wrapf(err, "error creating new Host FS at %s", path)
@@ -76,7 +74,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
return &MetricSet{
BaseMetricSet: base,
- fs: linuxModule.HostFS,
+ fs: hostfs,
procfs: procfs,
}, nil
}
diff --git a/metricbeat/module/linux/rapl/rapl.go b/metricbeat/module/linux/rapl/rapl.go
index 21172b00cf0..f7d3cacf93c 100644
--- a/metricbeat/module/linux/rapl/rapl.go
+++ b/metricbeat/module/linux/rapl/rapl.go
@@ -37,8 +37,8 @@ import (
"github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
"github.com/elastic/beats/v7/libbeat/logp"
- "github.com/elastic/beats/v7/libbeat/paths"
"github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/module/linux"
)
// init registers the MetricSet with the central registry as soon as the program
@@ -83,14 +83,16 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
return nil, err
}
- CPUList, err := getMSRCPUs()
+ sys := base.Module().(linux.LinuxModule)
+ hostfs := sys.GetHostFS()
+ CPUList, err := getMSRCPUs(hostfs)
if err != nil {
return nil, errors.Wrap(err, "error getting list of CPUs to query")
}
// check to see if msr-safe is installed
if config.UseMSRSafe {
- queryPath := filepath.Join(paths.Paths.Hostfs, "/dev/cpu/", fmt.Sprint(CPUList[0]), "msr_safe")
+ queryPath := filepath.Join(hostfs, "/dev/cpu/", fmt.Sprint(CPUList[0]), "msr_safe")
_, err := os.Stat(queryPath)
if errors.Is(err, os.ErrNotExist) {
return nil, errors.New("no msr_safe device found. Is the kernel module loaded?")
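Review bot: `CPUList[0]` on the rewritten msr-safe line is indexed without a length check; if `getMSRCPUs` can return an empty slice (its body is only partly visible here) this panics on a host where no `cpu*` topology entries are found. Since the line is already being rewritten, guard it first: `if len(CPUList) == 0 { return nil, errors.New("no CPUs found to query") }`. The unchecked `linux.LinuxModule` assertion on the line above is covered by the conntrack.go note. New's body continues outside the hunk.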
@@ -110,7 +112,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
handlers := map[int]rapl.RAPLHandler{}
for _, cpu := range CPUList {
- formatPath := filepath.Join(paths.Paths.Hostfs, "/dev/cpu/%d")
+ formatPath := filepath.Join(hostfs, "/dev/cpu/%d")
if config.UseMSRSafe {
formatPath = filepath.Join(formatPath, "/msr_safe")
} else {
@@ -203,8 +205,8 @@ func (m *MetricSet) updatePower() map[int]map[rapl.RAPLDomain]energyUsage {
// getMSRCPUs forms a list of CPU cores to query
// For multi-processor systems, this will be more than 1.
-func getMSRCPUs() ([]int, error) {
- CPUs, err := topoPkgCPUMap()
+func getMSRCPUs(hostfs string) ([]int, error) {
+ CPUs, err := topoPkgCPUMap(hostfs)
if err != nil {
return nil, errors.Wrap(err, "error fetching CPU topology")
}
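Review bot: `getMSRCPUs` gained a `hostfs` parameter but its doc comment still describes only the return value; the same applies to `topoPkgCPUMap` in the following hunk. Add `// hostfs is the host filesystem root prefixed to the /sys paths that are read.` to both comments so callers know the argument is a path root rather than a device name. Both function bodies continue outside their hunks.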
@@ -225,12 +227,12 @@ func getMSRCPUs() ([]int, error) {
//it is, however, the simplest way to do this. The intel power gadget iterates through each CPU using affinity masks, and runs `cpuid` in a loop to
//figure things out
//This uses /sys/devices/system/cpu/cpu*/topology/physical_package_id, which is what lscpu does. I *think* geopm does something similar to this.
-func topoPkgCPUMap() (map[int][]int, error) {
+func topoPkgCPUMap(hostfs string) (map[int][]int, error) {
sysdir := "/sys/devices/system/cpu/"
cpuMap := make(map[int][]int)
- files, err := ioutil.ReadDir(filepath.Join(paths.Paths.Hostfs, sysdir))
+ files, err := ioutil.ReadDir(filepath.Join(hostfs, sysdir))
if err != nil {
return nil, err
}
@@ -240,7 +242,7 @@ func topoPkgCPUMap() (map[int][]int, error) {
for _, file := range files {
if file.IsDir() && re.MatchString(file.Name()) {
- fullPkg := filepath.Join(paths.Paths.Hostfs, sysdir, file.Name(), "/topology/physical_package_id")
+ fullPkg := filepath.Join(hostfs, sysdir, file.Name(), "/topology/physical_package_id")
dat, err := ioutil.ReadFile(fullPkg)
if err != nil {
return nil, errors.Wrapf(err, "error reading file %s", fullPkg)
diff --git a/metricbeat/module/linux/rapl/rapl_test.go b/metricbeat/module/linux/rapl/rapl_test.go
index 3824071763e..d51fbedb105 100644
--- a/metricbeat/module/linux/rapl/rapl_test.go
+++ b/metricbeat/module/linux/rapl/rapl_test.go
@@ -24,8 +24,6 @@ import (
"testing"
"github.com/stretchr/testify/assert"
-
- "github.com/elastic/beats/v7/libbeat/paths"
)
// func TestData(t *testing.T) {
@@ -49,9 +47,9 @@ import (
// }
func TestTopo(t *testing.T) {
- paths.Paths.Hostfs = "./testdata/"
+ hostfs := "./testdata/"
- cpus, err := topoPkgCPUMap()
+ cpus, err := topoPkgCPUMap(hostfs)
assert.NoError(t, err)
good := map[int][]int{
0: {0, 1},
diff --git a/metricbeat/module/openmetrics/_meta/fields.yml b/metricbeat/module/openmetrics/_meta/fields.yml
index c83c99f1363..12592096f5e 100644
--- a/metricbeat/module/openmetrics/_meta/fields.yml
+++ b/metricbeat/module/openmetrics/_meta/fields.yml
@@ -7,18 +7,41 @@
fields:
- name: openmetrics
type: group
+ release: beta
description: >
`openmetrics` contains metrics from endpoints that are following Openmetrics format.
fields:
# Order is important here, labels will match first, the rest are double
+ - name: help
+ type: keyword
+ description: >
+ Brief description of the MetricFamily
+ - name: type
+ type: keyword
+ description: >
+ Metric type
+ - name: unit
+ type: keyword
+ description: >
+ Metric unit
- name: labels.*
type: object
object_type: keyword
description: >
- Prometheus metric labels
+ Openmetrics metric labels
- name: metrics.*
type: object
object_type: double
object_type_mapping_type: "*"
description: >
- Prometheus metric
+ Openmetrics metric
+ - name: exemplar.*
+ type: object
+ object_type: keyword
+ description: >
+ Openmetrics exemplars
+ - name: exemplar.labels.*
+ type: object
+ object_type: keyword
+ description: >
+ Openmetrics metric exemplar labels
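Review bot: `exemplar.*` is mapped with `object_type: keyword`, but the expected events added in this commit carry numeric values under it (`"cnt_rulefires_deployment_total":0.67`, `"process_cpu_seconds_total": 17`, `"timestamp": 1622302012000`), so those would be indexed as strings and lose numeric range queries and aggregations. Give the exemplar value a numeric mapping (`object_type: double`) and add an explicit `exemplar.timestamp` entry with a numeric or date type, keeping keyword only for `exemplar.labels.*`; the file's own "Order is important" rule then requires `exemplar.labels.*` to be listed before `exemplar.*` so the label entry matches first. That comment itself now sits above the inserted `help`/`type`/`unit` entries rather than the `labels.*` entry it describes, so move it back down next to `labels.*`.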
diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json
index d20778fec4a..668e6a88751 100644
--- a/metricbeat/module/openmetrics/collector/_meta/data.json
+++ b/metricbeat/module/openmetrics/collector/_meta/data.json
@@ -15,11 +15,11 @@
"job": "openmetrics"
},
"metrics": {
- "node_network_carrier": 0
+ "up": 1
}
},
"service": {
"address": "127.0.0.1:55555",
"type": "openmetrics"
}
-}
\ No newline at end of file
+}
diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml
new file mode 100644
index 00000000000..a8369b90cf2
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml
@@ -0,0 +1,8 @@
+type: http
+url: "/metrics"
+content_type: "application/openmetrics-text"
+suffix: plain
+remove_fields_from_comparison: ["openmetrics.labels.instance"]
+module:
+ enable_exemplars: false
+ enable_metadata: false
diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain
new file mode 100644
index 00000000000..d5f0fd96fab
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain
@@ -0,0 +1,6 @@
+# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name.
+# TYPE net_conntrack_listener_conn_accepted counter
+net_conntrack_listener_conn_accepted_total{listener_name="http"} 3
+# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name.
+# TYPE net_conntrack_listener_conn_closed counter
+net_conntrack_listener_conn_closed_total{listener_name="http"} 0
diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json
new file mode 100644
index 00000000000..e1244391ba7
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json
@@ -0,0 +1,52 @@
+[
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics"
+ },
+ "metrics": {
+ "up": 1
+ }
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "listener_name": "http"
+ },
+ "metrics": {
+ "net_conntrack_listener_conn_accepted_total": 3,
+ "net_conntrack_listener_conn_closed_total": 0
+ }
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ }
+]
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml
index a5d8ee128af..37f3a8443ac 100644
--- a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml
@@ -1,4 +1,8 @@
type: http
url: "/metrics"
+content_type: "application/openmetrics-text"
suffix: plain
remove_fields_from_comparison: ["openmetrics.labels.instance"]
+module:
+ enable_exemplars: true
+ enable_metadata: true
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain
index 47c3b38aedb..d5f0fd96fab 100644
--- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain
@@ -1,11 +1,6 @@
-# HELP node_network_carrier carrier value of /sys/class/net/.
-# TYPE node_network_carrier gauge
-node_network_carrier{device="br-0cb306323b90"} 0
-node_network_carrier{device="br-10229e3512d9"} 0
-node_network_carrier{device="br-210476dc4ef8"} 0
-node_network_carrier{device="br-33d819d5f834"} 0
-node_network_carrier{device="br-38425a39f36b"} 0
-node_network_carrier{device="br-38feb0aad6ab"} 0
-node_network_carrier{device="br-3a285aa5e58c"} 0
-node_network_carrier{device="br-425cb4c454a6"} 0
-node_network_carrier{device="br-4e623477470e"} 0
+# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name.
+# TYPE net_conntrack_listener_conn_accepted counter
+net_conntrack_listener_conn_accepted_total{listener_name="http"} 3
+# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name.
+# TYPE net_conntrack_listener_conn_closed counter
+net_conntrack_listener_conn_closed_total{listener_name="http"} 0
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
index 16f5001ba5e..04dd247087d 100644
--- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
@@ -11,137 +11,13 @@
},
"openmetrics": {
"labels": {
- "device": "br-10229e3512d9",
- "instance": "127.0.0.1:50135",
+ "instance": "127.0.0.1:55922",
"job": "openmetrics"
},
- "metrics": {
- "node_network_carrier": 0
- }
- },
- "service": {
- "address": "127.0.0.1:55555",
- "type": "openmetrics"
- }
- },
- {
- "event": {
- "dataset": "openmetrics.collector",
- "duration": 115000,
- "module": "openmetrics"
- },
- "metricset": {
- "name": "collector",
- "period": 10000
- },
- "openmetrics": {
- "labels": {
- "device": "br-425cb4c454a6",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
- },
- "metrics": {
- "node_network_carrier": 0
- }
- },
- "service": {
- "address": "127.0.0.1:55555",
- "type": "openmetrics"
- }
- },
- {
- "event": {
- "dataset": "openmetrics.collector",
- "duration": 115000,
- "module": "openmetrics"
- },
- "metricset": {
- "name": "collector",
- "period": 10000
- },
- "openmetrics": {
- "labels": {
- "device": "br-38425a39f36b",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
- },
- "metrics": {
- "node_network_carrier": 0
- }
- },
- "service": {
- "address": "127.0.0.1:55555",
- "type": "openmetrics"
- }
- },
- {
- "event": {
- "dataset": "openmetrics.collector",
- "duration": 115000,
- "module": "openmetrics"
- },
- "metricset": {
- "name": "collector",
- "period": 10000
- },
- "openmetrics": {
- "labels": {
- "instance": "127.0.0.1:50135",
- "job": "prometheus"
- },
"metrics": {
"up": 1
- }
- },
- "service": {
- "address": "127.0.0.1:55555",
- "type": "openmetrics"
- }
- },
- {
- "event": {
- "dataset": "openmetrics.collector",
- "duration": 115000,
- "module": "openmetrics"
- },
- "metricset": {
- "name": "collector",
- "period": 10000
- },
- "openmetrics": {
- "labels": {
- "device": "br-33d819d5f834",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
- },
- "metrics": {
- "node_network_carrier": 0
- }
- },
- "service": {
- "address": "127.0.0.1:55555",
- "type": "openmetrics"
- }
- },
- {
- "event": {
- "dataset": "openmetrics.collector",
- "duration": 115000,
- "module": "openmetrics"
- },
- "metricset": {
- "name": "collector",
- "period": 10000
- },
- "openmetrics": {
- "labels": {
- "device": "br-4e623477470e",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
},
- "metrics": {
- "node_network_carrier": 0
- }
+ "type":"gauge"
},
"service": {
"address": "127.0.0.1:55555",
@@ -159,39 +35,16 @@
"period": 10000
},
"openmetrics": {
+ "help": "Total number of connections opened to the listener of a given name.",
"labels": {
- "device": "br-210476dc4ef8",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "listener_name": "http"
},
"metrics": {
- "node_network_carrier": 0
- }
- },
- "service": {
- "address": "127.0.0.1:55555",
- "type": "openmetrics"
- }
- },
- {
- "event": {
- "dataset": "openmetrics.collector",
- "duration": 115000,
- "module": "openmetrics"
- },
- "metricset": {
- "name": "collector",
- "period": 10000
- },
- "openmetrics": {
- "labels": {
- "device": "br-0cb306323b90",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
+ "net_conntrack_listener_conn_accepted_total": 3
},
- "metrics": {
- "node_network_carrier": 0
- }
+ "type":"counter"
},
"service": {
"address": "127.0.0.1:55555",
@@ -209,43 +62,20 @@
"period": 10000
},
"openmetrics": {
+ "help": "Total number of connections closed that were made to the listener of a given name.",
"labels": {
- "device": "br-38feb0aad6ab",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "listener_name": "http"
},
"metrics": {
- "node_network_carrier": 0
- }
- },
- "service": {
- "address": "127.0.0.1:55555",
- "type": "openmetrics"
- }
- },
- {
- "event": {
- "dataset": "openmetrics.collector",
- "duration": 115000,
- "module": "openmetrics"
- },
- "metricset": {
- "name": "collector",
- "period": 10000
- },
- "openmetrics": {
- "labels": {
- "device": "br-3a285aa5e58c",
- "instance": "127.0.0.1:50135",
- "job": "openmetrics"
+ "net_conntrack_listener_conn_closed_total": 0
},
- "metrics": {
- "node_network_carrier": 0
- }
+ "type":"counter"
},
"service": {
"address": "127.0.0.1:55555",
"type": "openmetrics"
}
}
-]
\ No newline at end of file
+]
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain
new file mode 100644
index 00000000000..eb046b4b71d
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain
@@ -0,0 +1,23 @@
+# HELP my_counter_last_increment_timestamp_milliseconds When my_counter was last incremented
+# TYPE my_counter_last_increment_timestamp_milliseconds gauge
+# UNIT my_counter_last_increment_timestamp_milliseconds milliseconds
+my_counter_last_increment_timestamp_milliseconds 123
+# TYPE disk_errors counter
+# HELP disk_errors Count total disk errors
+disk_errors_total{type="netapp"} 17.0 1520879607.789
+# TYPE app info
+app_info{name="open metrics collector",version="6.3.9"} 1
+# TYPE collector info
+collector_info{name="metrics collector",version="8.2.7"} 1 1622329674
+# TYPE enable_category stateset
+enable_category{category="shoes"} 0
+enable_category{category="shirts"} 1
+enable_category{category="shades"} 0
+# TYPE connection_errors unknown
+connection_errors 42
+# TYPE cnt_rulefires_deployment counter
+cnt_rulefires_deployment_total 66666.0 # {trace_id="KOO5S4vxi0o"} 0.67
+# TYPE process_cpu_seconds counter
+# UNIT process_cpu_seconds seconds
+# HELP process_cpu_seconds Total user and system CPU time spent in seconds. Exemplar with timestamp and labels.
+process_cpu_seconds_total{entity="controller",build="8.2.7"} 11111 1622301927 # {trace_id="0d482-ac43e-d9320-debfe"} 17.0 1622302012
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json
new file mode 100644
index 00000000000..ce7febdc874
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json
@@ -0,0 +1,305 @@
+[
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "help": "When my_counter was last incremented",
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics"
+ },
+ "metrics": {
+ "my_counter_last_increment_timestamp_milliseconds": 123
+ },
+ "type":"gauge",
+ "unit":"milliseconds"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics"
+ },
+ "metrics": {
+ "up": 1
+ },
+ "type":"gauge"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "help": "Count total disk errors",
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "type": "netapp"
+ },
+ "metrics": {
+ "disk_errors_total": 17
+ },
+ "type":"counter"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "name": "open metrics collector",
+ "version": "6.3.9"
+ },
+ "metrics": {
+ "app_info": 1
+ },
+ "type":"info"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "name": "metrics collector",
+ "version": "8.2.7"
+ },
+ "metrics": {
+ "collector_info": 1
+ },
+ "type":"info"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "category": "shoes"
+ },
+ "metrics": {
+ "enable_category": 0
+ },
+ "type":"stateset"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "category": "shirts"
+ },
+ "metrics": {
+ "enable_category": 1
+ },
+ "type":"stateset"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "category": "shades"
+ },
+ "metrics": {
+ "enable_category": 0
+ },
+ "type":"stateset"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics"
+ },
+ "metrics": {
+ "connection_errors": 42
+ },
+ "type":"unknown"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "exemplar": {
+ "cnt_rulefires_deployment_total":0.67,
+ "labels": {
+ "trace_id":"KOO5S4vxi0o"
+ }
+ },
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics"
+ },
+ "metrics": {
+ "cnt_rulefires_deployment_total": 66666
+ },
+ "type":"counter"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ },
+ {
+ "event": {
+ "dataset": "openmetrics.collector",
+ "duration": 115000,
+ "module": "openmetrics"
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "openmetrics": {
+ "exemplar": {
+ "labels": {
+ "trace_id": "0d482-ac43e-d9320-debfe"
+ },
+ "process_cpu_seconds_total": 17,
+ "timestamp": 1622302012000
+ },
+ "help": "Total user and system CPU time spent in seconds. Exemplar with timestamp and labels.",
+ "labels": {
+ "instance": "127.0.0.1:55922",
+ "job": "openmetrics",
+ "entity": "controller",
+ "build": "8.2.7"
+ },
+ "metrics": {
+ "process_cpu_seconds_total": 11111
+ },
+ "type":"counter",
+ "unit":"seconds"
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "openmetrics"
+ }
+ }
+]
diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go
index 6ce25dc9068..ab54dca1cfa 100644
--- a/metricbeat/module/openmetrics/collector/collector.go
+++ b/metricbeat/module/openmetrics/collector/collector.go
@@ -18,9 +18,16 @@
package collector
import (
+ "regexp"
+
+ "github.com/pkg/errors"
+ "github.com/prometheus/prometheus/pkg/labels"
+ "github.com/prometheus/prometheus/pkg/textparse"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics"
"github.com/elastic/beats/v7/metricbeat/mb"
"github.com/elastic/beats/v7/metricbeat/mb/parse"
- "github.com/elastic/beats/v7/metricbeat/module/prometheus/collector"
)
const (
@@ -29,14 +36,246 @@ const (
)
var (
+ // HostParser parses a OpenMetrics endpoint URL
hostParser = parse.URLHostParserBuilder{
DefaultScheme: defaultScheme,
DefaultPath: defaultPath,
+ PathConfigKey: "metrics_path",
}.Build()
+
+ upMetricName = "up"
+ upMetricType = textparse.MetricTypeGauge
+ upMetricInstanceLabel = "instance"
+ upMetricJobLabel = "job"
+ upMetricJobValue = "openmetrics"
)
func init() {
mb.Registry.MustAddMetricSet("openmetrics", "collector",
- collector.MetricSetBuilder("openmetrics", collector.DefaultPromEventsGeneratorFactory),
- mb.WithHostParser(hostParser))
+ MetricSetBuilder("openmetrics", DefaultOpenMetricsEventsGeneratorFactory),
+ mb.WithHostParser(hostParser),
+ mb.DefaultMetricSet(),
+ )
+}
+
+// OpenMetricsEventsGenerator converts a OpenMetrics metric family into a OpenMetricEvent list
+type OpenMetricsEventsGenerator interface {
+ // Start must be called before using the generator
+ Start()
+
+ // converts a OpenMetrics metric family into a list of OpenMetricsEvents
+ GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent
+
+ // Stop must be called when the generator won't be used anymore
+ Stop()
+}
+
+// OpenMetricsEventsGeneratorFactory creates a OpenMetricsEventsGenerator when instanciating a metricset
+type OpenMetricsEventsGeneratorFactory func(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error)
+
+// MetricSet for fetching openmetrics data
+type MetricSet struct {
+ mb.BaseMetricSet
+ openmetrics p.OpenMetrics
+ includeMetrics []*regexp.Regexp
+ excludeMetrics []*regexp.Regexp
+ namespace string
+ openMetricsEventsGen OpenMetricsEventsGenerator
+ host string
+ eventGenStarted bool
+ enableExemplars bool
+ enableMetadata bool
+}
+
+// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using
+// the given namespace and event generator
+func MetricSetBuilder(namespace string, genFactory OpenMetricsEventsGeneratorFactory) func(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ return func(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ config := defaultConfig
+ if err := base.Module().UnpackConfig(&config); err != nil {
+ return nil, err
+ }
+ openmetrics, err := p.NewOpenMetricsClient(base)
+ if err != nil {
+ return nil, err
+ }
+
+ openMetricsEventsGen, err := genFactory(base)
+ if err != nil {
+ return nil, err
+ }
+
+ ms := &MetricSet{
+ BaseMetricSet: base,
+ openmetrics: openmetrics,
+ namespace: namespace,
+ openMetricsEventsGen: openMetricsEventsGen,
+ eventGenStarted: false,
+ enableExemplars: config.EnableExemplars,
+ enableMetadata: config.EnableMetadata,
+ }
+ // store host here to use it as a pointer when building `up` metric
+ ms.host = ms.Host()
+ ms.excludeMetrics, err = p.CompilePatternList(config.MetricsFilters.ExcludeMetrics)
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to compile exclude patterns")
+ }
+ ms.includeMetrics, err = p.CompilePatternList(config.MetricsFilters.IncludeMetrics)
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to compile include patterns")
+ }
+
+ return ms, nil
+ }
+}
+
+// Fetch fetches data and reports it
+func (m *MetricSet) Fetch(reporter mb.ReporterV2) error {
+ if !m.eventGenStarted {
+ m.openMetricsEventsGen.Start()
+ m.eventGenStarted = true
+ }
+
+ families, err := m.openmetrics.GetFamilies()
+ eventList := map[textparse.MetricType]map[string]common.MapStr{}
+ if err != nil {
+ // send up event only
+ families = append(families, m.upMetricFamily(0.0))
+
+ // set the error to report it after sending the up event
+ err = errors.Wrap(err, "unable to decode response from openmetrics endpoint")
+ } else {
+ // add up event to the list
+ families = append(families, m.upMetricFamily(1.0))
+ }
+
+ for _, family := range families {
+ if m.skipFamily(family) {
+ continue
+ }
+ openMetricsEvents := m.openMetricsEventsGen.GenerateOpenMetricsEvents(family)
+
+ for _, openMetricEvent := range openMetricsEvents {
+ var labelsHash string
+ if m.enableMetadata {
+ labelsHash = openMetricEvent.MetaDataHash()
+ } else {
+ labelsHash = openMetricEvent.LabelsHash()
+ }
+ if _, ok := eventList[openMetricEvent.Type]; !ok {
+ eventList[openMetricEvent.Type] = make(map[string]common.MapStr)
+ }
+ if _, ok := eventList[openMetricEvent.Type][labelsHash]; !ok {
+ eventList[openMetricEvent.Type][labelsHash] = common.MapStr{}
+
+ // Add default instance label if not already there
+ if exists, _ := openMetricEvent.Labels.HasKey(upMetricInstanceLabel); !exists {
+ openMetricEvent.Labels.Put(upMetricInstanceLabel, m.Host())
+ }
+ // Add default job label if not already there
+ if exists, _ := openMetricEvent.Labels.HasKey("job"); !exists {
+ openMetricEvent.Labels.Put("job", m.Module().Name())
+ }
+ // Add labels
+ if len(openMetricEvent.Labels) > 0 {
+ eventList[openMetricEvent.Type][labelsHash]["labels"] = openMetricEvent.Labels
+ }
+ }
+
+ if m.enableMetadata {
+ if openMetricEvent.Help != "" {
+ eventList[openMetricEvent.Type][labelsHash]["help"] = openMetricEvent.Help
+ }
+ if openMetricEvent.Type != "" {
+ eventList[openMetricEvent.Type][labelsHash]["type"] = openMetricEvent.Type
+ }
+ if openMetricEvent.Unit != "" {
+ eventList[openMetricEvent.Type][labelsHash]["unit"] = openMetricEvent.Unit
+ }
+ }
+
+ if m.enableExemplars && len(openMetricEvent.Exemplars) > 0 {
+ eventList[openMetricEvent.Type][labelsHash]["exemplar"] = openMetricEvent.Exemplars
+ }
+ // Accumulate metrics in the event
+ eventList[openMetricEvent.Type][labelsHash].DeepUpdate(openMetricEvent.Data)
+ }
+ }
+
+ // Report events
+ for _, e := range eventList {
+ for _, ev := range e {
+ isOpen := reporter.Event(mb.Event{
+ RootFields: common.MapStr{m.namespace: ev},
+ })
+ if !isOpen {
+ break
+ }
+ }
+ }
+
+ return err
+}
+
+// Close stops the metricset
+func (m *MetricSet) Close() error {
+ if m.eventGenStarted {
+ m.openMetricsEventsGen.Stop()
+ }
+ return nil
+}
+
+func (m *MetricSet) upMetricFamily(value float64) *p.OpenMetricFamily {
+ gauge := p.Gauge{
+ Value: &value,
+ }
+ label1 := labels.Label{
+ Name: upMetricInstanceLabel,
+ Value: m.host,
+ }
+ label2 := labels.Label{
+ Name: upMetricJobLabel,
+ Value: m.Module().Name(),
+ }
+ metric := p.OpenMetric{
+ Gauge: &gauge,
+ Label: []*labels.Label{&label1, &label2},
+ }
+ return &p.OpenMetricFamily{
+ Name: &upMetricName,
+ Type: textparse.MetricType(upMetricType),
+ Metric: []*p.OpenMetric{&metric},
+ }
+}
+
+func (m *MetricSet) skipFamily(family *p.OpenMetricFamily) bool {
+ if family == nil || family.Name == nil {
+ return false
+ }
+ return m.skipFamilyName(*family.Name)
+}
+
+func (m *MetricSet) skipFamilyName(family string) bool {
+ // example:
+ // include_metrics:
+ // - node_*
+ // exclude_metrics:
+ // - node_disk_*
+ //
+ // This would mean that we want to keep only the metrics that start with node_ prefix but
+ // are not related to disk so we exclude node_disk_* metrics from them.
+
+ // if include_metrics are defined, check if this metric should be included
+ if len(m.includeMetrics) > 0 {
+ if !p.MatchMetricFamily(family, m.includeMetrics) {
+ return true
+ }
+ }
+ // now exclude the metric if it matches any of the given patterns
+ if len(m.excludeMetrics) > 0 {
+ if p.MatchMetricFamily(family, m.excludeMetrics) {
+ return true
+ }
+ }
+ return false
}
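Review bot: In `Fetch`, the `break` after `reporter.Event` returns false only leaves the inner loop, so the outer loop over `eventList` keeps calling `reporter.Event` on a reporter that has already signalled it is closed; use `if !isOpen { return err }` (or a labeled break) so the whole report phase stops. The instance/job defaulting in the same function uses the literal `"job"` while `upMetricFamily` uses `upMetricJobLabel`; use the constant in both places so a rename cannot diverge them. `skipFamily` returns false for a nil family or nil name, which hands a nil family to `GenerateOpenMetricsEvents`; if that is intentional, say so in a comment, otherwise return true there. `upMetricFamily` and `skipFamily` would also benefit from one-line doc comments, and `textparse.MetricType(upMetricType)` is a no-op conversion since `upMetricType` already has that type.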
diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go
index 06a48f15a0b..dd798676612 100644
--- a/metricbeat/module/openmetrics/collector/collector_test.go
+++ b/metricbeat/module/openmetrics/collector/collector_test.go
@@ -23,6 +23,15 @@ package collector
import (
"testing"
+ "github.com/golang/protobuf/proto"
+ prometheuslabels "github.com/prometheus/prometheus/pkg/labels"
+ "github.com/prometheus/prometheus/pkg/textparse"
+ "github.com/stretchr/testify/assert"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/metricbeat/helper/openmetrics"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+
mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
_ "github.com/elastic/beats/v7/metricbeat/module/openmetrics"
@@ -31,3 +40,361 @@ import (
func TestData(t *testing.T) {
mbtest.TestDataFiles(t, "openmetrics", "collector")
}
+
+func TestSameLabels(t *testing.T) {
+ dataConfig := mbtest.ReadDataConfig(t, "_meta/samelabeltestdata/config.yml")
+ mbtest.TestDataFilesWithConfig(t, "openmetrics", "collector", dataConfig)
+}
+func TestGetOpenMetricsEventsFromMetricFamily(t *testing.T) {
+ labels := common.MapStr{
+ "handler": "query",
+ }
+ tests := []struct {
+ Family *openmetrics.OpenMetricFamily
+ Event []OpenMetricEvent
+ }{
+ {
+ Family: &openmetrics.OpenMetricFamily{
+ Name: proto.String("http_request_duration_microseconds"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeCounter,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Name: proto.String("http_request_duration_microseconds_total"),
+ Label: []*prometheuslabels.Label{
+ {
+ Name: "handler",
+ Value: "query",
+ },
+ },
+ Counter: &openmetrics.Counter{
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ Event: []OpenMetricEvent{
+ {
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ "http_request_duration_microseconds_total": float64(10),
+ },
+ },
+ Help: "foo",
+ Type: textparse.MetricTypeCounter,
+ Labels: labels,
+ Exemplars: common.MapStr{},
+ },
+ },
+ },
+ {
+ Family: &openmetrics.OpenMetricFamily{
+ Name: proto.String("http_request_duration_microseconds"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeGauge,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Gauge: &openmetrics.Gauge{
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ Event: []OpenMetricEvent{
+ {
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ "http_request_duration_microseconds": float64(10),
+ },
+ },
+ Help: "foo",
+ Type: textparse.MetricTypeGauge,
+ Labels: common.MapStr{},
+ },
+ },
+ },
+ {
+ Family: &openmetrics.OpenMetricFamily{
+ Name: proto.String("http_request_duration_microseconds"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeSummary,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Summary: &openmetrics.Summary{
+ SampleCount: proto.Uint64(10),
+ SampleSum: proto.Float64(10),
+ Quantile: []*openmetrics.Quantile{
+ {
+ Quantile: proto.Float64(0.99),
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ },
+ },
+ Event: []OpenMetricEvent{
+ {
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ "http_request_duration_microseconds_count": uint64(10),
+ "http_request_duration_microseconds_sum": float64(10),
+ },
+ },
+ Help: "foo",
+ Type: textparse.MetricTypeSummary,
+ Labels: common.MapStr{},
+ },
+ {
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ "http_request_duration_microseconds": float64(10),
+ },
+ },
+ Labels: common.MapStr{
+ "quantile": "0.99",
+ },
+ },
+ },
+ },
+ {
+ Family: &openmetrics.OpenMetricFamily{
+ Name: proto.String("http_request_duration_microseconds"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeHistogram,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Histogram: &openmetrics.Histogram{
+ SampleCount: proto.Uint64(10),
+ SampleSum: proto.Float64(10),
+ Bucket: []*openmetrics.Bucket{
+ {
+ UpperBound: proto.Float64(0.99),
+ CumulativeCount: proto.Uint64(10),
+ },
+ },
+ },
+ },
+ },
+ },
+ Event: []OpenMetricEvent{
+ {
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ "http_request_duration_microseconds_count": uint64(10),
+ "http_request_duration_microseconds_sum": float64(10),
+ },
+ },
+ Help: "foo",
+ Type: textparse.MetricTypeHistogram,
+ Labels: common.MapStr{},
+ },
+ {
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ "http_request_duration_microseconds_bucket": uint64(10),
+ },
+ },
+ Labels: common.MapStr{"le": "0.99"},
+ Exemplars: common.MapStr{},
+ },
+ },
+ },
+ {
+ Family: &openmetrics.OpenMetricFamily{
+ Name: proto.String("http_request_duration_microseconds"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeUnknown,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Label: []*prometheuslabels.Label{
+ {
+ Name: "handler",
+ Value: "query",
+ },
+ },
+ Unknown: &openmetrics.Unknown{
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ Event: []OpenMetricEvent{
+ {
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ "http_request_duration_microseconds": float64(10),
+ },
+ },
+ Help: "foo",
+ Type: textparse.MetricTypeUnknown,
+ Labels: labels,
+ },
+ },
+ },
+ }
+
+ p := openmetricEventGenerator{}
+ for _, test := range tests {
+ event := p.GenerateOpenMetricsEvents(test.Family)
+ assert.Equal(t, test.Event, event)
+ }
+}
+
+func TestSkipMetricFamily(t *testing.T) {
+ testFamilies := []*openmetrics.OpenMetricFamily{
+ {
+ Name: proto.String("http_request_duration_microseconds_a_a_in"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeCounter,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Label: []*prometheuslabels.Label{
+ {
+ Name: "handler",
+ Value: "query",
+ },
+ },
+ Counter: &openmetrics.Counter{
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ {
+ Name: proto.String("http_request_duration_microseconds_a_b_in"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeCounter,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Label: []*prometheuslabels.Label{
+ {
+ Name: "handler",
+ Value: "query",
+ },
+ },
+ Counter: &openmetrics.Counter{
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ {
+ Name: proto.String("http_request_duration_microseconds_b_in"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeGauge,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Gauge: &openmetrics.Gauge{
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ {
+ Name: proto.String("http_request_duration_microseconds_c_in"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeSummary,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Summary: &openmetrics.Summary{
+ SampleCount: proto.Uint64(10),
+ SampleSum: proto.Float64(10),
+ Quantile: []*openmetrics.Quantile{
+ {
+ Quantile: proto.Float64(0.99),
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ Name: proto.String("http_request_duration_microseconds_d_in"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeHistogram,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Histogram: &openmetrics.Histogram{
+ SampleCount: proto.Uint64(10),
+ SampleSum: proto.Float64(10),
+ Bucket: []*openmetrics.Bucket{
+ {
+ UpperBound: proto.Float64(0.99),
+ CumulativeCount: proto.Uint64(10),
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ Name: proto.String("http_request_duration_microseconds_e_in"),
+ Help: proto.String("foo"),
+ Type: textparse.MetricTypeUnknown,
+ Metric: []*openmetrics.OpenMetric{
+ {
+ Label: []*prometheuslabels.Label{
+ {
+ Name: "handler",
+ Value: "query",
+ },
+ },
+ Unknown: &openmetrics.Unknown{
+ Value: proto.Float64(10),
+ },
+ },
+ },
+ },
+ }
+
+ ms := &MetricSet{
+ BaseMetricSet: mb.BaseMetricSet{},
+ }
+
+ // test with no filters
+ ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{})
+ ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{})
+ metricsToKeep := 0
+ for _, testFamily := range testFamilies {
+ if !ms.skipFamily(testFamily) {
+ metricsToKeep++
+ }
+ }
+ assert.Equal(t, metricsToKeep, len(testFamilies))
+
+ // test with only one include filter
+ ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"})
+ ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{})
+ metricsToKeep = 0
+ for _, testFamily := range testFamilies {
+ if !ms.skipFamily(testFamily) {
+ metricsToKeep++
+ }
+ }
+ assert.Equal(t, metricsToKeep, 2)
+
+ // test with only one exclude filter
+ ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{""})
+ ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"})
+ metricsToKeep = 0
+ for _, testFamily := range testFamilies {
+ if !ms.skipFamily(testFamily) {
+ metricsToKeep++
+ }
+ }
+ assert.Equal(t, len(testFamilies)-2, metricsToKeep)
+
+ // test with one include and one exclude
+ ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"})
+ ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"})
+ metricsToKeep = 0
+ for _, testFamily := range testFamilies {
+ if !ms.skipFamily(testFamily) {
+ metricsToKeep++
+ }
+ }
+ assert.Equal(t, 1, metricsToKeep)
+
+}
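Review bot: In TestSkipMetricFamily the "only one exclude filter" case sets the include list to `&[]string{""}` instead of the empty list the "no filters" case uses, so it actually exercises a non-empty include list holding an empty pattern and depends on CompilePatternList/MatchMetricFamily treating "" as match-all (or dropping it), which is not what the comment says it tests; `ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{})` makes it test the exclude path alone. The four assert.Equal calls mix argument order (actual first in the first two, expected first in the last two); testify labels the first argument as "expected" in its failure output, so keeping `assert.Equal(t, expected, actual)` throughout avoids misleading diffs. All eight CompilePatternList errors are discarded with `_`; checking them with `assert.NoError(t, err)` keeps a pattern that fails to compile from being read as a filtering result.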
diff --git a/metricbeat/module/openmetrics/collector/config.go b/metricbeat/module/openmetrics/collector/config.go
new file mode 100644
index 00000000000..0e5a9884db4
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/config.go
@@ -0,0 +1,42 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package collector
+
+type metricsetConfig struct {
+ MetricsFilters MetricFilters `config:"metrics_filters" yaml:"metrics_filters,omitempty"`
+ EnableExemplars bool `config:"enable_exemplars" yaml:"enable_exemplars,omitempty"`
+ EnableMetadata bool `config:"enable_metadata" yaml:"enable_metadata,omitempty"`
+}
+
+type MetricFilters struct {
+ IncludeMetrics *[]string `config:"include" yaml:"include,omitempty"`
+ ExcludeMetrics *[]string `config:"exclude" yaml:"exclude,omitempty"`
+}
+
+var defaultConfig = metricsetConfig{
+ MetricsFilters: MetricFilters{
+ IncludeMetrics: nil,
+ ExcludeMetrics: nil},
+ EnableExemplars: false,
+ EnableMetadata: false,
+}
+
+func (c *metricsetConfig) Validate() error {
+ // validate configuration here
+ return nil
+}
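Review bot: `Validate` is a stub that always returns nil, so a malformed `metrics_filters.include`/`exclude` pattern is only discovered when the metricset compiles the lists later rather than when the configuration is unpacked, where the error would carry the usual config context. Compiling both lists here with the same helper the test file calls as `openmetrics.CompilePatternList` lets a bad pattern fail at load time; whether that helper accepts a nil list is not visible in this diff, hence the nil guard below, and config.go would need to import the helper (aliased `p` elsewhere in this package). `MetricFilters` is exported and lacks a doc comment, e.g. `// MetricFilters holds the include and exclude pattern lists applied to metric family names.`
```go
func (c *metricsetConfig) Validate() error {
	// Compile both filter lists so an invalid pattern is rejected at config
	// load time instead of at metricset construction.
	for _, list := range []*[]string{c.MetricsFilters.IncludeMetrics, c.MetricsFilters.ExcludeMetrics} {
		if list == nil {
			continue
		}
		if _, err := p.CompilePatternList(list); err != nil {
			return err
		}
	}
	return nil
}
```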
diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go
new file mode 100644
index 00000000000..a3b83ccd818
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/data.go
@@ -0,0 +1,289 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package collector
+
+import (
+ "math"
+ "strconv"
+
+ "github.com/prometheus/prometheus/pkg/textparse"
+
+ p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/metricbeat/helper/labelhash"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+)
+
+// OpenMetricEvent stores a set of one or more metrics with the same labels
+type OpenMetricEvent struct {
+ Data common.MapStr
+ Labels common.MapStr
+ Help string
+ Type textparse.MetricType
+ Unit string
+ Exemplars common.MapStr
+}
+
+// LabelsHash returns a repeatable string that is unique for the set of labels in this event
+func (p *OpenMetricEvent) LabelsHash() string {
+ return labelhash.LabelHash(p.Labels)
+}
+func (p *OpenMetricEvent) MetaDataHash() string {
+ m := common.MapStr{}
+ m.DeepUpdate(p.Labels)
+ if len(p.Help) > 0 {
+ m["help"] = p.Help
+ }
+ if len(p.Type) > 0 {
+ m["type"] = p.Type
+ }
+ if len(p.Unit) > 0 {
+ m["unit"] = p.Unit
+ }
+ return labelhash.LabelHash(m)
+}
+
+// DefaultOpenMetricEventsGeneratorFactory returns the default OpenMetrics events generator
+func DefaultOpenMetricsEventsGeneratorFactory(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) {
+ return &openmetricEventGenerator{}, nil
+}
+
+type openmetricEventGenerator struct{}
+
+func (p *openmetricEventGenerator) Start() {}
+func (p *openmetricEventGenerator) Stop() {}
+
+// Default openmetricEventsGenerator stores all OpenMetrics metrics using
+// only double field type in Elasticsearch.
+func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent {
+ var events []OpenMetricEvent
+
+ name := *mf.Name
+ metrics := mf.Metric
+ help := ""
+ unit := ""
+ if mf.Help != nil {
+ help = *mf.Help
+ }
+ if mf.Unit != nil {
+ unit = *mf.Unit
+ }
+
+ for _, metric := range metrics {
+ labels := common.MapStr{}
+ mn := metric.GetName()
+
+ if len(metric.Label) != 0 {
+ for _, label := range metric.Label {
+ if label.Name != "" && label.Value != "" {
+ labels[label.Name] = label.Value
+ }
+ }
+ }
+
+ exemplars := common.MapStr{}
+ if metric.Exemplar != nil {
+ exemplars = common.MapStr{*mn: metric.Exemplar.Value}
+ if metric.Exemplar.HasTs {
+ exemplars.Put("timestamp", metric.Exemplar.Ts)
+ }
+ for _, label := range metric.Exemplar.Labels {
+ if label.Name != "" && label.Value != "" {
+ exemplars.Put("labels."+label.Name, label.Value)
+ }
+ }
+ }
+
+ counter := metric.GetCounter()
+ if counter != nil {
+ if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) {
+ events = append(events, OpenMetricEvent{
+ Type: textparse.MetricTypeCounter,
+ Help: help,
+ Unit: unit,
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ *mn: counter.GetValue(),
+ },
+ },
+ Labels: labels,
+ Exemplars: exemplars,
+ })
+ }
+ }
+
+ gauge := metric.GetGauge()
+ if gauge != nil {
+ if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) {
+ events = append(events, OpenMetricEvent{
+ Type: textparse.MetricTypeGauge,
+ Help: help,
+ Unit: unit,
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name: gauge.GetValue(),
+ },
+ },
+ Labels: labels,
+ })
+ }
+ }
+
+ info := metric.GetInfo()
+ if info != nil {
+ if info.HasValidValue() {
+ events = append(events, OpenMetricEvent{
+ Type: textparse.MetricTypeInfo,
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name: info.GetValue(),
+ },
+ },
+ Labels: labels,
+ })
+ }
+ }
+
+ stateset := metric.GetStateset()
+ if stateset != nil {
+ if stateset.HasValidValue() {
+ events = append(events, OpenMetricEvent{
+ Type: textparse.MetricTypeStateset,
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name: stateset.GetValue(),
+ },
+ },
+ Labels: labels,
+ })
+ }
+ }
+
+ summary := metric.GetSummary()
+ if summary != nil {
+ if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) {
+ events = append(events, OpenMetricEvent{
+ Type: textparse.MetricTypeSummary,
+ Help: help,
+ Unit: unit,
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name + "_sum": summary.GetSampleSum(),
+ name + "_count": summary.GetSampleCount(),
+ },
+ },
+ Labels: labels,
+ })
+ }
+
+ for _, quantile := range summary.GetQuantile() {
+ if math.IsNaN(quantile.GetValue()) || math.IsInf(quantile.GetValue(), 0) {
+ continue
+ }
+
+ quantileLabels := labels.Clone()
+ quantileLabels["quantile"] = strconv.FormatFloat(quantile.GetQuantile(), 'f', -1, 64)
+ events = append(events, OpenMetricEvent{
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name: quantile.GetValue(),
+ },
+ },
+ Labels: quantileLabels,
+ })
+ }
+ }
+
+ histogram := metric.GetHistogram()
+ if histogram != nil {
+ if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) {
+ var sum = "_sum"
+ var count = "_count"
+ var typ = textparse.MetricTypeHistogram
+ if histogram.IsGaugeHistogram {
+ sum = "_gsum"
+ count = "_gcount"
+ typ = textparse.MetricTypeGaugeHistogram
+ }
+
+ events = append(events, OpenMetricEvent{
+ Type: typ,
+ Help: help,
+ Unit: unit,
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name + sum: histogram.GetSampleSum(),
+ name + count: histogram.GetSampleCount(),
+ },
+ },
+ Labels: labels,
+ })
+ }
+
+ for _, bucket := range histogram.GetBucket() {
+ if bucket.GetCumulativeCount() == uint64(math.NaN()) || bucket.GetCumulativeCount() == uint64(math.Inf(0)) {
+ continue
+ }
+
+ if bucket.Exemplar != nil {
+ exemplars = common.MapStr{name: bucket.Exemplar.Value}
+ if bucket.Exemplar.HasTs {
+ exemplars.Put("timestamp", bucket.Exemplar.Ts)
+ }
+ for _, label := range bucket.Exemplar.Labels {
+ if label.Name != "" && label.Value != "" {
+ exemplars.Put("labels."+label.Name, label.Value)
+ }
+ }
+ }
+
+ bucketLabels := labels.Clone()
+ bucketLabels["le"] = strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64)
+
+ events = append(events, OpenMetricEvent{
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name + "_bucket": bucket.GetCumulativeCount(),
+ },
+ },
+ Labels: bucketLabels,
+ Exemplars: exemplars,
+ })
+ }
+ }
+
+ unknown := metric.GetUnknown()
+ if unknown != nil {
+ if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) {
+ events = append(events, OpenMetricEvent{
+ Type: textparse.MetricTypeUnknown,
+ Help: help,
+ Unit: unit,
+ Data: common.MapStr{
+ "metrics": common.MapStr{
+ name: unknown.GetValue(),
+ },
+ },
+ Labels: labels,
+ })
+ }
+ }
+ }
+ return events
+}
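Review bot: In the histogram bucket loop the metric-level `exemplars` map is overwritten in place when a bucket carries an exemplar and is never reset, so a bucket without an exemplar that follows one with an exemplar is emitted with the earlier bucket's exemplar attached; each bucket should start from its own map. The guard at the top of that loop compares a uint64 against `uint64(math.NaN())` and `uint64(math.Inf(0))`; converting NaN or Inf to an integer is implementation-dependent in Go, so the check is at best a no-op and at worst drops a real bucket whose count equals the platform's conversion result, and since the count is an integer and cannot be NaN/Inf the guard can simply be removed. Separately, `*mn` is dereferenced for counters and for metric-level exemplars while the other branches use the family `name`; if `GetName()` can return nil for a counter sample this panics, which is worth confirming against the parser. The doc comment on line `// DefaultOpenMetricEventsGeneratorFactory returns ...` does not match the function name `DefaultOpenMetricsEventsGeneratorFactory`.
```go
		for _, bucket := range histogram.GetBucket() {
			// Exemplars are per bucket: start from an empty map rather than
			// reusing the metric-level one, which would carry an earlier
			// bucket's exemplar into later buckets.
			bucketExemplars := common.MapStr{}
			if bucket.Exemplar != nil {
				bucketExemplars = common.MapStr{name: bucket.Exemplar.Value}
				if bucket.Exemplar.HasTs {
					bucketExemplars.Put("timestamp", bucket.Exemplar.Ts)
				}
				for _, label := range bucket.Exemplar.Labels {
					if label.Name != "" && label.Value != "" {
						bucketExemplars.Put("labels."+label.Name, label.Value)
					}
				}
			}
			// … unchanged: bucketLabels construction and the events append, with Exemplars: bucketExemplars …
		}
```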
diff --git a/metricbeat/module/openmetrics/fields.go b/metricbeat/module/openmetrics/fields.go
index b54ac18df5f..27c738406f9 100644
--- a/metricbeat/module/openmetrics/fields.go
+++ b/metricbeat/module/openmetrics/fields.go
@@ -32,5 +32,5 @@ func init() {
// AssetOpenmetrics returns asset data.
// This is the base64 encoded zlib format compressed contents of module/openmetrics.
func AssetOpenmetrics() string {
- return "eJycUsFuqzAQvPMVI94hUpTkAzi8X8i7P1WJwQu4sb3WelGUv68I0JK0PbRznGHYmZH3uNCtAieKgVRckwtAnXqqsDl+sJsCEPJkMlWoSU0BWMqNuKSOY4W/BQCsHAhsB08FkEnVxS5X+F/2qqncoczZly8F0DryNld38x7RBHoOM0JviSp0wkOamS9ujzivvGc0HNW4mLFEaoUDKNrELmqG9kZhhNCy93x1sXso0LIEo4f55+ukI/7gKJYELsOFxKImKnoS2sGbmnzG1XmPYLTp0TrJuoP2BKE8HbU81Pd9JiztJ/Nh+y4s9bl+pUZX9EScJvVCtyuLXcnfTDTin3Ag7WlYppmvfgozT/HjNE/dHtRTMCm52M2fltvyl6FXaR+f5lsAAAD//0qh20E="
+ return "eJzElL2O1EAQhHM/RckEJ5327gEcEBCQoXsAhO7Gdttudv7U09bit0f+W+w1BCwIKmzPVH1TM/ITzjQUCJG8IxWuUgYoq6UCDy8/pg8ZIGTJJCpQkpoMqClVwlE5+ALvMwDY7IALdW8pAxKpsm9Tgc95pxrzE/KUbP4lAxomW6di2vwEbxzdwozSIVKBVkIfl8kty6if8Ix62/i9oQpeDfuEFbOR4EC+joG9JmhnFEYITbA2XNi3u0M1QZzR58V8Sz/qHV6kJgEnsItB1HhFR0InWFOSTbiwtXBGqw4NS9ITtCMIpTm0Dn05dTZrbaQjG6/DtY4zDZcg9Wb+iwJGfRCmZrsAoZmiP00H+2gc2+GQOwb9We5svzda3XvP+lfcd0ar+1z48+MhIZRfqdoGz4PXO/J3z31mmWMPNMuq38a5eRC7r6/OxMi+XZbmj/m91Adc+kYuWiP/rr418VjdleU/3eiaf7za/U/oewAAAP//WDeHdA=="
}
diff --git a/metricbeat/module/system/_meta/config.yml b/metricbeat/module/system/_meta/config.yml
index 3f22bc5a496..d13c0ca4683 100644
--- a/metricbeat/module/system/_meta/config.yml
+++ b/metricbeat/module/system/_meta/config.yml
@@ -17,8 +17,8 @@
process.include_top_n:
by_cpu: 5 # include top 5 processes by CPU
by_memory: 5 # include top 5 processes by memory
- # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
- #system.hostfs: "/hostfs"
+# Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
+#system.hostfs: "/hostfs"
- module: system
period: 1m
diff --git a/metricbeat/module/system/core/core.go b/metricbeat/module/system/core/core.go
index 3e35800bfbc..349d45b838f 100644
--- a/metricbeat/module/system/core/core.go
+++ b/metricbeat/module/system/core/core.go
@@ -26,6 +26,7 @@ import (
metrics "github.com/elastic/beats/v7/metricbeat/internal/metrics/cpu"
"github.com/elastic/beats/v7/metricbeat/mb"
"github.com/elastic/beats/v7/metricbeat/mb/parse"
+ "github.com/elastic/beats/v7/metricbeat/module/system"
)
func init() {
@@ -56,11 +57,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
if config.CPUTicks != nil && *config.CPUTicks {
config.Metrics = append(config.Metrics, "ticks")
}
-
+ sys := base.Module().(system.SystemModule)
return &MetricSet{
BaseMetricSet: base,
opts: opts,
- cores: metrics.New(""),
+ cores: metrics.New(sys.GetHostFS()),
}, nil
}
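Review bot: The new `sys := base.Module().(system.SystemModule)` is an unchecked type assertion and panics the whole process if the module registered for this metricset does not implement SystemModule (for example a test that builds the metricset on a plain mb.BaseMetricSet, as collector_test.go does for another module); the same pattern is added in cpu.go and entropy.go. Use the two-value form and return an error so the problem surfaces as a failed metricset rather than a crash; this needs an `fmt` (or `errors`) import in each file. New's signature and the start of its body are outside the hunk.
```go
	sys, ok := base.Module().(system.SystemModule)
	if !ok {
		return nil, fmt.Errorf("module %q does not implement system.SystemModule", base.Module().Name())
	}
	return &MetricSet{
		// … unchanged: BaseMetricSet, opts …
		cores: metrics.New(sys.GetHostFS()),
	}, nil
```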
diff --git a/metricbeat/module/system/cpu/cpu.go b/metricbeat/module/system/cpu/cpu.go
index f992194d9b3..b530dab0879 100644
--- a/metricbeat/module/system/cpu/cpu.go
+++ b/metricbeat/module/system/cpu/cpu.go
@@ -27,6 +27,7 @@ import (
metrics "github.com/elastic/beats/v7/metricbeat/internal/metrics/cpu"
"github.com/elastic/beats/v7/metricbeat/mb"
"github.com/elastic/beats/v7/metricbeat/mb/parse"
+ "github.com/elastic/beats/v7/metricbeat/module/system"
)
func init() {
@@ -58,11 +59,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
if config.CPUTicks != nil && *config.CPUTicks {
config.Metrics = append(config.Metrics, "ticks")
}
-
+ sys := base.Module().(system.SystemModule)
return &MetricSet{
BaseMetricSet: base,
opts: opts,
- cpu: metrics.New(""),
+ cpu: metrics.New(sys.GetHostFS()),
}, nil
}
diff --git a/metricbeat/module/system/diskio/diskio.go b/metricbeat/module/system/diskio/diskio.go
index c4c79e3f6e9..20ec9e3f213 100644
--- a/metricbeat/module/system/diskio/diskio.go
+++ b/metricbeat/module/system/diskio/diskio.go
@@ -21,13 +21,10 @@
package diskio
import (
- "os"
- "path/filepath"
"runtime"
"github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/beats/v7/libbeat/metric/system/diskio"
- "github.com/elastic/beats/v7/libbeat/paths"
"github.com/elastic/beats/v7/metricbeat/mb"
"github.com/elastic/beats/v7/metricbeat/mb/parse"
@@ -63,7 +60,6 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
if err := base.Module().UnpackConfig(&config); err != nil {
return nil, err
}
- os.Setenv("HOST_PROC", filepath.Join(paths.Paths.Hostfs, "/proc"))
return &MetricSet{
BaseMetricSet: base,
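Review bot: Removing `os.Setenv("HOST_PROC", ...)` takes away the only place in this hunk where the configured hostfs reached the diskio collector, and unlike core, cpu and entropy no replacement (a `system.SystemModule` lookup passing `GetHostFS()` into the libbeat diskio helper) is added here. If `libbeat/metric/system/diskio` still locates /proc through HOST_PROC or a built-in default, `system.hostfs` is now silently ignored for this metricset when monitoring a host from inside a container; worth confirming that the helper obtains the host path some other way, or threading it through as the sibling metricsets do. The enclosing New continues outside the hunk.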
diff --git a/metricbeat/module/system/entropy/entropy.go b/metricbeat/module/system/entropy/entropy.go
index 502ff29f933..f42ac41bac5 100644
--- a/metricbeat/module/system/entropy/entropy.go
+++ b/metricbeat/module/system/entropy/entropy.go
@@ -23,6 +23,7 @@ package entropy
import (
"io/ioutil"
"path"
+ "path/filepath"
"strconv"
"strings"
@@ -30,8 +31,8 @@ import (
"github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
- "github.com/elastic/beats/v7/libbeat/paths"
"github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/module/system"
)
// init registers the MetricSet with the central registry as soon as the program
@@ -56,7 +57,8 @@ type MetricSet struct {
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
cfgwarn.Beta("The system entropy metricset is beta.")
- totalPath := paths.Resolve(paths.Hostfs, "/proc/sys/kernel/random")
+ sys := base.Module().(system.SystemModule)
+ totalPath := filepath.Join(sys.GetHostFS(), "/proc/sys/kernel/random")
return &MetricSet{
BaseMetricSet: base,
diff --git a/metricbeat/module/system/fields.go b/metricbeat/module/system/fields.go
index 28a26765696..10611be6660 100644
--- a/metricbeat/module/system/fields.go
+++ b/metricbeat/module/system/fields.go
@@ -32,5 +32,5 @@ func init() {
// AssetSystem returns asset data.
// This is the base64 encoded zlib format compressed contents of module/system.
func AssetSystem() string {
- return "eJzsfXtvIzey7//5FMRcLOLZa2tsJ5nN+o8LTDybewzMxMbYs7vAwYGG6i5JXLPJDsmWrHz6Az76zX5JLVkOLBzk7NgW61fFYrGqWCyeoUfYXCG5kQqi7xBSRFG4Qm/uzQ/efIdQCDIQJFaEsyv0/75DCCH7SyQVVolEEShBAnmKKHkEdH33FWEWoggiLjYokXgBp0gtsUJYAAo4pRAoCNFc8AipJSAeg8CKsIVDMfkOIbnkQk0DzuZkcYWUSOA7hARQwBKu0AJ/h9CcAA3llQF0hhiO4ArFggcgpfkZQmoT6z8WPIndTzy86M+d/VrKycT9okihSEXzDdlPUzqPsFlzERZ+3kBNfx6WkIK1w03Qr1wgeMJRbOQvEsYIW7yZ1KgHcTKJA1WjLwNMIZzOKcfFX865iLC6QjGIAJgaAM9+AS8A8bmZVkUiQDIGptBsY6YuY4GwAMxPKJYKwQqYmlRGJBKtME0AEYmYBkXJHxCmI7EkmoFIKQVcgDRqRBQSmC1AlkYzunOOFEcXfgFJhYWaasA1OYXlyeuQguF5vQRW4neNzbQJBWGdvtX8Z5gjt+SKQHkQJDGBEBGGIqz/Y//m5MuHz28npbWTmQA0ZOl8s1/7hgLOFCZMIsoDTN1ofVeUnu+asIrUO2ThUJzpcQpQtCo5BFrGCGtFXVAw9LTEMIoSqoj5XsH6pJ+ywclmq8JEkRESln6cskI5W1R+0cKN/mjo1xqVXRg5qtJf/h90l2mA9AJSXGFa0UXUpY+oVSd7oH/QVBEOFFmBx2yUptsLO5EgDo+6y+oRZoAhGeMAGqakxIEiwaMcRyM0OBzxhKkdgTk1P0bhPoJgQIdwMaKAOyU8AB0jARyfhDlDlK/PYkG4IGqTbhIg+3BzMElvi5KE9AhlblD1AH44Re4BiK8xUUcoS4Y0MHTCGQqJfHzbj49D2ohh+MTvxydkCWJFAh2Nafd7iVlI9T+WWIRrHcARpkCIJFad61H8fjjRj4Za8rl6SfOi8W7H4XPPzRbIFTyHL9vDLBG24jRhCouNNQHO0V0RoRJMzTfWS0JtjLzcxFokkosaMRNYFuTF1RJEugVyMal94cMKE4pnFBBndKM3z6+MPPUS5CHt4vEKqJA12CkCDeKkFgRrrqTCRcXeJqg02ZARJ8qXa4kFSOd9mRngUk3sH3N2lqdrauPlK0OiNaEULfEKdFyNn0iURC7lw+fo28X5+V/QXy25b2bs2mCFtFBxXEwF4HCDFH7U+pEnkpjiCAeBUTtrW1b1QT1YNJStI+qXEJqiW1bPbMjT2rAbnqAAMztpRZFn+dqFAKxA6B8wK7diovIUkTn6oTasS98JQFih9+d/0dBOtV5Z5XLZmkkQJ5NUmt+s9swAXfzcODl/rhD2zxUkvtzw688S7bwgr/XVL/dw+OrdjuPdPlPKu4cgzUmfRJZts6PehBSM4tzc/ktboSan5LfcM+rln2hP6ihFMDRNfbSMDN3oj5ORnXb742Sp/5Z/pPi32PePk5PRN/8Xxea2HsBxMvlS3YBjk2YfL+A0TYRIX32MCa49vFc8hodadu+lnEwf85nuyzgFPcLDxKM+hHvuo5Dtd8TnRr7tJvd69lCUidZTwr+rimLI8YMeonD+oP+Jbm6z6reeZbfpZ/gZhf6vdz7rZbH6kxW6yhBfDJ9uw54m2aVsIAimU7t5DoDXE8L30lFIq/RsmWuEN4hxhWamDnNFQruNY0pzodfGdDn6DoYE4HBiDjxGXDzGUyp4GJqIVhk9Q1plZBJoDZ8nlG468K0FUbB3gIbKlgiNBGcb1f9ELXUFfV/aArwZxsAow0a3DH0iLHmyR1ykSgpV/EAJgeLCjWQOe2JKnKYxhKVMIi0Z81dIkj+MH/rTxWWvGXx+AWkcCtg4MkoH6ymm2qjdYjNqVak3bxXaFoKJCNUxQcBZKPOCWm1WzIrtNbHPBtGu2U5ncd8A/RhDrvfBm3e3sryJN4Hk8Z
jOSxWjxqEdl1jwhQAp6w4DMCV4vNnFY8h9E1eqXx9zuBeA00GnM6JG9e8ytHpgLaQ63MI1oGeP93O8Dueplia29fDcXtHgnGZ2+cfzv7+vzfKcUCjdykBbuYb5MLUClfxXY9SpZEwfaOMwXqAJ3QvyVlzb9YTFgqwIhQWENgFBmCUz8UIPYUUCmA70Ygd5quULXt/ehbB6p3978c2LSNPdAxQ9RhUKPKkf/SBMVDWNOWlw57bGYgbWNteMXZONH43R1j3aXT0+YjwEY331GjU/qYdHBUgCnlXb27Vao5uOLbWCvATANkIzcj+oc1mQXbvEEgmHjQ40wYHwnn93q4BuS0Znqij1BrPTPuZUyo5U2MoKm1ia7sCLhYAFzvId2gE1JqdSwZh/decSzW0j3t/K5sehQXOesLBl+eywrB88Zk9O0G/cZJ3/RVjI1w36Z0lrp2XAKvDPdF0QIM185VJAIQ9kNavmmwXUbpFbRdOFvoazvkBQduPRWMTKmqgC1Ivn2QCaldsB0GeeD4fQmsETAzSmiTQyfVsPgSjH4S7m5PruqxkD4RUIvIAdDcCbizdDjbL+FWGL6RwHiosrdHF+PswwfyrAN/ebswv4EWGJAv8afvPTMSH9yWFtMDhvLo4K7YUHrh+3OXd+Lp3w6AIKSZaI7neeXGfnuabCrzBjcPRs2tWgVTvyZP7Iz9F+b4rUrLNtM7GTu2eHqKUsXAOLEdIVBwtDzL7muoK0z+BBw4+veovtBeuAUa6N1/LjXONRuTnPYqNiN5mQgzSnbYQFNAmzPw44s6n92SZ1JwMcLG1bmRrpWTKfg5DoREIWuzrR4EAlmE4qbog/CtAEencA2Vmlrg25lGHOakH30ceQvbTPTsB2QUUdyQczWt6eCkJT0aCntyvUaHXpvcsWHcBtdgwV5FlYKDcKCXAWWxp7HRKt6cACQDNQa3B3sty6Y6H5V55gcjPkva6nP9W/RCHEwEKZbg+39za5F3EBKASFCZWnKDa2GgVLCB6zwL6w0L41qAR6/kDPidtvl24UIhIFmAYJNdmHGdbTUpBF+QDTmrD05ttniPJTGZO3eBcLHryLICJszk/rstAfLooEzdeK4EwMlVu+zNKReXl025ZL5RNaDxD155ah2/t/I2IYxUgmUdVKpzpEmOv/k6rQbZZcOHXfh9/rC9vNIs/Uwn29r1o0mDfUx8ShTjOHeoay9QOh2irtKl1Z46pla7Z5sYA5ebpCb/7bsPU/VR+wnP/RmmdGyX0r7U4RqUgg7TkVhOkxlcZRauaXarMvw9udnnnm5ELOTF9Vei6zbryzYXifyyLmJ8nDxXt8KzVpFHxW6wZqzcXjTtGNG6MQ3rifFKv2Sj3r0t+bSst5JYN3uII9UMuBAa8JJKvg+1Tv8UQd9CymWoIkS10svRAJe1aEAgIgq2ITykZBxjh4hFFrMnIwbuyeAtsfEpEh6SkYwiYgBBf7EYsd2tUWW0SELXrM1aEwSWBhNyLCJqHgcdw/sh2EiLCAR6YUwM2d6T2xBh0vWLI9JLZPgDxRC94OsNLeFtM13tR303PtOn3EYk2Y8ZJ/uf+IZhDgRIJziLUDLiDmQuU5wOY67cp+NJVJFOEeWbdss5iBwv32q89uR7JFTGyhvcMF5TNMM9NuvH2iNj33HxJP/uqdLj77D9Scgo4Ju7mzJ7AgGrqgBmNSe7juIJeEY5L7+rGb3JQSBSPT/EQUtBMmQTTqLF5/9nDq7+2NtvK63BgFryvOW3/jECt8WmwafFrsZF5pZYzG9bowJbhqMWKslhnfE89XI7LQpkEz6lqk1ylWm5Wj3Yu3BjYuL6KJGxokd7Nf/2Yf7uMdCGKh3Zkt6S62p1v/ah+KQRRSwkae6XlCKQp4FGEWnunhbXSkuO1+Xmw1fuoS8GZz8CQLsVgkkclCSoixwG6H89YikAXjAqZ4xldwhS7Pf/zZb/ckiC0WlG2Qsd1qCtbbTqveIwlbTEMizF2DzRbUga
36G1v7w+mOGgBsRQRneubQCgui43zZrAW2Z5w2pL7LGbhwHw79KgB+uf94avOh1tTe3qN/+w1HuT0fGi8bdn339UzGEJA5CYppsDi/2jc0x9V4wRp1ZWN6Jiw8tx1LrzG03byugrXX5I3ruie0Wds9DdamEO17EUZ7nL1oknV3Wx/0zPmiQS9jJHFo9swbVQgXJIkIxcJlXL1k/6KpZIIsEgiJjCne5PGC4nFqstMbp/XLhX7hNjRLeFES9rw9ko885hskGdP5WySltpJVEbd0N0AHtgv+rgdVwFYn9onXHjq2Tm+LPH1PvJTRhXXXdwi6/k+/oLbSF9T/uPqz+e7Q/ahrv+varzz1vOgQRzKZBqQ38T0P2CyxLJ4c2mPTypH2NY8iotD1EosFoBPlKSPJRsbWXUljOszwAoSmYmwmUeYM1aTdXSCTInmbNZ11uVdbwkVkt6YKKZ/tGEkL+QtIEuqldQ8K3ZM/YFKxFoMfDuqakSAROnhCzulFEpTRstOG+w1VaR3fHrTd20o+/uQSi+daboZ26GMmkY2XiPwRzxalN78SCtnfcOF8wTSvYrdnrSlG3DbfSGQhaJh7enLYYgq9S7t4YmzjyGNgO21/lTtTZRlIM37vPY+SiKiJ5PPm5bHbjqyHtlTSY/4O6Jn35B2yFBUWxg4wQzNAwVK7VWHVo8MKYbYx+2+XKJa4FtSOJQo99L5EURhbi8J0h5kBEjht+SU4Vw2BsG/hbb0k07y+XkAGj8wbxFhKpt/GkgRLG1xg+WgrfyIov0uWfty3sptYAvITjZozpfddO5BcklgbUlwbkHF2psXhRjYClFAiYORXSi4YszA0bq/l3VBHBq2HgJHTppuPxsHQmsTNdTTLjURYSh4Qkw5bE7W026kWsz+GuTHRn9ARDPteIZyOevPRJmVct4V0dDOa4TutMvOOimctR7dFEcVYLfcnJD16Wnfk9Kh6a979WCYzG099L+3FPnuPeJDIDLVDCM2NO12BkITvvpu4ccy1AAc5W2LpxYLqaUkzuFpiDbUalBqi5ukM4iSfKCSDJYQJBfssIzZdXSxcLB+zy8NukXvH/GC/k24enCnBKXVmd82zxHJGSshTdP3rvbFuXx78g+rfS4VZaMGkPYXoBs0xEflQzgjGgmtJE84wpdUoz0nH3OFwoUka26a1tumEZYWhayCLpZqgLw8FGN5xBWDqAuUKKAlKFt658KYBvM4yyvsKlifACNmV0KMwEabhGVqQFTDtGBMeNqw1ZrN8LASR8frPy9Pi0ETbfLFIDV6k93qX1HJGvTnPEsQJDgI10YRwGBI9Eaca0Vkuk+LOsODMhGz/bOrf48Zu2BlQ1+6Aehg/VF0xNx9Tfqva3gqgwfZuBcG/aPXnbhsb3Diazza3Mmnu9bRy2WSUajxamKvL1jHbZh6Vcvp4ARPWzGmHEW9BKNHq0sVChCGGGXfNiXqC8gfLZVRN0XIvWH2F05w9HgdMIWNbxtUDIIg9Tp7e6MxZS9rid9gket8TqoPbVmwldD1FdcCp9MPrxJm+D7C3SXVuyzZT2vg+UR3ctgIsoOstqgNOqg9eq90P5nLiHIuk3f63TGffLc7QMXuwm9yIBCKdXeMGLvkaCVgkFAsdWjYOZbn/Xqb+rOLG/xEgeSICkEgueUJDE9wDppQHWDUWNPpk8nvCFd6/SB4q+fJGwViHE1P/tR0DKXXncdGXFAlL/UjtktmpRidYohDmxOZOmqVcVI6mS5g+6Zl8575l94GZsvYFCHdEYE4Z3BkOaMc8c6AMnqJj3jhoqaFZmnkpiXVSOFxPiYXOi2+WZJw4odgcVpRI06f2EmmlJ4tl41PzVfEKdcTrNVuXzfJtWK/mLGPoQhVqIhJm8pXHIAxzFs7ZAqQyUTJhCU+kW3ONAxNWyfOVF7F919EvtSG+vdOafYspb6vkTI25ebLCVBqjU1owelGUTUyzcdNL24gCKI5lbw2xrKul4EpRCA8uBK0rsm
lWZ/YSsMOGTgyTxPNcZPox90Qp5WtbBaZte1rHrpawcQJ6WuLEtHQyja/nrXapYO60VpdmyCbViUBmL+xr/qsS3/8Wmh07GxbCxJbzoZPKEn1b2EfzCenwMHwTdarFVLwt4Fyx1eUgwTR60IcQTMGrHk0u/sxUXkYOUibeE1g0PMdw50ZDJ6kxNBYXmP7123qXkuKnb+pB8hY/oQ/iGur71A1JtxDn1SlEAUtlKLo50H8oFTZpVs6yHGDKbQvFLvaKLF6cdwQmqHdwgnrVABQ//gnlKxDo4hx1xXxFNt4fKRvvh7Hxw/mR8vHD+TBGmi6b19noyBHsyIW1fvd6VaXmp1/kPk9aAq1Rlz6l5qCVhLTnykeSRAlVmAFPZMNJiBPcqyE4FjZeDUEXGz0MgWdp/5pQ2rC0a4MVDl5x0FLn1uvw1R2lpt20PXfU0s/rEVf2eeYjLldrf5iUXvHhwYKzXWqPpo1/8RC+w+cexGaz+ehVzTmA34zTkuLpGAlXajm1CdE8p98YNm/tWfTj4eq0csPB3mlImHKVlkSiecKCtJTBvIbjep6m7oEtyMc6dtW6YQob3Itpw3I+7edvwzQ+k0hRhTP1NSdJEQ/7TmoB39iTmt2/SI1J/VrWqW8iy7civJR6i3wfyjoOX83qOWTiuk4BR1etE3t35u1wHes8FNxuNh6aZqN4yWeIng2Q+j60ayx+dtUvPba3NA61X7tNP6Xrt7vv5plq1rJmma5yhgAHS/OnlV29JZ9NZPe23nq1CQ3zWO0Vp7TY2PZXeHVa9+S0DndOI4gmtpyn6aoJ6mNWu+6rDGC82D7ZlUnNNo11iyfpBaO+5wQ5wxF+Oh6ml5CVcxZb1Y7Nub1FcYxc57UI1qUrt1rV3KbdJuak9uJY/jGdT9+6i3/1QmOT5SocZSWy76aupTfHhCb7LzAo3yByR3mVm4z2MslJZU7fonWtLUX+EWAaSA9RF74+sLKk7PE1UksBcrnk1G9JiziXZLF8HqCa8hCkhzc62dXXpy6cneDNXfuRqnXrCl4o8RdICRLHEGZpaLsRUFhBU16v7/Ea5euWhN/wEsJcVZvkWqSu9WVU8gUF7EM/wk+jks/Vqg91zqNRqXNzdW0A9ekj6XHCMhSCHlTrbG8keiMZFYUeUO9oNQS9bb1cH5sfuIS03Xh6vbzkFJpG56Zvr31CyvlLjeON6UdlwjpWH7J2118HXnVhlYTSEjTuKqyjdzvTMjqncFWhtV+L2IuzqaX2MrwvuX45/pdcH50H1gPyEcUdVatrVnbjiCe15W8ilHok0sz7q8/pYeTV53z1OV+Az+mD8XisGUd33rC3xOPj8WceqyLoTEA2jjpcMkfvIvJ5RT5tbl/jwFu5g4/HmXysztuY2Uc99lQF8VGaipKN0KHDw/Vd/tBWrePZEEaP1TQUbUKVY4+NaBxzF+tpxPQS7IQTVlVONYPRJaWt48dMWsdpNKoT2Xz/yhsstLJuKxaqjxSUGW49yC+xbF8wzFvo3dy2dJeoQOihpCMC6YHIvs83xYz7XzEqYzvMAvrAONtEPJF5ssUc4ZkSdPueoLmjciYgAKbo5syYoJNPX742aw0lUpX600fxXKITuYwgeuvrSdlfeHNCD70b/UoonM1w8Fh6+9UJ59OXrxm7W3BlZH1gfu70rmkIjz1HSwICi2BJAkynVlTT49ovitUwWdIxhe1cyuytkoLxtBtC8w3NUcQl18cprTzn1FtujUOW5bmd3NKXTl+OJc3eZi2ai9LKa07hVVfkVpJ6BrPZLCm/QfXKaAvtiHAcQ3hcHN+TPwpdjc8sROT+n0Yqm03xuDYnxguYznFCO3K6e7gMr20EzlqRlkN2JchiAcIkf+O2sx4DfaA+/IeL6Qvg2wDtYBy9+az/6o39p0RLrUIsb/TqMiT29WO6MQ1fFW/LCdjHo80LMqbjX0iKrVB7apScNuai9tBgQhM0/zVdJnjhzXR7zQKnj5ptwQdP2sur98
UITwqR666stDXA78XKIbZFV1GoV4jATNrnv9AyWYCRy9tTxHjzyda4jquQcqopH43Ufqs8PMvnCGeC9Mpr2N2INY6Phtf77IR/y9lLGKxIoMwj+sfC1OdCjjrAjHFle5IFFJMIwl6cplzO6CPx2fABtwB+oTwoPnX9Wvw/dvH/FrX/9oLjsWisTa1XX7w2tmYOQtgUqLbhxk3AlKKZUapQL75G4qjlBGuQmAg/zAXeXAA3727Tx4A5M+28tLRddwZKd2Dc9FuC/B0K10rHvH7DKQk2zc8w7GoIHIB/Xmpj8Dl9dlVATHGg6Rtb82odDmMdfCyMmz+PQZxZPdXz7R4D7J1A3xpFbaBRc/E7MtVpSvaN5OW1xDpcX5zXllivnXBeO+H0wbV1k6vD9bfLbkS/LuHXJbwrH3+ORZn7APZ5MplEES7d8VdEUdAc2nzxff0PvAu0xXd1Q2QPtVTeLAKZvb3pHl5bclnyUgXoTVkTLfYH9S3NNgk3SrTD7a7GZTlsA5fIGt5Cp2jL2EhI8qxc5bHSXlhIWLs3vTsQ00BwCApJAeJ9iCQdeBgaxeMY/C9e7gTGjjsIyx88mpHxZ8gOOwhJCHh8kehBm1CgG/W9RCsQG5QwSh6ButQlUfZJNhzHgAWaJaY1jHHOTcNoTJEkKnEpEqJQhDfuUMrPWsIeGV9XD4t25y5nrNDVeGmjMR0QJTRk37scrBIEVtoTEYjIFNGkZqIFLuUzBpvdyveHG1H9X6+g/FmMLlnhvKuZjVmbliRWtebdO9A1p/pEbc7sVPRA4LvxswOAh6V56TO045YB+CWwYcEUm05t46G4dndo9eDIDn6KiMXy5cPNR4SFwBv7HkKYsBAzhfzGgcjHtBxupGVUWEeuBsMSaaG/zw3eUChMkmm5RKSSiM/bMJkzsfFFYoYNu0Vi7+OMT9/d8+mkb9ZXPXXYktMq9czaSqtRhM2LtQKvDQprb6UXpTkuGFdzCsekZvCi0iw5DU1ZDbo4v/zxbLZRkEJog6fX5x4cEofPOdgOoi0NESZk1nQ70Gb2CUTFdvn3pmzHmYHC/fasYoiQviNqqckDbFqmjL2wTdUZLV7pxOHUaNsu1PQoqLQxtdHcmVy6Fw4gmcx251Ims7NhTE4lYbW8jKUZ1sHUCJrKJ4WjOCVITU7X+mLmEfKJeyY4hWKKXezeg1mYxlen1kfV/6ckSuL6E+UpaniCYBrwcCc53d/8/+v/+vQR6XHyd7kdwu8lijBhtZd+Ucm7JcpWHu4+Z8X50uPW+27Vqa6AhVxMYwESqsZ+EPUQTIHZEBTZ60Reup1vpTtrkz0mW3um26+13a+MB3EyaXlNtDXPU+tW2uvZ0HL7xo4bdP3pl2691aqBq8RN4nViqsd2olq4VmRTub0nprAngFpz8diIo9fJtRskfxChqSlIr5PqQ9eN22qKhirJAqoYB4+wfY3qYFyOXhcynqhdoXnJNpVbFunuNFGeSSjSrPtWXAPbJex/uL5zo8jcwbNb22451ZAIaA5KMSW1y78xVsts4Uyavh+Rha1xuUJKJA2NifMuBhGpvT7SF4H+u12IUx5gOiFVU2HJ134MTziKKVyhi79fTs4nl5MLxAW6PD+/uDr/+MvPVx9++cfHq59/+uH91dXFMLf+k8aBbu4QDkMBUrp6XfdQPmbo5m71oyZ2c7d6n/1RH95iLvz7tkfFM/4uqw+Q9YKvSXVgEhBxBUcg8C8GyMgSd9wdROSOgf4yX3I5xIHLgP3t/dnlxcXZxcXfzn54P2HrifvNJOBRtQqkA/PdwxckIOAi9G76Ip2TCbpR2kXnM4XNy7IrgpGAFQhZ355v7hDl/LGxoqsiBlA0nMY0kVPOhrjTmTy2Zl97wTCfQ+DKuuIzmz4MuYkCTuDh08e3qWfsZKEnzd6W4wxQxOslPhTPgE7Qr1ykyE7NAHq0/3thwu43c84nMywmC04xW0y4WEzeaPm+Kf6gVtHzkN3i4AKFoEBExB
xRpcOjgEcgXfUmQxDNIAwhRAGPN1lSFKvaC4DmC0ul4qt37+JkRkkgk/mcPBkcvXV5CkLUbrfskHj6hx7O/dEsZdM+iZnNidFAp27I3cTvQJwey8a1UsauPa75m4O2uHSYgEcRZtuC8CRhtkMRhZQMWngd02YebnK8odLQrTjgyY+hWxLwBEFirgbsIg/zuMdglfB/azjhxpRaB+l5Qul0gCqUfeDm0oR783vk+f2ulQl8jngMLPOfSV6P4BIEO3nQ9WfUeyYn6or8wegxY9ajrk5CZ06iNSx3r5t3BcT+AmUNzMiwGV3B6SRSgadAYkQsGQnj/PjTZirwe5hbzouOwLafm45HN5oF0hV79xDY53Lnr2IomSZ8TtEMS1tGl6dmsgfU3Z1Cc9XOJtRiU5NM/oAJuuZCgIzNe2SKp0+CSDBn+u+0xXwnN/IdA/WOxKsf36kgnkYQTdAto5vCk9GcoU+EJU+T5itL9ZWGhmV7mhWqfXZRzwQQF/ESt99ZbZ7pnmgNYrvW3SQ5shBqlU+ntlm+rRw02ZCxGUjtSbfc+9mVPeDT0NrsTBUeSO0RELmsHfTtAWB+BlggO0iaAeUSpmvc2Oh1L2grCLWNmOZIpt7DsDJuRaLjgJ0B6YNabthUNhfKHgx0iqMvZgHB6hgwaxx9MM8JM3NSTQUdHHQGZAhq/5v/z4D6sg9qiqWa4sB3AnNQ0CmOPpi1rTnIDtJt8ghb+BBnQVo4qvv69eOfxH3VjDyj+5qEx+i+ts8u6um+Htr5a0Ld8j+y1RFXbiUNzhJ8s0N8K3dmc1ez2SJVFftXLpew41FbYhMkk8hfzeA5GkiXT/rVyq8JixM1Tf8oIpQSf/lAj2LW2/uUV8JKQ9VLxRIJQnbKfotCsU98sYDwLHuFFqQknFUTyG0ybkinbV3im18Zd2C8VCXULhrtQPcDKx6NUL4g2nJVSbTcTt+R54+/JNJVcZrR+0jAcwi7Iwr99axGqKANDRPgqxXZZQ4y5etbmlI+nvAimXFOoZYf6ESiv2Ye7g6sZcLpyVCrRHYpFfPPSPpgU6XorwVDwMfWisJsWAMdeqjkJf84rG1WW9eTLwEJzhW662cT7BxNBx65dm6hH0rHgu5MOn/pqAIo/x//GwAA///w7M0H"
+ return "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"
}
diff --git a/metricbeat/module/system/filesystem/_meta/fields.yml b/metricbeat/module/system/filesystem/_meta/fields.yml
index a66f7efb41e..0c1e7d55619 100644
--- a/metricbeat/module/system/filesystem/_meta/fields.yml
+++ b/metricbeat/module/system/filesystem/_meta/fields.yml
@@ -16,7 +16,7 @@
- name: type
type: keyword
description: >
- The disk type. For example: `ext4`
+ The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks).
- name: mount_point
type: keyword
description: >
diff --git a/metricbeat/module/system/filesystem/filesystem.go b/metricbeat/module/system/filesystem/filesystem.go
index 579f1daaf6d..98633fd4345 100644
--- a/metricbeat/module/system/filesystem/filesystem.go
+++ b/metricbeat/module/system/filesystem/filesystem.go
@@ -78,15 +78,23 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error {
}
for _, fs := range fss {
- fsStat, err := GetFileSystemStat(fs)
+ stat, err := GetFileSystemStat(fs)
+ addStats := true
if err != nil {
- debugf("error getting filesystem stats for '%s': %v", fs.DirName, err)
- continue
+ addStats = false
+ m.Logger().Debugf("error fetching filesystem stats for '%s': %v", fs.DirName, err)
}
- AddFileSystemUsedPercentage(fsStat)
+ fsStat := FSStat{
+ FileSystemUsage: stat,
+ DevName: fs.DevName,
+ Mount: fs.DirName,
+ SysTypeName: fs.SysTypeName,
+ }
+
+ AddFileSystemUsedPercentage(&fsStat)
event := mb.Event{
- MetricSetFields: GetFilesystemEvent(fsStat),
+ MetricSetFields: GetFilesystemEvent(&fsStat, addStats),
}
if !r.Event(event) {
return nil
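Review bot: `AddFileSystemUsedPercentage(&fsStat)` is still called when `GetFileSystemStat` failed and `addStats` is false, so it computes a percentage from a zero-valued `sigar.FileSystemUsage`; the value is not emitted in that case, but the call is wasted work and obscures the intent. Move it under the flag, `if addStats { AddFileSystemUsedPercentage(&fsStat) }`, or fold the decision into `GetFilesystemEvent` so a single place knows whether usage data is valid. A filesystem that can never be statted now produces a debug line and a usage-less event on every period instead of being skipped; that is presumably the intended behaviour for the Windows `unavailable` case described in fields.yml, and a one-line comment here saying so would prevent it being "fixed" back. The enclosing `Fetch` starts and ends outside the hunk.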
diff --git a/metricbeat/module/system/filesystem/helper.go b/metricbeat/module/system/filesystem/helper.go
index b42504d8825..29b68a34d4d 100644
--- a/metricbeat/module/system/filesystem/helper.go
+++ b/metricbeat/module/system/filesystem/helper.go
@@ -110,20 +110,13 @@ func filterFileSystemList(fsList []sigar.FileSystem) []sigar.FileSystem {
}
// GetFileSystemStat retreves stats for a single filesystem
-func GetFileSystemStat(fs sigar.FileSystem) (*FSStat, error) {
+func GetFileSystemStat(fs sigar.FileSystem) (sigar.FileSystemUsage, error) {
stat := sigar.FileSystemUsage{}
+ // In some case for Windows OS the disk type value will be `unavailable` and access to this information is not allowed (ex. external disks).
if err := stat.Get(fs.DirName); err != nil {
- return nil, err
- }
-
- filesystem := FSStat{
- FileSystemUsage: stat,
- DevName: fs.DevName,
- Mount: fs.DirName,
- SysTypeName: fs.SysTypeName,
+ return stat, err
}
-
- return &filesystem, nil
+ return stat, nil
}
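Review bot: The comment inserted above `stat.Get(fs.DirName)` describes the disk *type* being `unavailable`, but the line it annotates is the usage fetch, and the new contract of this function is that the zero-valued `stat` is returned together with the error instead of `nil`; the comment should state that contract instead. Something like `// stat.Get can fail on Windows for volumes whose usage information is not accessible (e.g. external disks); the zero-valued stat is returned alongside the error so callers can still report the filesystem identity without usage fields.` would make the caller's `addStats` handling self-explanatory. The function comment `retreves` is a typo for `retrieves`, and it should also mention that the DevName/Mount/SysTypeName packaging has moved to the caller.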
// AddFileSystemUsedPercentage adds usage data to the filesystem struct
@@ -137,18 +130,20 @@ func AddFileSystemUsedPercentage(f *FSStat) {
}
// GetFilesystemEvent turns a stat struct into a MapStr
-func GetFilesystemEvent(fsStat *FSStat) common.MapStr {
+func GetFilesystemEvent(fsStat *FSStat, addStats bool) common.MapStr {
evt := common.MapStr{
"type": fsStat.SysTypeName,
"device_name": fsStat.DevName,
"mount_point": fsStat.Mount,
- "total": fsStat.Total,
- "available": fsStat.Avail,
- "free": fsStat.Free,
- "used": common.MapStr{
+ }
+ if addStats == true {
+ evt.Put("total", fsStat.Total)
+ evt.Put("available", fsStat.Avail)
+ evt.Put("free", fsStat.Free)
+ evt.Put("used", common.MapStr{
"pct": fsStat.UsedPercent,
"bytes": fsStat.Used,
- },
+ })
}
if runtime.GOOS != "windows" {
evt.Put("files", fsStat.Files)
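Review bot: `if addStats == true {` compares a bool against a literal; idiomatic Go (and the `gosimple` S1002 check) is `if addStats {`. The new parameter is not described by the function comment, which still reads only "turns a stat struct into a MapStr"; extend it to `// GetFilesystemEvent turns a stat struct into a MapStr. When addStats is false only the identifying fields (type, device_name, mount_point) are emitted because usage could not be read for the filesystem.` The function continues past the end of the hunk, so the non-Windows `files` section is only partly visible.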
diff --git a/metricbeat/module/system/filesystem/helper_test.go b/metricbeat/module/system/filesystem/helper_test.go
index 1f7d0027f5a..126a44d38a3 100644
--- a/metricbeat/module/system/filesystem/helper_test.go
+++ b/metricbeat/module/system/filesystem/helper_test.go
@@ -60,7 +60,7 @@ func TestFileSystemList(t *testing.T) {
assert.True(t, (stat.Used >= 0))
if runtime.GOOS != "windows" {
- assert.NotEqual(t, "", stat.SysTypeName)
+ assert.NotEqual(t, "", fs.SysTypeName)
}
}
}
diff --git a/metricbeat/module/system/fsstat/fsstat.go b/metricbeat/module/system/fsstat/fsstat.go
index ab80640a0c4..6a963dbaf6f 100644
--- a/metricbeat/module/system/fsstat/fsstat.go
+++ b/metricbeat/module/system/fsstat/fsstat.go
@@ -85,7 +85,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error {
m.Logger().Debugf("error fetching filesystem stats for '%s': %v", fs.DirName, err)
continue
}
- m.Logger().Debugf("filesystem: %s total=%d, used=%d, free=%d", stat.Mount, stat.Total, stat.Used, stat.Free)
+ m.Logger().Debugf("filesystem: %s total=%d, used=%d, free=%d", fs.DirName, stat.Total, stat.Used, stat.Free)
totalFiles += stat.Files
totalSize += stat.Total
diff --git a/metricbeat/module/system/load/load.go b/metricbeat/module/system/load/load.go
index 8e49c60a884..a671f41636a 100644
--- a/metricbeat/module/system/load/load.go
+++ b/metricbeat/module/system/load/load.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || openbsd
-// +build darwin freebsd linux openbsd
+//go:build darwin || freebsd || linux || openbsd || aix
+// +build darwin freebsd linux openbsd aix
package load
diff --git a/metricbeat/module/system/load/load_test.go b/metricbeat/module/system/load/load_test.go
index 0c5f73caf8a..208f75e2157 100644
--- a/metricbeat/module/system/load/load_test.go
+++ b/metricbeat/module/system/load/load_test.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || openbsd
-// +build darwin freebsd linux openbsd
+//go:build darwin || freebsd || linux || openbsd || aix
+// +build darwin freebsd linux openbsd aix
package load
diff --git a/metricbeat/module/system/memory/memory.go b/metricbeat/module/system/memory/memory.go
index 4a4da3cd9ed..af4dbb7f9d2 100644
--- a/metricbeat/module/system/memory/memory.go
+++ b/metricbeat/module/system/memory/memory.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || openbsd || windows
-// +build darwin freebsd linux openbsd windows
+//go:build darwin || freebsd || linux || openbsd || windows || aix
+// +build darwin freebsd linux openbsd windows aix
package memory
@@ -28,6 +28,7 @@ import (
metrics "github.com/elastic/beats/v7/metricbeat/internal/metrics/memory"
"github.com/elastic/beats/v7/metricbeat/mb"
"github.com/elastic/beats/v7/metricbeat/mb/parse"
+ "github.com/elastic/beats/v7/metricbeat/module/system"
)
func init() {
@@ -40,17 +41,19 @@ func init() {
// MetricSet for fetching system memory metrics.
type MetricSet struct {
mb.BaseMetricSet
+ mod system.SystemModule
}
// New is a mb.MetricSetFactory that returns a memory.MetricSet.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
- return &MetricSet{BaseMetricSet: base}, nil
+ sys := base.Module().(system.SystemModule)
+ return &MetricSet{BaseMetricSet: base, mod: sys}, nil
}
// Fetch fetches memory metrics from the OS.
func (m *MetricSet) Fetch(r mb.ReporterV2) error {
- eventRaw, err := metrics.Get("")
+ eventRaw, err := metrics.Get(m.mod.GetHostFS())
if err != nil {
return errors.Wrap(err, "error fetching memory metrics")
}
diff --git a/metricbeat/module/system/network/network.go b/metricbeat/module/system/network/network.go
index 63b33da4944..7ed4199d440 100644
--- a/metricbeat/module/system/network/network.go
+++ b/metricbeat/module/system/network/network.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || windows
-// +build darwin freebsd linux windows
+//go:build darwin || freebsd || linux || windows || aix
+// +build darwin freebsd linux windows aix
package network
diff --git a/metricbeat/module/system/network/network_test.go b/metricbeat/module/system/network/network_test.go
index 11b8b433de9..d7fda561b15 100644
--- a/metricbeat/module/system/network/network_test.go
+++ b/metricbeat/module/system/network/network_test.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || windows
-// +build darwin freebsd linux windows
+//go:build darwin || freebsd || linux || windows || aix
+// +build darwin freebsd linux windows aix
package network
diff --git a/metricbeat/module/system/process/process.go b/metricbeat/module/system/process/process.go
index 875387ffefb..72eefa19d54 100644
--- a/metricbeat/module/system/process/process.go
+++ b/metricbeat/module/system/process/process.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || windows
-// +build darwin freebsd linux windows
+//go:build darwin || freebsd || linux || windows || aix
+// +build darwin freebsd linux windows aix
package process
@@ -30,9 +30,9 @@ import (
"github.com/elastic/beats/v7/libbeat/logp"
"github.com/elastic/beats/v7/libbeat/metric/system/cgroup"
"github.com/elastic/beats/v7/libbeat/metric/system/process"
- "github.com/elastic/beats/v7/libbeat/paths"
"github.com/elastic/beats/v7/metricbeat/mb"
"github.com/elastic/beats/v7/metricbeat/mb/parse"
+ "github.com/elastic/beats/v7/metricbeat/module/system"
)
var debugf = logp.MakeDebug("system.process")
@@ -59,11 +59,13 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
return nil, err
}
+ sys := base.Module().(system.SystemModule)
+
enableCgroups := false
if runtime.GOOS == "linux" {
if config.Cgroups == nil || *config.Cgroups {
enableCgroups = true
- debugf("process cgroup data collection is enabled, using hostfs='%v'", paths.Paths.Hostfs)
+ debugf("process cgroup data collection is enabled, using hostfs='%v'", sys.GetHostFS())
}
}
@@ -77,7 +79,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
IncludeTop: config.IncludeTop,
EnableCgroups: enableCgroups,
CgroupOpts: cgroup.ReaderOptions{
- RootfsMountpoint: paths.Paths.Hostfs,
+ RootfsMountpoint: sys.GetHostFS(),
IgnoreRootCgroups: true,
},
},
@@ -85,7 +87,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
}
// If hostfs is set, we may not want to force the hierarchy override, as the user could be expecting a custom path.
- if len(paths.Paths.Hostfs) < 2 {
+ if len(sys.GetHostFS()) < 2 {
override, isset := os.LookupEnv("LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE")
if isset {
m.stats.CgroupOpts.CgroupsHierarchyOverride = override
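Review bot: `if len(sys.GetHostFS()) < 2 {` encodes "hostfs is unset or is `/`" as a string-length test, which a reader has to decode and which also matches any other one-character value. Spell the intent out, `hostfs := sys.GetHostFS()` then `if hostfs == "" || hostfs == "/" {`, and reuse `hostfs` for the `RootfsMountpoint` and the debug log earlier in `New` rather than calling `GetHostFS()` three times. The same `< 2` test appears in `system.NewModule` in this change, so a small helper on `SystemModule` (or a named predicate) would keep the two in step. `New` starts and ends outside the hunk.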
diff --git a/metricbeat/module/system/process/process_test.go b/metricbeat/module/system/process/process_test.go
index a66f3a6386c..0a585141cf4 100644
--- a/metricbeat/module/system/process/process_test.go
+++ b/metricbeat/module/system/process/process_test.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || windows
-// +build darwin freebsd linux windows
+//go:build darwin || freebsd || linux || windows || aix
+// +build darwin freebsd linux windows aix
package process
diff --git a/metricbeat/module/system/process_summary/process_summary.go b/metricbeat/module/system/process_summary/process_summary.go
index a4f0e7b204a..1576025cee1 100644
--- a/metricbeat/module/system/process_summary/process_summary.go
+++ b/metricbeat/module/system/process_summary/process_summary.go
@@ -15,8 +15,8 @@
// specific language governing permissions and limitations
// under the License.
-//go:build darwin || freebsd || linux || windows
-// +build darwin freebsd linux windows
+//go:build darwin || freebsd || linux || windows || aix
+// +build darwin freebsd linux windows aix
package process_summary
diff --git a/metricbeat/module/system/raid/raid.go b/metricbeat/module/system/raid/raid.go
index 9ee16d9a129..9af6e87a9a3 100644
--- a/metricbeat/module/system/raid/raid.go
+++ b/metricbeat/module/system/raid/raid.go
@@ -24,9 +24,9 @@ import (
"github.com/prometheus/procfs"
"github.com/elastic/beats/v7/libbeat/common"
- "github.com/elastic/beats/v7/libbeat/paths"
"github.com/elastic/beats/v7/metricbeat/mb"
"github.com/elastic/beats/v7/metricbeat/mb/parse"
+ "github.com/elastic/beats/v7/metricbeat/module/system"
"github.com/elastic/beats/v7/metricbeat/module/system/raid/blockinfo"
)
@@ -54,9 +54,9 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
if err := base.Module().UnpackConfig(&config); err != nil {
return nil, err
}
-
+ sys := base.Module().(system.SystemModule)
if config.MountPoint == "" {
- config.MountPoint = paths.Paths.Hostfs
+ config.MountPoint = sys.GetHostFS()
}
mountPoint := filepath.Join(config.MountPoint, procfs.DefaultMountPoint)
diff --git a/metricbeat/module/system/system.go b/metricbeat/module/system/system.go
index c24988f3a97..dd1e514c60d 100644
--- a/metricbeat/module/system/system.go
+++ b/metricbeat/module/system/system.go
@@ -20,6 +20,8 @@ package system
import (
"sync"
+ "github.com/elastic/beats/v7/libbeat/common/fleetmode"
+ "github.com/elastic/beats/v7/libbeat/logp"
"github.com/elastic/beats/v7/libbeat/paths"
"github.com/elastic/beats/v7/metricbeat/mb"
)
@@ -33,17 +35,52 @@ func init() {
}
}
+type HostFSConfig struct {
+ HostFS string `config:"system.hostfs"`
+}
+
// Module represents the system module
type Module struct {
mb.BaseModule
+ HostFS string
+}
+
+type SystemModule interface {
+ GetHostFS() string
}
-// NewModule instatiates the system module
func NewModule(base mb.BaseModule) (mb.Module, error) {
+ var hostfs string
+
+ // If this is fleet, ignore the global path, as its not being set.
+ // This is a temporary hack
+ if fleetmode.Enabled() {
+ partialConfig := HostFSConfig{}
+ base.UnpackConfig(&partialConfig)
+
+ if partialConfig.HostFS != "" {
+ hostfs = partialConfig.HostFS
+ } else {
+ hostfs = "/"
+ }
+
+ logp.Info("In Fleet, using HostFS: %s", hostfs)
+ } else {
+ hostfs = paths.Paths.Hostfs
+ }
once.Do(func() {
- initModule(paths.Paths.Hostfs)
+ initModule(hostfs)
})
- return &Module{BaseModule: base}, nil
+ // set the main Path,
+ if fleetmode.Enabled() && len(paths.Paths.Hostfs) < 2 {
+ paths.Paths.Hostfs = hostfs
+ }
+
+ return &Module{BaseModule: base, HostFS: hostfs}, nil
+}
+
+func (m Module) GetHostFS() string {
+ return m.HostFS
}
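Review bot: The error from `base.UnpackConfig(&partialConfig)` is discarded, so a malformed `system.hostfs` value under Fleet silently falls back to `/` instead of failing the module; check it, e.g. `if err := base.UnpackConfig(&partialConfig); err != nil { return nil, fmt.Errorf("reading system.hostfs: %w", err) }` (`fmt` is not among the visible imports). The hunk also deletes the `// NewModule instatiates the system module` doc comment without a replacement, and the new exported `HostFSConfig` and `SystemModule` have none; add one-liners such as `// SystemModule is implemented by the system module and exposes the resolved hostfs root.` Writing `paths.Paths.Hostfs` from a per-instance constructor, and binding `initModule` via `once.Do` to whichever module is created first, means a second system module configured with a different hostfs is silently served the first one's value, and the global write is unsynchronized if modules are instantiated concurrently; that may be acceptable for the "temporary hack" the comment describes, but a TODO stating the limitation would help whoever removes it.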
diff --git a/metricbeat/modules.d/system.yml b/metricbeat/modules.d/system.yml
index 625e000bd5e..f3f929e8f58 100644
--- a/metricbeat/modules.d/system.yml
+++ b/metricbeat/modules.d/system.yml
@@ -20,8 +20,8 @@
process.include_top_n:
by_cpu: 5 # include top 5 processes by CPU
by_memory: 5 # include top 5 processes by memory
- # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
- #system.hostfs: "/hostfs"
+# Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
+#system.hostfs: "/hostfs"
- module: system
period: 1m
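Review bot: Moving `#system.hostfs: "/hostfs"` to column 0 places it at the root of a file whose root node is a sequence (`- module: system`), so a user who uncomments it as the comment invites gets a YAML parse error rather than a working setting. Per the accompanying `system.go` change, a module-level `system.hostfs` is only consulted under Fleet, while standalone Metricbeat reads the global `paths.Paths.Hostfs` (presumably the top-level `system.hostfs` in metricbeat.yml), so the comment should say where the setting belongs, e.g. `# To monitor a host from within a container set system.hostfs: "/hostfs" at the top level of metricbeat.yml (under Fleet, set it on this module instead).` Keeping the commented line indented under the first module entry at least leaves valid YAML if it is uncommented in place.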
diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml
index 236087aae23..5f931ddde70 100644
--- a/packetbeat/packetbeat.reference.yml
+++ b/packetbeat/packetbeat.reference.yml
@@ -1878,11 +1878,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. packetbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Packetbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -2067,6 +2062,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/packetbeat/tests/system/packetbeat.py b/packetbeat/tests/system/packetbeat.py
index 32a9366ee33..c4727d13183 100644
--- a/packetbeat/tests/system/packetbeat.py
+++ b/packetbeat/tests/system/packetbeat.py
@@ -33,7 +33,7 @@ def setUpClass(self):
def run_packetbeat(self, pcap,
cmd=None,
config="packetbeat.yml",
- output="packetbeat.log",
+ output=None,
extra_args=[],
debug_selectors=[],
exit_code=0,
@@ -44,6 +44,9 @@ def run_packetbeat(self, pcap,
the caller.
"""
+ if output is None:
+ output = "packetbeat-" + self.today + ".ndjson"
+
if cmd is None:
cmd = self.beat_path + "/packetbeat.test"
@@ -87,7 +90,7 @@ def run_packetbeat(self, pcap,
def start_packetbeat(self,
cmd=None,
config="packetbeat.yml",
- output="packetbeat.log",
+ output=None,
extra_args=[],
debug_selectors=[]):
"""
@@ -95,6 +98,9 @@ def start_packetbeat(self,
caller is responsible for stopping / waiting for the
Proc instance.
"""
+ if output is None:
+ output = "packetbeat-" + self.today + ".ndjson"
+
if cmd is None:
cmd = self.beat_path + "/packetbeat.test"
@@ -119,9 +125,14 @@ def start_packetbeat(self,
return proc
def read_output(self,
- output_file="output/packetbeat",
+ output_file=None,
types=None,
required_fields=None):
+
+ if output_file is None:
+ output_file = "output/packetbeat-"+self.today+".ndjson"
+ print(output_file)
+
jsons = []
with open(os.path.join(self.working_dir, output_file), "r", encoding='utf_8') as f:
for line in f:
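Review bot: `print(output_file)` in `read_output` is leftover debugging output that will interleave with the test runner's output on every call; drop it or route it through the test's logger. The default path also bakes `self.today` into the filename at call time, so a test that starts Packetbeat just before midnight and reads after it looks for a file that does not exist; where `self.today` is set is not visible here, so if it is computed once per test class this is fine and worth a comment, otherwise the output name should be captured when the beat is started and reused. `read_output` continues past the end of the hunk.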
diff --git a/packetbeat/tests/system/test_0002_thrift_basics.py b/packetbeat/tests/system/test_0002_thrift_basics.py
index 6e0154a437c..a1a66742bdc 100644
--- a/packetbeat/tests/system/test_0002_thrift_basics.py
+++ b/packetbeat/tests/system/test_0002_thrift_basics.py
@@ -208,7 +208,7 @@ def test_thrift_send_request_response(self):
self.run_packetbeat(pcap="thrift_integration.pcap",
debug_selectors=["thrift"])
- objs = self.read_output()
+ objs = self.read_output(output_file="output/packetbeat-" + self.today + "-1.ndjson")
assert all(["request" not in o for o in objs])
assert all(["response" not in o for o in objs])
diff --git a/packetbeat/tests/system/test_0006_wsgi.py b/packetbeat/tests/system/test_0006_wsgi.py
index 6f905942449..02e52b885a3 100644
--- a/packetbeat/tests/system/test_0006_wsgi.py
+++ b/packetbeat/tests/system/test_0006_wsgi.py
@@ -100,7 +100,7 @@ def test_send_headers_options(self):
)
self.run_packetbeat(pcap="wsgi_loopback.pcap")
- objs = self.read_output()
+ objs = self.read_output(output_file="output/packetbeat-" + self.today + "-1.ndjson")
assert len(objs) == 1
o = objs[0]
@@ -119,7 +119,7 @@ def test_send_headers_options(self):
)
self.run_packetbeat(pcap="wsgi_loopback.pcap")
- objs = self.read_output()
+ objs = self.read_output(output_file="output/packetbeat-" + self.today + "-2.ndjson")
assert len(objs) == 1
o = objs[0]
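Review bot: Hard-coding `-1.ndjson` and `-2.ndjson` couples this assertion to the output-file rotation counter produced by the earlier `run_packetbeat` call in the same test, so reordering, skipping or re-running either half of `test_send_headers_options` changes which file (if any) the suffix points at. Have `run_packetbeat` return the output path it configured and pass that here, or let `read_output` pick the newest `output/packetbeat-*.ndjson`, instead of inferring the suffix in each test. The same pattern is used in `test_0002_thrift_basics.py` in this change.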
diff --git a/testing/environments/docker/kafka/Dockerfile b/testing/environments/docker/kafka/Dockerfile
index ff38db49e39..1a5e58836bc 100644
--- a/testing/environments/docker/kafka/Dockerfile
+++ b/testing/environments/docker/kafka/Dockerfile
@@ -18,8 +18,11 @@ RUN mkdir -p ${KAFKA_LOGS_DIR} && mkdir -p ${KAFKA_HOME} && \
ADD run.sh /run.sh
ADD healthcheck.sh /healthcheck.sh
+ADD certs/broker.keystore.jks /broker.keystore.jks
+ADD certs/client.truststore.jks /broker.truststore.jks
EXPOSE 9092
+EXPOSE 9093
EXPOSE 2181
# healthcheck.sh tries to create and delete an empty kafka topic (the topic
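Review bot: `ADD certs/client.truststore.jks /broker.truststore.jks` installs the file named as the client trust store under the broker's name; sharing one CA between both sides is probably intended, but a comment such as `# broker and client share the single test CA, so the client trust store doubles as the broker's` would stop the next reader from treating it as a copy-paste slip. Use `COPY` rather than `ADD` for local files: `ADD` also fetches URLs and auto-extracts archives, while `COPY` states the intent exactly. The keystore carries the broker's private key and its password is published in the accompanying README, which is acceptable for a throwaway test fixture but should be marked as such in the Dockerfile (`# test-only credentials, never reuse outside this environment`) so the image is not promoted to anything real.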
diff --git a/testing/environments/docker/kafka/README.md b/testing/environments/docker/kafka/README.md
new file mode 100644
index 00000000000..6a7306e2423
--- /dev/null
+++ b/testing/environments/docker/kafka/README.md
@@ -0,0 +1,35 @@
+# Kafka test container
+
+This Docker container provides an environment for testing with Kafka. It exposes two ports to the host system, `9092` for `PLAINTEXT` and `9093` for `SASL/SSL` with username `beats` and password `KafkaTest`.
+
+## Certificates
+
+The test environment uses a self-signed SSL certificate in the broker. To connect, clients will need to set `certs/client.truststore.jks` as their trust store.
+
+The files in the `certs` directory were generated with these commands:
+
+```sh
+# create the broker's key
+keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -validity 5000 -keyalg RSA -genkey
+
+What is your first and last name?
+ [Unknown]: kafka
+ ...
+
+# create a new certificate authority
+openssl req -new -x509 -keyout ca-key -out ca-cert -days 5000
+
+# add the CA to the kafka client's trust store
+keytool -keystore client.truststore.jks -storepass KafkaTest -alias CARoot -keyalg RSA -import -file ca-cert
+
+# export the server certificate
+keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -certreq -file broker-cert
+
+# sign it with the CA
+openssl x509 -req -CA ca-cert -CAkey ca-key -in broker-cert -out broker-cert-signed -days 5000 -CAcreateserial -passin pass:KafkaTest
+
+# import CA and signed cert back into server keystore
+keytool -keystore broker.keystore.jks -storepass KafkaTest -alias CARoot -import -file ca-cert
+keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -import -file broker-cert-signed
+
+```
diff --git a/testing/environments/docker/kafka/certs/broker-cert b/testing/environments/docker/kafka/certs/broker-cert
new file mode 100644
index 00000000000..3a7d9e2498a
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/broker-cert
@@ -0,0 +1,18 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIC3zCCAccCAQAwajEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93
+bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH
+VW5rbm93bjEOMAwGA1UEAxMFa2Fma2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCH8VYN9FMHXjnLUwT0AJDKM0u/jXE0ng1UfWPVQaVI+Eny+vmf1zDm
+d/AoqXaYKzVNvyRXCy1BZGaLVA3go1U7+tVjtniuLTmveE07PuX4w9/ukZPKlUxf
+KCjYCmh38BeYiJA2inaxScDO2hxHfB2pulsM+l9+q0NMXFe6RSUAKS0pAeY8KLz9
+yWg9hfq6JPuPT14HZmyxLn+1SwRbZZ+TQjlAHfZFpu/igg6cif/ez30z5Gqci+2i
+VPlwl9peEsaXn5wbuP6J2Uo6dMoGiFyxFdGCWVWP9WDncvfYKJwQs09QdbFLxAst
+BYSmOTszUP+h0SohaxpdC4AOcJxs+MwhAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAf
+MB0GA1UdDgQWBBRFzbnwQXp+h4xE233eH3D+KfozxTANBgkqhkiG9w0BAQsFAAOC
+AQEAQti4SPU8KfSoeLbLUic7UciVmwO0TZtiG+Y6fCTdRm7SYovg2zXH576ERClf
+JQCzUuMH1Fi6k5adhMUxopJrVirZWOANoffe3yY/PUuFPMv5rvjmG7JqRNloNFYC
+4Jah/XeITkw3BcwYxvY3lOZeXgBoRI+PwaD4JNHYf9ruc8cxY59lbWGCQOdbWYuk
+ex/Y/rdmiv1cZpVAYY3VkdUnISXf4eePz4+hUdyuNGYt8Rh/dCj0D/1Xdo9jguUw
+IWihuXNfH5hBzBp2hX49tCa7j8stOQW6+AS+ysUBRseFNnsu9j95PD+ue9GU5ZLR
+mQzlkeZcfimH796e6XF81oCDkA==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/testing/environments/docker/kafka/certs/broker-cert-signed b/testing/environments/docker/kafka/certs/broker-cert-signed
new file mode 100644
index 00000000000..b023f3c146d
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/broker-cert-signed
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdsCCQC1GCJdAf28SzANBgkqhkiG9w0BAQUFADANMQswCQYDVQQGEwJV
+UzAeFw0yMTEwMjEyMDM0MTBaFw0zNTA2MzAyMDM0MTBaMGoxEDAOBgNVBAYTB1Vu
+a25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNV
+BAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDjAMBgNVBAMTBWthZmthMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh/FWDfRTB145y1ME9ACQyjNL
+v41xNJ4NVH1j1UGlSPhJ8vr5n9cw5nfwKKl2mCs1Tb8kVwstQWRmi1QN4KNVO/rV
+Y7Z4ri05r3hNOz7l+MPf7pGTypVMXygo2Apod/AXmIiQNop2sUnAztocR3wdqbpb
+DPpffqtDTFxXukUlACktKQHmPCi8/cloPYX6uiT7j09eB2ZssS5/tUsEW2Wfk0I5
+QB32Rabv4oIOnIn/3s99M+RqnIvtolT5cJfaXhLGl5+cG7j+idlKOnTKBohcsRXR
+gllVj/Vg53L32CicELNPUHWxS8QLLQWEpjk7M1D/odEqIWsaXQuADnCcbPjMIQID
+AQABMA0GCSqGSIb3DQEBBQUAA4IBAQCMGbXC2YdC9+jJjUvuEJIQGwpapJ5Dejng
+cnvE//+x8A4W9vC7OJUHcML2GGQIrgvYWlmsCEWX1lJtcVIbqkTqq9Sq99htdMfM
+ay4fJB/ey005bhcbEP+19342HkmoOUkEg7qGWZhhL05y0m1vxKvKSUX3p+4TyW1Y
+AheRbb9j41Ld3E8+COGwqIWpMNfsGjLqWjUIajemFH91Eo2FFvshM/5ly12GZEil
+ivmUqSzV7o6ri0V7DZ5NPOSXEbiMQj5FfmImqXbo7JtBqM/H9S2yAPXZBfAloVNv
+XvjG0dY8cnYwGL5MSRiZEuJdimptWnMzFXbD8zyRxSIUMpbDcHNf
+-----END CERTIFICATE-----
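Review bot: The signature algorithm encoded in this leaf certificate is sha1WithRSAEncryption (OID 1.2.840.113549.1.1.5, the `...DQEBBQUA` bytes in the first and last base64 lines), while `ca-cert` in the same change is sha256WithRSA, and the certificate is X.509 v1 with no subjectAltName — presumably because the README's `openssl x509 -req` was run without `-sha256` (older OpenSSL/LibreSSL default to SHA-1 there) and without an `-extfile`. Depending on the Go version the client is built with, crypto/x509 rejects SHA-1 certificate signatures during chain verification (Go 1.18+) and ignores the CN for hostname matching (Go 1.15+), so a Beats client doing full verification against port 9093 would fail with this certificate and only `ssl.verification_mode: none` would work, which is exactly what a TLS test fixture should not require. Regenerate the leaf with `openssl x509 -req -sha256 -extfile <(printf 'subjectAltName=DNS:kafka') -CA ca-cert -CAkey ca-key -in broker-cert -out broker-cert-signed -days 5000 -CAcreateserial -passin pass:KafkaTest`, re-import it into `broker.keystore.jks`, and update the command in the README so the next regeneration does not reintroduce this.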
diff --git a/testing/environments/docker/kafka/certs/broker.keystore.jks b/testing/environments/docker/kafka/certs/broker.keystore.jks
new file mode 100644
index 00000000000..aa03364e3ac
Binary files /dev/null and b/testing/environments/docker/kafka/certs/broker.keystore.jks differ
diff --git a/testing/environments/docker/kafka/certs/ca-cert b/testing/environments/docker/kafka/certs/ca-cert
new file mode 100644
index 00000000000..725647f9d8b
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/ca-cert
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICljCCAX4CCQD+dvzut8IfyTANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJV
+UzAeFw0yMTEwMjEyMDMyMDJaFw0zNTA2MzAyMDMyMDJaMA0xCzAJBgNVBAYTAlVT
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlR6sKchCTM0qdrjAdWqR
+BmSLfHHe+LB43B0T/+3Y1fporzg2eZC1dPCf7TXLzL92NOlJ+JQCsfb160gKTGfb
+7+z2jm+vumbYlKVffsD7MjNdW8SDu9hfMa2DyTY742n3R/X8pc4VK0fdlTQx22Zp
+aIA+XwD6hHxZQS9PHVNwTFUoPkP4jevcFANwjLUBgy3dPK0iWdVILnaAwEBg82z3
+zWRJ7I4Eg6KS+GtwZPovhiHqcJpz7QPrmggCglL8q0YZQrVrYNucRV1sjPAhEfTA
+Sh7Z0UVYdx5+jJq7MyslBqzEM0OrmKrldrTHOAo9+cTc1GiKGRBhVei2R2fP2XAC
+HQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA37KiWMR6SZRmlLKV7hP9/9H1cL1FJ
+OPa5MKcwh8Q38IRALCF5SlxxOByP8O01ZInkWjR3jJbMc/k4RwxQXfzYDvB4jleU
+MyX63qekIsxFdUn+fzt+wA0xb7tOPGVUbM6QI++YH28p8yzSdY/bXrjRweQuVRC0
+B+0zMijI1uU6GRME9+e1OLsN5rDzCFEJUra/+UDc23BTOjC6Az00UKpOGv6oAqg8
+iuCOeVCRVPtd7mGJK1dGW3WXV3pbsu4EvfXve9qFFV/7d811JNBjnhF5lFN2JGVs
+Ka9JebJ8EKWff6Ns14FJ2cOG3tx7KuWcnfTdma/mH4PeGoU1Og5Ln/ea
+-----END CERTIFICATE-----
diff --git a/testing/environments/docker/kafka/certs/ca-cert.srl b/testing/environments/docker/kafka/certs/ca-cert.srl
new file mode 100644
index 00000000000..3336d99a9a3
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/ca-cert.srl
@@ -0,0 +1 @@
+B518225D01FDBC4B
diff --git a/testing/environments/docker/kafka/certs/ca-key b/testing/environments/docker/kafka/certs/ca-key
new file mode 100644
index 00000000000..63ab92b23aa
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/ca-key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
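Review bot: `ca-key` is the private key of the CA that `client.truststore.jks` trusts, and its passphrase is printed in the README (`-passin pass:KafkaTest`), so anyone with the repository can mint certificates that this client trust store accepts. That is acceptable for a throwaway test fixture, but it should be stated, e.g. a README line such as `These certificates and the CA key are for the test container only; never load client.truststore.jks into a real client or reuse ca-key elsewhere.` Only the keystore and the client trust store appear to be consumed at runtime (run.sh references `/broker.keystore.jks`, the README tells clients to use `client.truststore.jks`), so `ca-key`, `broker-cert` and `ca-cert.srl` look like regeneration artifacts that could be left out of the commit entirely.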
diff --git a/testing/environments/docker/kafka/certs/client.truststore.jks b/testing/environments/docker/kafka/certs/client.truststore.jks
new file mode 100644
index 00000000000..7b18b3f645e
Binary files /dev/null and b/testing/environments/docker/kafka/certs/client.truststore.jks differ
diff --git a/testing/environments/docker/kafka/run.sh b/testing/environments/docker/kafka/run.sh
index 873f6951acc..bfacf2a7242 100755
--- a/testing/environments/docker/kafka/run.sh
+++ b/testing/environments/docker/kafka/run.sh
@@ -16,13 +16,31 @@ echo "Starting ZooKeeper"
${KAFKA_HOME}/bin/zookeeper-server-start.sh ${KAFKA_HOME}/config/zookeeper.properties &
wait_for_port 2181
+# create a user beats with password KafkaTest, for use in client SASL authentication
+/kafka/bin/kafka-configs.sh \
+ --zookeeper localhost:2181 \
+ --alter --add-config 'SCRAM-SHA-512=[password=KafkaTest]' \
+ --entity-type users \
+ --entity-name beats
+
echo "Starting Kafka broker"
mkdir -p ${KAFKA_LOGS_DIR}
${KAFKA_HOME}/bin/kafka-server-start.sh ${KAFKA_HOME}/config/server.properties \
- --override delete.topic.enable=true --override advertised.host.name=${KAFKA_ADVERTISED_HOST} \
- --override listeners=PLAINTEXT://0.0.0.0:9092 \
- --override logs.dir=${KAFKA_LOGS_DIR} --override log.flush.interval.ms=200 \
- --override num.partitions=3 &
+ --override delete.topic.enable=true \
+ --override advertised.host.name=${KAFKA_ADVERTISED_HOST} \
+ --override listeners=PLAINTEXT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093 \
+ --override advertised.listeners=PLAINTEXT://${KAFKA_ADVERTISED_HOST}:9092,SASL_SSL://${KAFKA_ADVERTISED_HOST}:9093 \
+ --override inter.broker.listener.name=PLAINTEXT \
+ --override sasl.enabled.mechanisms=SCRAM-SHA-512 \
+ --override listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config="org.apache.kafka.common.security.scram.ScramLoginModule required;" \
+ --override logs.dir=${KAFKA_LOGS_DIR} \
+ --override log4j.logger.kafka=DEBUG,kafkaAppender \
+ --override log.flush.interval.ms=200 \
+ --override num.partitions=3 \
+ --override ssl.keystore.location=/broker.keystore.jks \
+ --override ssl.keystore.password=KafkaTest \
+ --override ssl.truststore.location=/broker.truststore.jks \
+ --override ssl.truststore.password=KafkaTest &
wait_for_port 9092
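Review bot: `ssl.truststore.location=/broker.truststore.jks` points at a file this change does not add — the certs directory gains only `broker.keystore.jks` and `client.truststore.jks` — so unless the Dockerfile (not in this diff) creates it, Kafka will fail to build the SSL engine for the SASL_SSL listener at startup and `wait_for_port 9092` will never return. The broker does not need a trust store here at all: `ssl.client.auth` is left at its default, so no client certificates are requested, and `inter.broker.listener.name=PLAINTEXT` keeps broker-to-broker traffic off TLS, so the two `ssl.truststore.*` overrides can simply be dropped. Add `wait_for_port 9093` after the existing `wait_for_port 9092` so callers do not race the SASL_SSL listener. The `log4j.logger.kafka=DEBUG,kafkaAppender` override is not a broker configuration key and is, as far as I can tell, ignored by `--override`; if DEBUG broker logging is wanted it belongs in log4j.properties.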
diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py
index 306f6cf38ef..aefab4344ba 100644
--- a/winlogbeat/tests/system/test_config.py
+++ b/winlogbeat/tests/system/test_config.py
@@ -82,7 +82,7 @@ def run_config_tst(self, pcap=None, exit_code=0):
args.extend(["test", "config"])
- output = "winlogbeat.log"
+ output = "winlogbeat-" + self.today + ".ndjson"
with open(os.path.join(self.working_dir, output), "wb") as outfile:
proc = subprocess.Popen(args,
diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py
index 347b8585d05..9bbf5a7ded4 100644
--- a/winlogbeat/tests/system/test_wineventlog.py
+++ b/winlogbeat/tests/system/test_wineventlog.py
@@ -52,7 +52,7 @@ def test_resume_reading_events(self):
# remove the output file, otherwise there is a race condition
# in read_events() below where it reads the results of the previous
# execution
- os.unlink(os.path.join(self.working_dir, "output", self.beat_name))
+ os.unlink(os.path.join(self.working_dir, "output", self.beat_name + "-" + self.today + ".ndjson"))
msg = "Second event"
self.write_event_log(msg)
diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml
index f552d889c81..4cca1af761e 100644
--- a/winlogbeat/winlogbeat.reference.yml
+++ b/winlogbeat/winlogbeat.reference.yml
@@ -1306,11 +1306,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. winlogbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1495,6 +1490,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
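Review bot: The new comment on `http.pprof.enabled` says the endpoints "may leak data" but not what or how to contain it: the profiles served there (heap, goroutine, allocs) can contain in-memory credentials and event payloads, and the only thing limiting exposure is the address the stats endpoint binds to. Suggest expanding it to something like `# The pprof endpoints expose heap and goroutine dumps that can contain in-memory credentials and event data. Enable them only while debugging, keep http.host on a loopback address, and disable them again afterwards.` The identical hunk appears in the auditbeat and filebeat reference files below, so the wording presumably lives in a shared template and should be changed there.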
diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
index f3d976b2edf..f52cc6feab1 100644
--- a/x-pack/auditbeat/auditbeat.reference.yml
+++ b/x-pack/auditbeat/auditbeat.reference.yml
@@ -1439,11 +1439,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. auditbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1628,6 +1623,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/x-pack/auditbeat/tracing/decoder.go b/x-pack/auditbeat/tracing/decoder.go
index 88797351e1e..f087a4f5225 100644
--- a/x-pack/auditbeat/tracing/decoder.go
+++ b/x-pack/auditbeat/tracing/decoder.go
@@ -320,9 +320,8 @@ func (d *structDecoder) Decode(raw []byte, meta Metadata) (s interface{}, err er
}
switch dec.typ {
case FieldTypeInteger:
- if err := copyInt(
- unsafe.Pointer(uintptr(destPtr)+dec.dst),
- unsafe.Pointer(&raw[dec.src]), uint8(dec.len)); err != nil {
+ err := copyInt(unsafe.Add(destPtr, dec.dst), unsafe.Pointer(&raw[dec.src]), uint8(dec.len))
+ if err != nil {
return nil, fmt.Errorf("bad size=%d for integer field=%s", dec.len, dec.name)
}
@@ -335,13 +334,13 @@ func (d *structDecoder) Decode(raw []byte, meta Metadata) (s interface{}, err er
if len > 0 && raw[offset+len-1] == 0 {
len--
}
- *((*string)(unsafe.Pointer(uintptr(destPtr) + dec.dst))) = string(raw[offset : offset+len])
+ *(*string)(unsafe.Add(destPtr, dec.dst)) = string(raw[offset : offset+len])
case FieldTypeMeta:
- *(*Metadata)(unsafe.Pointer(uintptr(destPtr) + dec.dst)) = meta
+ *(*Metadata)(unsafe.Add(destPtr, dec.dst)) = meta
case FieldTypeRaw:
- copy((*(*[maxRawCopySize]byte)(unsafe.Pointer(uintptr(destPtr) + dec.dst)))[:dec.len], raw[dec.src:dec.src+dec.len])
+ copy(unsafe.Slice((*byte)(unsafe.Add(destPtr, dec.dst)), dec.len), raw[dec.src:])
}
}
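Review bot: The raw-field copy in the last case drops two bounds that the old expression enforced: `raw[dec.src:dec.src+dec.len]` panicked when the input was shorter than the field, and slicing the `[maxRawCopySize]byte` array panicked when `dec.len` exceeded `maxRawCopySize`, whereas `unsafe.Slice(..., dec.len)` with `raw[dec.src:]` now silently copies a truncated prefix when `raw` is short and writes `dec.len` bytes into the destination struct with no cap at all. Unless field lengths are validated against the destination field size when the decoder is built (outside this hunk), that is an unbounded write into the target struct driven by the decoder definition, and a short kprobe record now yields a partially filled struct instead of an error. I would keep an explicit length check that returns an error the way the integer case does; `Decode` starts and ends outside this hunk.
```go
	case FieldTypeRaw:
		if int(dec.src+dec.len) > len(raw) {
			return nil, fmt.Errorf("raw field=%s (offset=%d len=%d) exceeds input size=%d", dec.name, dec.src, dec.len, len(raw))
		}
		copy(unsafe.Slice((*byte)(unsafe.Add(destPtr, dec.dst)), dec.len), raw[dec.src:dec.src+dec.len])
```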
diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go
index dedec28762a..19cd40cda91 100644
--- a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go
+++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go
@@ -234,10 +234,8 @@ func (o *Operator) getMonitoringFilebeatConfig(outputType string, output interfa
},
},
"paths": []string{
- filepath.Join(paths.Home(), "logs", "elastic-agent-json.log"),
- filepath.Join(paths.Home(), "logs", "elastic-agent-json.log*"),
- filepath.Join(paths.Home(), "logs", "elastic-agent-watcher-json.log"),
- filepath.Join(paths.Home(), "logs", "elastic-agent-watcher-json.log*"),
+ filepath.Join(paths.Home(), "logs", "elastic-agent-*.ndjson"),
+ filepath.Join(paths.Home(), "logs", "elastic-agent-watcher-*.ndjson"),
},
"index": fmt.Sprintf("logs-elastic_agent-%s", monitoringNamespace),
"processors": []map[string]interface{}{
diff --git a/x-pack/elastic-agent/pkg/core/logger/logger.go b/x-pack/elastic-agent/pkg/core/logger/logger.go
index 77cc4260acc..a63bc94f9de 100644
--- a/x-pack/elastic-agent/pkg/core/logger/logger.go
+++ b/x-pack/elastic-agent/pkg/core/logger/logger.go
@@ -103,7 +103,6 @@ func DefaultLoggingConfig() *Config {
cfg.ToFiles = true
cfg.Files.Path = paths.Logs()
cfg.Files.Name = agentName
- cfg.Files.Suffix = file.SuffixDate
return &cfg
}
@@ -115,7 +114,7 @@ func makeInternalFileOutput(cfg *Config) (zapcore.Core, error) {
// defaultCfg is used to set the defaults for the file rotation of the internal logging
// these settings cannot be changed by a user configuration
defaultCfg := logp.DefaultConfig(logp.DefaultEnvironment)
- filename := filepath.Join(paths.Home(), "logs", fmt.Sprintf("%s-json.log", cfg.Beat))
+ filename := filepath.Join(paths.Home(), "logs", cfg.Beat)
rotator, err := file.NewFileRotator(filename,
file.MaxSizeBytes(defaultCfg.Files.MaxSize),
@@ -124,7 +123,6 @@ func makeInternalFileOutput(cfg *Config) (zapcore.Core, error) {
file.Interval(defaultCfg.Files.Interval),
file.RotateOnStartup(defaultCfg.Files.RotateOnStartup),
file.RedirectStderr(defaultCfg.Files.RedirectStderr),
- file.Suffix(cfg.Files.Suffix),
)
if err != nil {
return nil, errors.New("failed to create internal file rotator")
diff --git a/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go b/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go
index f96f5ecf916..e00860ec1f1 100644
--- a/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go
+++ b/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go
@@ -131,7 +131,7 @@ func (b *Monitor) EnrichArgs(spec program.Spec, pipelineID string, args []string
if isSidecar {
logFile += "_monitor"
}
- logFile = fmt.Sprintf("%s-json.log", logFile)
+ logFile = fmt.Sprintf("%s", logFile)
appendix = append(appendix,
"-E", "logging.files.path="+loggingPath,
"-E", "logging.files.name="+logFile,
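Review bot: `logFile = fmt.Sprintf("%s", logFile)` on the new line is a no-op — it formats a string into itself — and staticcheck flags exactly this pattern (S1025); delete the line rather than leaving a placeholder, and if it was the file's last use of `fmt`, drop that import too. If the intent was to record that the suffix is now added by the rotator (the Python tests in this change look for `<beat>-<date>.ndjson`), a comment says that better than dead code: `// the file rotator appends the date suffix and .ndjson extension itself`.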
diff --git a/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go b/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go
index 240ce5adbb2..d56aee0ef2b 100644
--- a/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go
+++ b/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go
@@ -16,9 +16,9 @@ import (
const (
// args: data path, pipeline name, application name
- logFileFormat = "%s/logs/%s/%s-json.log"
+ logFileFormat = "%s/logs/%s/%s"
// args: data path, install path, pipeline name, application name
- logFileFormatWin = "%s\\logs\\%s\\%s-json.log"
+ logFileFormatWin = "%s\\logs\\%s\\%s"
// args: pipeline name, application name
mbEndpointFileFormatWin = `npipe:///%s-%s`
diff --git a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc
index 5a4a6dc8b3d..ec7a16cd67b 100644
--- a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc
+++ b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc
@@ -17,7 +17,7 @@ The use of SQS notification is preferred: polling list of S3 objects is expensiv
in terms of performance and costs and should be preferably used only when no SQS
notification can be attached to the S3 buckets. This input can, for example, be
used to receive S3 access logs to monitor detailed records for the requests that
-are made to a bucket.
+are made to a bucket. This input also supports S3 notification from SNS to SQS.
SQS notification method is enabled setting `queue_url` configuration value.
S3 bucket list polling method is enabled setting `bucket_arn` configuration value.
@@ -282,6 +282,90 @@ attribute. The default value is 5.
If you have configured a dead letter queue then you can set this value to
`-1` to disable deletion on failure.
+[float]
+==== `sqs.notification_parsing_script.source`
+
+Inline Javascript source code.
+
+[source,yaml]
+----
+sqs.notification_parsing_script.source: >
+ function parse(notification) {
+ var evts = [];
+ var evt = new S3EventV2();
+ evt.SetS3BucketName(notification.bucket);
+ evt.SetS3ObjectKey(notification.path);
+ evts.push(evt);
+ return evts;
+ }
+----
+
+[float]
+==== `sqs.notification_parsing_script.file`
+
+Path to a script file to load. Relative paths are interpreted as
+relative to the `path.config` directory. Globs are expanded.
+
+This loads `filter.js` from disk.
+
+[source,yaml]
+----
+sqs.notification_parsing_script.file: ${path.config}/filter.js
+----
+
+[float]
+==== `sqs.notification_parsing_script.files`
+
+List of script files to load. The scripts are concatenated together.
+Relative paths are interpreted as relative to the `path.config` directory.
+And globs are expanded.
+
+[float]
+==== `sqs.notification_parsing_script.params`
+
+A dictionary of parameters that are passed to the `register` of the
+script.
+
+Parameters can be passed to the script by adding `params` to the config.
+This allows for a script to be made reusable. When using `params` the
+code must define a `register(params)` function to receive the parameters.
+
+[source,yaml]
+----
+sqs.notification_parsing_script:
+ params:
+ provider: aws:s3
+ source: >
+ var params = {provider: ""};
+ function register(scriptParams) {
+ params = scriptParams;
+ }
+ function parse(notification) {
+ var evts = [];
+ var evt = new S3EventV2();
+ evt.SetS3BucketName(notification.bucket);
+ evt.SetS3ObjectKey(notification.path);
+ evt.SetProvider(params.provider);
+ evts.push(evt);
+ return evts;
+ }
+----
+
+[float]
+==== `sqs.notification_parsing_script.timeout`
+
+This sets an execution timeout for the `process` function. When
+the `process` function takes longer than the `timeout` period the function
+is interrupted. You can set this option to prevent a script from running for
+too long (like preventing an infinite `while` loop). By default there is no
+timeout.
+
+[float]
+==== `sqs.notification_parsing_script.max_cached_sessions`
+
+This sets the maximum number of Javascript VM sessions
+that will be cached to avoid reallocation.
+
[float]
==== `sqs.wait_time`
@@ -386,6 +470,14 @@ create a notification through SQS. Please see
https://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html#step1-create-sqs-queue-for-notification[create-sqs-queue-for-notification]
for more details.
+[float]
+=== S3 -> SNS -> SQS setup
+If you would like to use the bucket notification in multiple different consumers
+(others than {beatname_lc}), you should use an SNS topic for the bucket notification.
+Please see https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html#step1-create-sns-topic-for-notification[create-SNS-topic-for-notification]
+for more details. SQS queue will be configured as a
+https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html[subscriber to the SNS topic].
+
[float]
=== Parallel Processing
@@ -418,6 +510,177 @@ Therefore, when using the polling list of S3 bucket objects method, scaling shou
vertical, with a single bigger {beatname_uc} instance and higher `number_of_workers`
config value.
+[float]
+=== SQS Custom Notification Parsing Script
+
+Under some circumstances you might want to listen to events that are not following
+the standard SQS notifications format. To be able to parse them, it is possible to
+define a custom script that will take care of processing them and generating the
+required list of S3 Events used to download the files.
+
+The `sqs.notification_parsing_script` executes Javascript code to process an event.
+It uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies.
+
+It can be configured by embedding Javascript in your configuration file or by pointing
+the processor at external file(s). Only one of the options `sqs.notification_parsing_script.source`, `sqs.notification_parsing_script.file`, and `sqs.notification_parsing_script.files`
+can be set at the same time.
+
+The script requires a `parse(notification)` function that receives the notification as
+a raw string and returns a list of `S3EventV2` objects. This raw string can then be
+processed as needed, e.g.: `JSON.parse(n)` or the provided helper for XML `new XMLDecoder(n)`.
+
+If the script defines a `test()` function it will be invoked when it is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script.
+
+[source,javascript]
+----
+function parse(n) {
+ var m = JSON.parse(n);
+ var evts = [];
+ var files = m.files;
+ var bucket = m.bucket;
+
+ if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
+ return evts;
+ }
+
+ files.forEach(function(f){
+ var evt = new S3EventV2();
+ evt.SetS3BucketName(bucket);
+ evt.SetS3ObjectKey(f.path);
+ evts.push(evt);
+ });
+
+ return evts;
+}
+
+function test() {
+ var events = parse({bucket: "aBucket", files: [{path: "path/to/file"}]});
+ if (events.length !== 1) {
+ throw "expecting one event";
+ }
+ if (events[0].S3.Bucket.Name === "aBucket") {
+ throw "expected bucket === aBucket";
+ }
+ if (events[0].S3.Object.Key === "path/to/file") {
+ throw "expected bucket === path/to/file";
+ }
+}
+----
+
+[float]
+==== S3EventV2 API
+
+The `S3EventV2` object returned by the `parse` method.
+
+[frame="topbot",options="header"]
+|===
+|Method |Description
+
+|`new S3EventV2()`
+|Returns a new `S3EventV2` object.
+
+*Example*: `var evt = new S3EventV2();`
+
+|`SetAWSRegion(string)`
+|Sets the AWS region.
+
+*Example*: `evt.SetAWSRegion("us-east-1");`
+
+|`SetProvider(string)`
+|Sets the provider.
+
+*Example*: `evt.SetProvider("provider");`
+
+|`SetEventName(string)`
+|Sets the event name.
+
+*Example*: `evt.SetEventName("event-type");`
+
+|`SetEventSource(string)`
+|Sets the event surce.
+
+*Example*: `evt.SetEventSource("aws:s3");`
+
+|`SetS3BucketName(string)`
+|Sets the bucket name.
+
+*Example*: `evt.SetS3BucketName("bucket-name");`
+
+|`SetS3BucketARN(string)`
+|Sets the bucket ARN.
+
+*Example*: `evt.SetS3BucketARN("bucket-ARN");`
+
+|`SetS3ObjectKey(string)`
+|Sets the object key.
+
+*Example*: `evt.SetS3ObjectKey("path/to/object");`
+
+|===
+
+In order to be able to retrieve an S3 object successfully, at least `S3.Object.Key`
+and `S3.Bucket.Name` properties must be set (using the provided setters). The other
+properties will be used as metadata in the resulting event when available.
+
+[float]
+==== XMLDecoder API
+
+To help with XML decoding, an `XMLDecoder` class is provided.
+
+Example XML input:
+
+[source,xml]
+-------------------------------------------------------------------------------
+
+
+ William H. Gaddis
+ The Recognitions
+ One of the great seminal American novels of the 20th century.
+
+
+-------------------------------------------------------------------------------
+
+Will produce the following output:
+
+[source,json]
+-------------------------------------------------------------------------------
+{
+ "catalog": {
+ "book": {
+ "author": "William H. Gaddis",
+ "review": "One of the great seminal American novels of the 20th century.",
+ "seq": "1",
+ "title": "The Recognitions"
+ }
+ }
+}
+-------------------------------------------------------------------------------
+
+[frame="topbot",options="header"]
+|===
+|Method |Description
+
+|`new XMLDecoder(string)`
+|Returns a new `XMLDecoder` object to decode the provided `string`.
+
+*Example*: `var dec = new XMLDecoder(n);`
+
+|`PrependHyphenToAttr()`
+|Causes the Decoder to prepend a hyphen (`-`) to to all XML attribute names.
+
+*Example*: `dec.PrependHyphenToAttr();`
+
+|`LowercaseKeys()`
+|Causes the Decoder to transform all key name to lowercase.
+
+*Example*: `dec.LowercaseKeys();`
+
+|`Decode()`
+|Reads the XML string and return a map containing the data.
+
+*Example*: `var m = dec.Decode();`
+
+|===
[float]
=== Metrics
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 79a75defc26..e96b8e7f97d 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -2489,7 +2489,8 @@ filebeat.inputs:
#max_bytes: 10485760
# Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
- # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator.
+ # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+ # null_terminator
#line_terminator: auto
### Recursive glob configuration
@@ -2743,7 +2744,8 @@ filebeat.inputs:
#message_max_bytes: 10485760
# Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
- # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator.
+ # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+ # null_terminator
#line_terminator: auto
# The ingest pipeline ID associated with this input. If this is set, it
@@ -4448,11 +4450,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. filebeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -4637,6 +4634,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/x-pack/filebeat/input/awss3/_meta/terraform/README.md b/x-pack/filebeat/input/awss3/_meta/terraform/README.md
index 7ab27781704..d5614b99a92 100644
--- a/x-pack/filebeat/input/awss3/_meta/terraform/README.md
+++ b/x-pack/filebeat/input/awss3/_meta/terraform/README.md
@@ -1,9 +1,9 @@
# Terraform setup for AWS S3 Input Integration Tests
-This directory contains a Terrafrom module that creates the AWS resources needed
+This directory contains a Terraform module that creates the AWS resources needed
for executing the integration tests for the `aws-s3` Filebeat input. It creates
an S3 bucket and SQS queue and configures S3 `ObjectCreated:*` notifications to
-be delivered to SQS.
+be delivered to SQS. It also creates a second S3 bucket, SNS topic, SQS queue and configures S3 `ObjectCreated:*` notifications to be delivered to SNS and also creates a subscription for this SNS topic to SQS queue to automatically place messages sent to SNS topic in SQS queue.
It outputs configuration information that is consumed by the tests to
`outputs.yml`. The AWS resources are randomly named to prevent name collisions
@@ -33,7 +33,7 @@ to match the AWS region of the profile you are using.
4. Execute the integration test.
```
- cd x-pack/filebeat/inputs/awss3
+ cd x-pack/filebeat/input/awss3
go test -tags aws,integration -run TestInputRun.+ -v .
```
diff --git a/x-pack/filebeat/input/awss3/_meta/terraform/main.tf b/x-pack/filebeat/input/awss3/_meta/terraform/main.tf
index 1b22b8bbfdb..62e86abc787 100644
--- a/x-pack/filebeat/input/awss3/_meta/terraform/main.tf
+++ b/x-pack/filebeat/input/awss3/_meta/terraform/main.tf
@@ -60,3 +60,77 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
aws_sqs_queue.filebeat-integtest,
]
}
+
+resource "aws_sns_topic" "filebeat-integtest-sns" {
+ name = "filebeat-s3-integtest-sns-${random_string.random.result}"
+
+ policy = < 0} {
+ if set {
+ numConfigured++
+ }
+ }
+
+ switch {
+ case numConfigured == 0:
+ return errors.New("javascript must be defined via 'file', " +
+ "'files', or inline as 'source'")
+ case numConfigured > 1:
+ return errors.New("javascript can be defined in only one of " +
+ "'file', 'files', or inline as 'source'")
+ }
+
+ return nil
+}
+
func (rc *readerConfig) InitDefaults() {
rc.BufferSize = 16 * humanize.KiByte
rc.MaxBytes = 10 * humanize.MiByte
diff --git a/x-pack/filebeat/input/awss3/input.go b/x-pack/filebeat/input/awss3/input.go
index 67edf3b5919..bf3f8cf28b2 100644
--- a/x-pack/filebeat/input/awss3/input.go
+++ b/x-pack/filebeat/input/awss3/input.go
@@ -186,8 +186,12 @@ func (in *s3Input) createSQSReceiver(ctx v2.Context, client beat.Client) (*sqsRe
if len(in.config.FileSelectors) == 0 {
fileSelectors = []fileSelectorConfig{{ReaderConfig: in.config.ReaderConfig}}
}
+ script, err := newScriptFromConfig(log.Named("sqs_script"), in.config.SQSScript)
+ if err != nil {
+ return nil, err
+ }
s3EventHandlerFactory := newS3ObjectProcessorFactory(log.Named("s3"), metrics, s3API, client, fileSelectors)
- sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, in.config.VisibilityTimeout, in.config.SQSMaxReceiveCount, s3EventHandlerFactory)
+ sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, script, in.config.VisibilityTimeout, in.config.SQSMaxReceiveCount, s3EventHandlerFactory)
sqsReader := newSQSReader(log.Named("sqs"), metrics, sqsAPI, in.config.MaxNumberOfMessages, sqsMessageHandler)
return sqsReader, nil
@@ -318,9 +322,13 @@ func getProviderFromDomain(endpoint string, ProviderOverride string) string {
}
parsedEndpoint, _ := url.Parse(endpoint)
- domain := parsedEndpoint.Hostname()
for key, provider := range providers {
- if strings.HasSuffix(domain, key) {
+ // support endpoint with and without scheme (http(s)://abc.xyz, abc.xyz)
+ constraint := parsedEndpoint.Hostname()
+ if len(parsedEndpoint.Scheme) == 0 {
+ constraint = parsedEndpoint.Path
+ }
+ if strings.HasSuffix(constraint, key) {
return provider
}
}
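Review bot: The error from `url.Parse` is still discarded, and the new scheme-less form makes that worse: `url.Parse("abc.xyz:443")` fails ("first path segment in URL cannot contain colon"), the nil `parsedEndpoint` is then dereferenced inside the loop, and a mistyped endpoint panics the input instead of falling through to the default. The `constraint` computation does not depend on `key`, so it belongs before the loop rather than being recomputed each iteration. Note also that `strings.HasSuffix(constraint, key)` matches a bare suffix, so if the map keys are plain domains such as `amazonaws.com`, a host like `notamazonaws.com` is classified as that provider — tolerable for operator-supplied config, but a `"."+key`-or-equal check is cheap. The function's fallback return is outside this hunk, so the sketch below leaves it untouched.
```go
	// support endpoint with and without scheme (http(s)://abc.xyz, abc.xyz)
	parsedEndpoint, err := url.Parse(endpoint)
	if err == nil {
		constraint := parsedEndpoint.Hostname()
		if parsedEndpoint.Scheme == "" {
			constraint = parsedEndpoint.Path
		}
		for key, provider := range providers {
			if constraint == key || strings.HasSuffix(constraint, "."+key) {
				return provider
			}
		}
	}
	// … unchanged: fallback return …
```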
diff --git a/x-pack/filebeat/input/awss3/input_benchmark_test.go b/x-pack/filebeat/input/awss3/input_benchmark_test.go
index aabb86b1a6c..ecdc1756ce4 100644
--- a/x-pack/filebeat/input/awss3/input_benchmark_test.go
+++ b/x-pack/filebeat/input/awss3/input_benchmark_test.go
@@ -166,7 +166,7 @@ func benchmarkInputSQS(t *testing.T, maxMessagesInflight int) testing.BenchmarkR
conf := makeBenchmarkConfig(t)
s3EventHandlerFactory := newS3ObjectProcessorFactory(log.Named("s3"), metrics, s3API, client, conf.FileSelectors)
- sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, time.Minute, 5, s3EventHandlerFactory)
+ sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, nil, time.Minute, 5, s3EventHandlerFactory)
sqsReader := newSQSReader(log.Named("sqs"), metrics, sqsAPI, maxMessagesInflight, sqsMessageHandler)
go func() {
diff --git a/x-pack/filebeat/input/awss3/input_integration_test.go b/x-pack/filebeat/input/awss3/input_integration_test.go
index 0ce1c85f505..a7f4f651c07 100644
--- a/x-pack/filebeat/input/awss3/input_integration_test.go
+++ b/x-pack/filebeat/input/awss3/input_integration_test.go
@@ -19,9 +19,12 @@ import (
"testing"
"time"
+ "github.com/aws/aws-sdk-go-v2/service/s3"
+
+ awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws"
+
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/aws/external"
- "github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/s3manager"
"github.com/aws/aws-sdk-go-v2/service/sqs"
"github.com/stretchr/testify/assert"
@@ -36,7 +39,6 @@ import (
pubtest "github.com/elastic/beats/v7/libbeat/publisher/testing"
"github.com/elastic/beats/v7/libbeat/statestore"
"github.com/elastic/beats/v7/libbeat/statestore/storetest"
- awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws"
)
const (
@@ -48,9 +50,11 @@ const (
)
type terraformOutputData struct {
- AWSRegion string `yaml:"aws_region"`
- BucketName string `yaml:"bucket_name"`
- QueueURL string `yaml:"queue_url"`
+ AWSRegion string `yaml:"aws_region"`
+ BucketName string `yaml:"bucket_name"`
+ QueueURL string `yaml:"queue_url"`
+ BucketNameForSNS string `yaml:"bucket_name_for_sns"`
+ QueueURLForSNS string `yaml:"queue_url_for_sns"`
}
func getTerraformOutputs(t *testing.T) terraformOutputData {
@@ -174,11 +178,11 @@ func newV2Context() (v2.Context, func()) {
func TestInputRunSQS(t *testing.T) {
logp.TestingSetup()
- // Terraform is used to setup S3 and SQS and must be executed manually.
+ // Terraform is used to set up S3 and SQS and must be executed manually.
tfConfig := getTerraformOutputs(t)
// Ensure SQS is empty before testing.
- drainSQS(t, tfConfig)
+ drainSQS(t, tfConfig.AWSRegion, tfConfig.QueueURL)
// Ensure metrics are removed before testing.
monitoring.GetNamespace("dataset").GetRegistry().Remove(inputID)
@@ -240,7 +244,7 @@ func TestInputRunSQS(t *testing.T) {
func TestInputRunS3(t *testing.T) {
logp.TestingSetup()
- // Terraform is used to setup S3 and must be executed manually.
+ // Terraform is used to set up S3 and must be executed manually.
tfConfig := getTerraformOutputs(t)
// Ensure metrics are removed before testing.
@@ -297,6 +301,7 @@ func TestInputRunS3(t *testing.T) {
assertMetric(t, snap, "s3_objects_acked_total", 6)
assertMetric(t, snap, "s3_events_created_total", 12)
}
+
func assertMetric(t *testing.T, snapshot common.MapStr, name string, value interface{}) {
n, _ := snapshot.GetValue(inputID + "." + name)
assert.EqualValues(t, value, n, name)
@@ -332,16 +337,16 @@ func uploadS3TestFiles(t *testing.T, region, bucket string, filenames ...string)
}
}
-func drainSQS(t *testing.T, tfConfig terraformOutputData) {
+func drainSQS(t *testing.T, region string, queueURL string) {
cfg, err := external.LoadDefaultAWSConfig()
if err != nil {
t.Fatal(err)
}
- cfg.Region = tfConfig.AWSRegion
+ cfg.Region = region
sqs := &awsSQSAPI{
client: sqs.New(cfg),
- queueURL: tfConfig.QueueURL,
+ queueURL: queueURL,
apiTimeout: 1 * time.Minute,
visibilityTimeout: 30 * time.Second,
longPollWaitTime: 10,
@@ -370,13 +375,13 @@ func drainSQS(t *testing.T, tfConfig terraformOutputData) {
func TestGetBucketNameFromARN(t *testing.T) {
bucketName := getBucketNameFromARN("arn:aws:s3:::my_corporate_bucket")
- assert.Equal("my_corporate_bucket", bucketName)
+ assert.Equal(t, "my_corporate_bucket", bucketName)
}
func TestGetRegionForBucketARN(t *testing.T) {
logp.TestingSetup()
- // Terraform is used to setup S3 and must be executed manually.
+ // Terraform is used to set up S3 and must be executed manually.
tfConfig := getTerraformOutputs(t)
awsConfig, err := external.LoadDefaultAWSConfig()
@@ -393,7 +398,7 @@ func TestGetRegionForBucketARN(t *testing.T) {
func TestPaginatorListPrefix(t *testing.T) {
logp.TestingSetup()
- // Terraform is used to setup S3 and must be executed manually.
+ // Terraform is used to set up S3 and must be executed manually.
tfConfig := getTerraformOutputs(t)
uploadS3TestFiles(t, tfConfig.AWSRegion, tfConfig.BucketName,
@@ -439,9 +444,67 @@ func TestPaginatorListPrefix(t *testing.T) {
assert.Equal(t, expected, objects)
}
-func TestGetProviderFromDomain(t *testing.T) {
- assert.Equal("aws", getProviderFromDomain("", ""))
- assert.Equal("aws", getProviderFromDomain("c2s.ic.gov", ""))
- assert.Equal("abc", getProviderFromDomain("abc.com", "abc"))
- assert.Equal("xyz", getProviderFromDomain("oraclecloud.com", "xyz"))
+func TestInputRunSNS(t *testing.T) {
+ logp.TestingSetup()
+
+ // Terraform is used to set up S3, SNS and SQS and must be executed manually.
+ tfConfig := getTerraformOutputs(t)
+
+ // Ensure SQS is empty before testing.
+ drainSQS(t, tfConfig.AWSRegion, tfConfig.QueueURLForSNS)
+
+ // Ensure metrics are removed before testing.
+ monitoring.GetNamespace("dataset").GetRegistry().Remove(inputID)
+
+ uploadS3TestFiles(t, tfConfig.AWSRegion, tfConfig.BucketNameForSNS,
+ "testdata/events-array.json",
+ "testdata/invalid.json",
+ "testdata/log.json",
+ "testdata/log.ndjson",
+ "testdata/multiline.json",
+ "testdata/multiline.json.gz",
+ "testdata/multiline.txt",
+ "testdata/log.txt", // Skipped (no match).
+ )
+
+ s3Input := createInput(t, makeTestConfigSQS(tfConfig.QueueURLForSNS))
+
+ inputCtx, cancel := newV2Context()
+ t.Cleanup(cancel)
+ time.AfterFunc(15*time.Second, func() {
+ cancel()
+ })
+
+ client := pubtest.NewChanClient(0)
+ defer close(client.Channel)
+ go func() {
+ for event := range client.Channel {
+ event.Private.(*eventACKTracker).ACK()
+ }
+ }()
+
+ var errGroup errgroup.Group
+ errGroup.Go(func() error {
+ pipeline := pubtest.PublisherWithClient(client)
+ return s3Input.Run(inputCtx, pipeline)
+ })
+
+ if err := errGroup.Wait(); err != nil {
+ t.Fatal(err)
+ }
+
+ snap := common.MapStr(monitoring.CollectStructSnapshot(
+ monitoring.GetNamespace("dataset").GetRegistry(),
+ monitoring.Full,
+ false))
+ t.Log(snap.StringToPrint())
+
+ assertMetric(t, snap, "sqs_messages_received_total", 8) // S3 could batch notifications.
+ assertMetric(t, snap, "sqs_messages_inflight_gauge", 0)
+ assertMetric(t, snap, "sqs_messages_deleted_total", 7)
+ assertMetric(t, snap, "sqs_messages_returned_total", 1) // Invalid JSON is returned so that it can eventually be DLQed.
+ assertMetric(t, snap, "sqs_visibility_timeout_extensions_total", 0)
+ assertMetric(t, snap, "s3_objects_inflight_gauge", 0)
+ assertMetric(t, snap, "s3_objects_requested_total", 7)
+ assertMetric(t, snap, "s3_events_created_total", 12)
}
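Review bot: TestInputRunSNS repeats the body of TestInputRunSQS (drain, upload, 15 s cancel, ACK loop, metric assertions) with only the queue URL and bucket swapped, so the two will drift apart on the next change to either; a helper such as `runSQSInputTest(t, tfConfig.AWSRegion, queueURL, bucket)` called from both would keep one copy of the setup and expectations. The `event.Private.(*eventACKTracker).ACK()` assertion inside the consumer goroutine panics rather than failing the test if a different `Private` type ever arrives; the two-value form with `t.Errorf` on `!ok` reports it as a test failure instead. The comment `// S3 could batch notifications.` on the 8-message expectation would read better if it said what the count depends on, e.g. `// 8 uploads; S3 may batch notifications, so the received count is an upper bound on distinct messages.` if that is the intent.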
diff --git a/x-pack/filebeat/input/awss3/input_test.go b/x-pack/filebeat/input/awss3/input_test.go
new file mode 100644
index 00000000000..1a10eb0115f
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/input_test.go
@@ -0,0 +1,38 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestGetProviderFromDomain(t *testing.T) {
+ assert.Equal(t, "aws", getProviderFromDomain("", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("c2s.ic.gov", ""))
+ assert.Equal(t, "abc", getProviderFromDomain("abc.com", "abc"))
+ assert.Equal(t, "xyz", getProviderFromDomain("oraclecloud.com", "xyz"))
+ assert.Equal(t, "aws", getProviderFromDomain("amazonaws.com", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("c2s.sgov.gov", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("c2s.ic.gov", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("amazonaws.com.cn", ""))
+ assert.Equal(t, "backblaze", getProviderFromDomain("https://backblazeb2.com", ""))
+ assert.Equal(t, "wasabi", getProviderFromDomain("https://wasabisys.com", ""))
+ assert.Equal(t, "digitalocean", getProviderFromDomain("https://digitaloceanspaces.com", ""))
+ assert.Equal(t, "dreamhost", getProviderFromDomain("https://dream.io", ""))
+ assert.Equal(t, "scaleway", getProviderFromDomain("https://scw.cloud", ""))
+ assert.Equal(t, "gcp", getProviderFromDomain("https://googleapis.com", ""))
+ assert.Equal(t, "arubacloud", getProviderFromDomain("https://cloud.it", ""))
+ assert.Equal(t, "linode", getProviderFromDomain("https://linodeobjects.com", ""))
+ assert.Equal(t, "vultr", getProviderFromDomain("https://vultrobjects.com", ""))
+ assert.Equal(t, "ibm", getProviderFromDomain("https://appdomain.cloud", ""))
+ assert.Equal(t, "alibaba", getProviderFromDomain("https://aliyuncs.com", ""))
+ assert.Equal(t, "oracle", getProviderFromDomain("https://oraclecloud.com", ""))
+ assert.Equal(t, "exoscale", getProviderFromDomain("https://exo.io", ""))
+ assert.Equal(t, "upcloud", getProviderFromDomain("https://upcloudobjects.com", ""))
+ assert.Equal(t, "iland", getProviderFromDomain("https://ilandcloud.com", ""))
+ assert.Equal(t, "zadara", getProviderFromDomain("https://zadarazios.com", ""))
+}
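Review bot: `c2s.ic.gov` is asserted twice in TestGetProviderFromDomain (once near the top and again right after `c2s.sgov.gov`), and no case covers a scheme-less `host:port` endpoint, which is the form the reworked parsing in `getProviderFromDomain` is most likely to get wrong. Replacing the duplicate with `assert.Equal(t, "wasabi", getProviderFromDomain("wasabisys.com:443", ""))` would exercise it; I expect that case to fail against the current parsing, which is the point of adding it. A short comment above the scheme-prefixed cases, e.g. `// Endpoints may be given with or without a scheme; both must resolve.`, would tell the next reader why the two groups exist.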
diff --git a/x-pack/filebeat/input/awss3/script.go b/x-pack/filebeat/input/awss3/script.go
new file mode 100644
index 00000000000..812fbe65dc5
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/script.go
@@ -0,0 +1,150 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "bytes"
+ "io"
+ "os"
+ "path/filepath"
+ "runtime"
+ "strings"
+
+ "github.com/dop251/goja"
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/logp"
+ "github.com/elastic/beats/v7/libbeat/paths"
+)
+
+type script struct {
+ scriptConfig
+ sessionPool *sessionPool
+ sourceProg *goja.Program
+ sourceFile string
+}
+
+// newScriptFromConfig constructs a new Javascript script from the given config
+// object. It loads the sources, compiles them, and validates the entry point.
+func newScriptFromConfig(log *logp.Logger, c *scriptConfig) (*script, error) {
+ if c == nil {
+ return nil, nil
+ }
+ err := c.Validate()
+ if err != nil {
+ return nil, err
+ }
+
+ var sourceFile string
+ var sourceCode []byte
+
+ switch {
+ case c.Source != "":
+ sourceFile = "inline.js"
+ sourceCode = []byte(c.Source)
+ case c.File != "":
+ sourceFile, sourceCode, err = loadSources(c.File)
+ case len(c.Files) > 0:
+ sourceFile, sourceCode, err = loadSources(c.Files...)
+ }
+ if err != nil {
+ return nil, err
+ }
+
+ // Validate processor source code.
+ prog, err := goja.Compile(sourceFile, string(sourceCode), true)
+ if err != nil {
+ return nil, err
+ }
+
+ pool, err := newSessionPool(prog, *c)
+ if err != nil {
+ return nil, err
+ }
+
+ return &script{
+ scriptConfig: *c,
+ sessionPool: pool,
+ sourceProg: prog,
+ sourceFile: sourceFile,
+ }, nil
+}
+
+// loadSources loads javascript source from files.
+func loadSources(files ...string) (string, []byte, error) {
+ var sources []string
+ buf := new(bytes.Buffer)
+
+ readFile := func(path string) error {
+ if common.IsStrictPerms() {
+ if err := common.OwnerHasExclusiveWritePerms(path); err != nil {
+ return err
+ }
+ }
+
+ f, err := os.Open(path)
+ if err != nil {
+ return errors.Wrapf(err, "failed to open file %v", path)
+ }
+ defer f.Close()
+
+ if _, err = io.Copy(buf, f); err != nil {
+ return errors.Wrapf(err, "failed to read file %v", path)
+ }
+ return nil
+ }
+
+ for _, filePath := range files {
+ filePath = paths.Resolve(paths.Config, filePath)
+
+ if hasMeta(filePath) {
+ matches, err := filepath.Glob(filePath)
+ if err != nil {
+ return "", nil, err
+ }
+ sources = append(sources, matches...)
+ } else {
+ sources = append(sources, filePath)
+ }
+ }
+
+ if len(sources) == 0 {
+ return "", nil, errors.Errorf("no sources were found in %v",
+ strings.Join(files, ", "))
+ }
+
+ for _, name := range sources {
+ if err := readFile(name); err != nil {
+ return "", nil, err
+ }
+ }
+
+ return strings.Join(sources, ";"), buf.Bytes(), nil
+}
+
+// run runs the parse function. It receives a raw notification
+// as a string and returns a list of S3 Events describing
+// which files are going to be downloaded.
+func (p *script) run(n string) ([]s3EventV2, error) {
+ s := p.sessionPool.Get()
+ defer p.sessionPool.Put(s)
+
+ return s.runParseFunc(n)
+}
+
+func (p *script) String() string {
+ return "script=[type=javascript, sources=" + p.sourceFile + "]"
+}
+
+// hasMeta reports whether path contains any of the magic characters
+// recognized by Match/Glob.
+func hasMeta(path string) bool {
+ magicChars := `*?[`
+ if runtime.GOOS != "windows" {
+ magicChars = `*?[\`
+ }
+ return strings.ContainsAny(path, magicChars)
+}
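Review bot: The `log` parameter of newScriptFromConfig is never used in its body; the sessions created through newSessionPool build their own logger with `logp.NewLogger(logName)` in script_session.go from this commit, so the named logger the input passes in is dropped and script log lines lose the input's context. Either thread `log` through `newSessionPool`/`newSession` or remove the parameter so the signature does not promise something it does not do. The loadSources doc comment could also state the two things a deployer needs to know from the body: `// Paths are resolved relative to the config directory and globs are expanded; with strict permissions enabled each file must pass OwnerHasExclusiveWritePerms before it is read.`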
diff --git a/x-pack/filebeat/input/awss3/script_jss3event_v2.go b/x-pack/filebeat/input/awss3/script_jss3event_v2.go
new file mode 100644
index 00000000000..04cea00a08b
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/script_jss3event_v2.go
@@ -0,0 +1,69 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "strings"
+
+ "github.com/dop251/goja"
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/common/encoding/xml"
+)
+
+func newJSS3EventV2Constructor(s *session) func(call goja.ConstructorCall) *goja.Object {
+ return func(call goja.ConstructorCall) *goja.Object {
+ if len(call.Arguments) != 0 {
+ panic(errors.New("Event constructor don't accept arguments"))
+ }
+ return s.vm.ToValue(&s3EventV2{}).(*goja.Object)
+ }
+}
+
+func (e *s3EventV2) SetAWSRegion(v string) {
+ e.AWSRegion = v
+}
+
+func (e *s3EventV2) SetProvider(v string) {
+ e.Provider = v
+}
+
+func (e *s3EventV2) SetEventName(v string) {
+ e.EventName = v
+}
+
+func (e *s3EventV2) SetEventSource(v string) {
+ e.EventSource = v
+}
+
+func (e *s3EventV2) SetS3BucketName(v string) {
+ e.S3.Bucket.Name = v
+}
+
+func (e *s3EventV2) SetS3BucketARN(v string) {
+ e.S3.Bucket.ARN = v
+}
+
+func (e *s3EventV2) SetS3ObjectKey(v string) {
+ e.S3.Object.Key = v
+}
+
+func newXMLDecoderConstructor(s *session) func(call goja.ConstructorCall) *goja.Object {
+ return func(call goja.ConstructorCall) *goja.Object {
+ if len(call.Arguments) != 1 {
+ panic(errors.New("Event constructor requires one argument"))
+ }
+
+ a0 := call.Argument(0).Export()
+ s0, ok := a0.(string)
+
+ if !ok {
+ panic(errors.Errorf("Event constructor requires a "+
+ "string argument but got %T", a0))
+ }
+
+ return s.vm.ToValue(xml.NewDecoder(strings.NewReader(s0))).(*goja.Object)
+ }
+}
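Review bot: The panic messages in newXMLDecoderConstructor still say `Event constructor` (`"Event constructor requires one argument"` and the `%T` variant), so a script author who calls `new XMLDecoder()` wrongly is told that the wrong constructor failed; `"XMLDecoder constructor requires one argument"` and `"XMLDecoder constructor requires a string argument but got %T"` would name the right one, and the S3EventV2 message reads better as `"S3EventV2 constructor does not accept arguments"`. The exported setters on s3EventV2 are the script-facing API yet carry no doc comments; one comment on the group, e.g. `// The Set* methods are exposed to scripts on the JS S3EventV2 object; keep them in sync with the s3EventV2 fields.`, would record why they exist.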
diff --git a/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go b/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go
new file mode 100644
index 00000000000..dc387d95e33
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go
@@ -0,0 +1,60 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/elastic/beats/v7/libbeat/logp"
+)
+
+const (
+ header = `function parse(n) {`
+ footer = `}`
+)
+
+var log = logp.NewLogger("test")
+
+func TestJSS3EventV2(t *testing.T) {
+ logp.TestingSetup()
+
+ source := `
+ var evts = [];
+ var evt = new S3EventV2();
+ evt.SetAWSRegion("region");
+ evt.SetProvider("provider");
+ evt.SetEventName("name");
+ evt.SetEventSource("source");
+ evt.SetS3BucketName("bucket");
+ evt.SetS3BucketARN("arn");
+ evt.SetS3ObjectKey("key");
+ evts.push(evt);
+ return evts;
+ `
+
+ p, err := newScriptFromConfig(log, &scriptConfig{Source: header + source + footer})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ evts, err := p.run(`{}`)
+ require.NoError(t, err)
+ require.Equal(t, 1, len(evts))
+
+ exp := s3EventV2{
+ AWSRegion: "region",
+ Provider: "provider",
+ EventName: "name",
+ EventSource: "source",
+ }
+ exp.S3.Bucket.Name = "bucket"
+ exp.S3.Bucket.ARN = "arn"
+ exp.S3.Object.Key = "key"
+
+ assert.EqualValues(t, exp, evts[0])
+}
diff --git a/x-pack/filebeat/input/awss3/script_session.go b/x-pack/filebeat/input/awss3/script_session.go
new file mode 100644
index 00000000000..aad0539665e
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/script_session.go
@@ -0,0 +1,217 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "fmt"
+ "reflect"
+ "time"
+
+ "github.com/dop251/goja"
+ "github.com/pkg/errors"
+ "go.uber.org/zap"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/logp"
+)
+
+const (
+ logName = "awss3.script"
+
+ entryPointFunction = "parse"
+ registerFunction = "register"
+ testFunction = "test"
+
+ timeoutError = "javascript parser execution timeout"
+)
+
+// session is a javascript runtime environment used throughout the life of
+// the input instance.
+type session struct {
+ vm *goja.Runtime
+ log *logp.Logger
+ parseFunc goja.Callable
+ timeout time.Duration
+}
+
+func newSession(p *goja.Program, conf scriptConfig, test bool) (*session, error) {
+ // Create a logger
+ logger := logp.NewLogger(logName)
+
+ // Setup JS runtime.
+ s := &session{
+ vm: goja.New(),
+ log: logger,
+ timeout: conf.Timeout,
+ }
+
+ // Register common.MapStr as being a simple map[string]interface{} for
+ // treatment within the JS VM.
+ s.vm.RegisterSimpleMapType(reflect.TypeOf(common.MapStr(nil)),
+ func(i interface{}) map[string]interface{} {
+ return map[string]interface{}(i.(common.MapStr))
+ },
+ )
+
+ // Register constructors for 'new S3EventV2' to enable creating them from the JS code.
+ s.vm.Set("S3EventV2", newJSS3EventV2Constructor(s))
+ s.vm.Set("XMLDecoder", newXMLDecoderConstructor(s))
+
+ if _, err := s.vm.RunProgram(p); err != nil {
+ return nil, err
+ }
+
+ if err := s.setParseFunction(); err != nil {
+ return nil, err
+ }
+
+ if len(conf.Params) > 0 {
+ if err := s.registerScriptParams(conf.Params); err != nil {
+ return nil, err
+ }
+ }
+
+ if test {
+ if err := s.executeTestFunction(); err != nil {
+ return nil, err
+ }
+ }
+
+ return s, nil
+}
+
+// setParseFunction validates that the parse() function exists and stores
+// the handle.
+func (s *session) setParseFunction() error {
+ parseFunc := s.vm.Get(entryPointFunction)
+ if parseFunc == nil {
+ return errors.New("parse function not found")
+ }
+ if parseFunc.ExportType().Kind() != reflect.Func {
+ return errors.New("parse is not a function")
+ }
+ if err := s.vm.ExportTo(parseFunc, &s.parseFunc); err != nil {
+ return errors.Wrap(err, "failed to export parse function")
+ }
+ return nil
+}
+
+// registerScriptParams calls the register() function and passes the params.
+func (s *session) registerScriptParams(params map[string]interface{}) error {
+ registerFunc := s.vm.Get(registerFunction)
+ if registerFunc == nil {
+ return errors.New("params were provided but no register function was found")
+ }
+ if registerFunc.ExportType().Kind() != reflect.Func {
+ return errors.New("register is not a function")
+ }
+ var register goja.Callable
+ if err := s.vm.ExportTo(registerFunc, ®ister); err != nil {
+ return errors.Wrap(err, "failed to export register function")
+ }
+ if _, err := register(goja.Undefined(), s.vm.ToValue(params)); err != nil {
+ return errors.Wrap(err, "failed to register script_params")
+ }
+ s.log.Debug("Registered params with script")
+ return nil
+}
+
+// executeTestFunction executes the test() function if it exists. Any exceptions
+// will cause the script to fail to load.
+func (s *session) executeTestFunction() error {
+ if testFunc := s.vm.Get(testFunction); testFunc != nil {
+ if testFunc.ExportType().Kind() != reflect.Func {
+ return errors.New("test is not a function")
+ }
+ var test goja.Callable
+ if err := s.vm.ExportTo(testFunc, &test); err != nil {
+ return errors.Wrap(err, "failed to export test function")
+ }
+ _, err := test(goja.Undefined(), nil)
+ if err != nil {
+ return errors.Wrap(err, "failed in test() function")
+ }
+ s.log.Debugf("Successful test() execution for script.")
+ }
+ return nil
+}
+
+// runParseFunc executes parse() from the JS script.
+func (s *session) runParseFunc(n string) (out []s3EventV2, err error) {
+ defer func() {
+ if r := recover(); r != nil {
+ s.log.Errorw("The javascript script caused an unexpected panic "+
+ "while parsing a notification. Recovering, but please report this.",
+ "notification", common.MapStr{"original": n},
+ "panic", r,
+ zap.Stack("stack"))
+ err = fmt.Errorf("unexpected panic in javascript script: %v", r)
+ }
+ }()
+
+ // Interrupt the JS code if execution exceeds timeout.
+ if s.timeout > 0 {
+ t := time.AfterFunc(s.timeout, func() {
+ s.vm.Interrupt(timeoutError)
+ })
+ defer t.Stop()
+ }
+
+ v, err := s.parseFunc(goja.Undefined(), s.vm.ToValue(n))
+ if err != nil {
+ return nil, fmt.Errorf("failed in parse function: %w", err)
+ }
+
+ if v.Equals(goja.Undefined()) {
+ return out, nil
+ }
+
+ if err := s.vm.ExportTo(v, &out); err != nil {
+ return nil, fmt.Errorf("can't export returned value: %w", err)
+ }
+
+ return out, nil
+}
+
+type sessionPool struct {
+ New func() *session
+ C chan *session
+}
+
+func newSessionPool(p *goja.Program, c scriptConfig) (*sessionPool, error) {
+ s, err := newSession(p, c, true)
+ if err != nil {
+ return nil, err
+ }
+
+ pool := sessionPool{
+ New: func() *session {
+ s, _ := newSession(p, c, false)
+ return s
+ },
+ C: make(chan *session, c.MaxCachedSessions),
+ }
+ pool.Put(s)
+
+ return &pool, nil
+}
+
+func (p *sessionPool) Get() *session {
+ select {
+ case s := <-p.C:
+ return s
+ default:
+ return p.New()
+ }
+}
+
+func (p *sessionPool) Put(s *session) {
+ if s != nil {
+ select {
+ case p.C <- s:
+ default:
+ }
+ }
+}
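Review bot: `sessionPool.New` discards the error from `newSession` and returns a nil `*session`; `Get` hands that nil to `script.run`, whose `runParseFunc` then reads `s.timeout` on the nil receiver, and the deferred recover in the same method calls `s.log.Errorw` on it, so the second panic escapes instead of being turned into an error. The first session is validated with `test=true`, but a script whose `register()` or top-level code fails nondeterministically, or a later session construction failing for resource reasons, reaches this path; `New` should surface the error (for example by making `Get` return `(*session, error)`) rather than pass a nil session on. Separately, if the timeout timer fires after `parseFunc` has returned but before the deferred `t.Stop()` runs, goja keeps the interrupt flag set and the next run on that pooled session fails immediately; goja provides `ClearInterrupt()` for exactly this case, and calling it once the timer is stopped would close the race. With a `conf.Timeout` of zero no interrupt is armed, so a looping script blocks the SQS worker that invoked it; whether the config supplies a non-zero default is not visible in this hunk and is worth a comment on the `s.timeout > 0` check either way.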
diff --git a/x-pack/filebeat/input/awss3/script_session_test.go b/x-pack/filebeat/input/awss3/script_session_test.go
new file mode 100644
index 00000000000..4cad65b03fd
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/script_session_test.go
@@ -0,0 +1,317 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "context"
+ "sync"
+ "testing"
+ "time"
+
+ "github.com/elastic/beats/v7/libbeat/logp"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestSessionScriptParams(t *testing.T) {
+ logp.TestingSetup()
+
+ t.Run("register method is optional", func(t *testing.T) {
+ _, err := newScriptFromConfig(log, &scriptConfig{Source: header + footer})
+ if err != nil {
+ t.Fatal(err)
+ }
+ })
+
+ t.Run("register required for params", func(t *testing.T) {
+ _, err := newScriptFromConfig(log, &scriptConfig{Source: header + footer, Params: map[string]interface{}{
+ "p1": 42,
+ },
+ })
+ if assert.Error(t, err) {
+ assert.Contains(t, err.Error(), "params were provided")
+ }
+ })
+
+ t.Run("register params", func(t *testing.T) {
+ const script = `
+ function register(params) {
+ if (params["p1"] !== 42) {
+ throw "invalid p1";
+ }
+ }
+
+ function parse(n) {}
+ `
+ _, err := newScriptFromConfig(log, &scriptConfig{
+ Source: script,
+ Params: map[string]interface{}{
+ "p1": 42,
+ },
+ })
+ assert.NoError(t, err)
+ })
+}
+
+func TestSessionTestFunction(t *testing.T) {
+ logp.TestingSetup()
+
+ const script = `
+ var fail = false;
+
+ function register(params) {
+ fail = params["fail"];
+ }
+
+ function parse(n) {
+ if (fail) {
+ throw "intentional failure";
+ }
+ var m = JSON.parse(n);
+ var e = new S3EventV2();
+ e.SetS3ObjectKey(m["hello"]);
+ return [e];
+ }
+
+ function test() {
+ var n = "{\"hello\": \"earth\"}";
+ var evts = parse(n);
+
+ if (evts[0].S3.Object.Key !== "earth") {
+ throw "invalid key value";
+ }
+ }
+ `
+
+ t.Run("test method is optional", func(t *testing.T) {
+ _, err := newScriptFromConfig(log, &scriptConfig{
+ Source: header + footer,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+ })
+
+ t.Run("test success", func(t *testing.T) {
+ _, err := newScriptFromConfig(log, &scriptConfig{
+ Source: script,
+ Params: map[string]interface{}{
+ "fail": false,
+ },
+ })
+ assert.NoError(t, err)
+ })
+
+ t.Run("test failure", func(t *testing.T) {
+ _, err := newScriptFromConfig(log, &scriptConfig{
+ Source: script,
+ Params: map[string]interface{}{
+ "fail": true,
+ },
+ })
+ assert.Error(t, err)
+ })
+}
+
+func TestSessionTimeout(t *testing.T) {
+ logp.TestingSetup()
+
+ const runawayLoop = `
+ var m = JSON.parse(n);
+ while (!m.stop) {
+ m.hello = "world";
+ }
+ `
+
+ p, err := newScriptFromConfig(log, &scriptConfig{
+ Source: header + runawayLoop + footer,
+ Timeout: 100 * time.Millisecond,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ n := `{"stop": false}`
+
+ // Execute and expect a timeout.
+ _, err = p.run(n)
+ if assert.Error(t, err) {
+ assert.Contains(t, err.Error(), timeoutError)
+ }
+
+ // Verify that any internal runtime interrupt state has been cleared.
+ n = `{"stop": true}`
+ _, err = p.run(n)
+ assert.NoError(t, err)
+}
+
+func TestSessionParallel(t *testing.T) {
+ logp.TestingSetup()
+
+ const script = `
+ var m = JSON.parse(n);
+ var evt = new S3EventV2();
+ evt.SetS3ObjectKey(m.hello.world);
+ return [evt];
+ `
+
+ p, err := newScriptFromConfig(log, &scriptConfig{
+ Source: header + script + footer,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ const goroutines = 10
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ var wg sync.WaitGroup
+ wg.Add(goroutines)
+ for i := 0; i < goroutines; i++ {
+ go func() {
+ defer wg.Done()
+ for ctx.Err() == nil {
+ n := `{"hello":{"world": "hello"}}`
+ evts, err := p.run(n)
+ require.NoError(t, err)
+ require.Equal(t, 1, len(evts))
+ assert.Equal(t, "hello", evts[0].S3.Object.Key)
+ }
+ }()
+ }
+
+ time.AfterFunc(time.Second, cancel)
+ wg.Wait()
+}
+
+func TestCreateS3EventsFromNotification(t *testing.T) {
+ logp.TestingSetup()
+
+ n := `{
+ "cid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+ "timestamp": 1492726639222,
+ "fileCount": 4,
+ "totalSize": 349986221,
+ "bucket": "bucketNNNN",
+ "pathPrefix": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff",
+ "files": [
+ {
+ "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz",
+ "size": 90506437,
+ "checksum": "ffffffffffffffffffff"
+ },
+ {
+ "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz",
+ "size": 86467594,
+ "checksum": "ffffffffffffffffffff"
+ },
+ {
+ "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00002.gz",
+ "size": 83893710,
+ "checksum": "ffffffffffffffffffff"
+ },
+ {
+ "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00003.gz",
+ "size": 89118480,
+ "checksum": "ffffffffffffffffffff"
+ }
+ ]
+ }`
+
+ const script = `
+ function parse(n) {
+ var m = JSON.parse(n);
+ var evts = [];
+ var files = m.files;
+ var bucket = m.bucket;
+
+ if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
+ return evts;
+ }
+
+ files.forEach(function(f){
+ var evt = new S3EventV2();
+ evt.SetS3BucketName(bucket);
+ evt.SetS3ObjectKey(f.path);
+ evts.push(evt);
+ });
+
+ return evts;
+ }
+`
+ s, err := newScriptFromConfig(log, &scriptConfig{Source: script})
+ require.NoError(t, err)
+
+ evts, err := s.run(n)
+ require.NoError(t, err)
+ require.Equal(t, 4, len(evts))
+
+ const expectedBucket = "bucketNNNN"
+ expectedObjectKeys := []string{
+ "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz",
+ "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz",
+ "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00002.gz",
+ "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00003.gz",
+ }
+
+ for i, e := range expectedObjectKeys {
+ assert.Equal(t, expectedBucket, evts[i].S3.Bucket.Name)
+ assert.Equal(t, e, evts[i].S3.Object.Key)
+ }
+}
+
+func TestParseXML(t *testing.T) {
+ logp.TestingSetup()
+
+ n := `
+ bucketNNNN
+
+ logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz
+ logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz
+
+ `
+
+ const script = `
+ function parse(n) {
+ var dec = new XMLDecoder(n);
+ var m = dec.Decode();
+ var evts = [];
+ var files = m.record.files.file;
+ var bucket = m.record.bucket;
+
+ if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
+ return evts;
+ }
+
+ files.forEach(function(f){
+ var evt = new S3EventV2();
+ evt.SetS3BucketName(bucket);
+ evt.SetS3ObjectKey(f.path);
+ evts.push(evt);
+ });
+
+ return evts;
+ }
+`
+ s, err := newScriptFromConfig(log, &scriptConfig{Source: script})
+ require.NoError(t, err)
+
+ evts, err := s.run(n)
+ require.NoError(t, err)
+ require.Equal(t, 2, len(evts))
+
+ const expectedBucket = "bucketNNNN"
+ expectedObjectKeys := []string{
+ "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz",
+ "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz",
+ }
+
+ for i, e := range expectedObjectKeys {
+ assert.Equal(t, expectedBucket, evts[i].S3.Bucket.Name)
+ assert.Equal(t, e, evts[i].S3.Object.Key)
+ }
+}
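Review bot: TestSessionParallel calls `require.NoError` and `require.Equal` from the worker goroutines; `require` ends in `t.FailNow`, which the testing package requires to be called from the goroutine running the test, so a failure there would not be reported cleanly. Using `assert` inside the goroutines, or sending the first error back on a channel and checking it with `require` after `wg.Wait()`, keeps the failure on the test goroutine. The `n` fixture in TestParseXML shows no XML markup in this rendering; if that is how the source reads, the decoder input is plain text and the `m.record.files.file` lookup cannot succeed, so it is worth confirming the tags survived the commit.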
diff --git a/x-pack/filebeat/input/awss3/sqs_s3_event.go b/x-pack/filebeat/input/awss3/sqs_s3_event.go
index b2c1a7f169d..c906c74fa9e 100644
--- a/x-pack/filebeat/input/awss3/sqs_s3_event.go
+++ b/x-pack/filebeat/input/awss3/sqs_s3_event.go
@@ -53,8 +53,12 @@ func nonRetryableErrorWrap(err error) error {
// s3EventsV2 is the notification message that Amazon S3 sends to notify of S3 changes.
// This was derived from the version 2.2 schema.
// https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-content-structure.html
+// If the notification message is sent from SNS to SQS, then Records will be
+// replaced by TopicArn and Message fields.
type s3EventsV2 struct {
- Records []s3EventV2 `json:"Records"`
+ TopicArn string `json:"TopicArn"`
+ Message string `json:"Message"`
+ Records []s3EventV2 `json:"Records"`
}
// s3EventV2 is a S3 change notification event.
@@ -82,9 +86,10 @@ type sqsS3EventProcessor struct {
log *logp.Logger
warnOnce sync.Once
metrics *inputMetrics
+ script *script
}
-func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, sqsVisibilityTimeout time.Duration, maxReceiveCount int, s3 s3ObjectHandlerFactory) *sqsS3EventProcessor {
+func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, script *script, sqsVisibilityTimeout time.Duration, maxReceiveCount int, s3 s3ObjectHandlerFactory) *sqsS3EventProcessor {
if metrics == nil {
metrics = newInputMetrics(monitoring.NewRegistry(), "")
}
@@ -95,6 +100,7 @@ func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI,
sqs: sqs,
log: log,
metrics: metrics,
+ script: script,
}
}
@@ -181,6 +187,12 @@ func (p *sqsS3EventProcessor) keepalive(ctx context.Context, log *logp.Logger, w
}
func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, error) {
+ // Check if a parsing script is defined. If so, it takes precedence over
+ // format autodetection.
+ if p.script != nil {
+ return p.script.run(body)
+ }
+
// NOTE: If AWS introduces a V3 schema this will need updated to handle that schema.
var events s3EventsV2
dec := json.NewDecoder(strings.NewReader(body))
@@ -189,6 +201,24 @@ func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, erro
return nil, fmt.Errorf("failed to decode SQS message body as an S3 notification: %w", err)
}
+ // Check if the notification is from S3 -> SNS -> SQS
+ if events.TopicArn != "" {
+ dec := json.NewDecoder(strings.NewReader(events.Message))
+ if err := dec.Decode(&events); err != nil {
+ p.log.Debugw("Invalid SQS message body.", "sqs_message_body", body)
+ return nil, fmt.Errorf("failed to decode SQS message body as an S3 notification: %w", err)
+ }
+ }
+
+ if events.Records == nil {
+ p.log.Debugw("Invalid SQS message body: missing Records field", "sqs_message_body", body)
+ return nil, errors.New("the message is an invalid S3 notification: missing Records field")
+ }
+
+ return p.getS3Info(events)
+}
+
+func (p *sqsS3EventProcessor) getS3Info(events s3EventsV2) ([]s3EventV2, error) {
var out []s3EventV2
for _, record := range events.Records {
if !p.isObjectCreatedEvents(record) {
@@ -211,7 +241,6 @@ func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, erro
out = append(out, record)
}
-
return out, nil
}
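Review bot: The SNS unwrap decodes `events.Message` into the already-populated `events`, so any field absent from the inner JSON keeps the value set by the outer decode; a body carrying a non-empty TopicArn next to a top-level Records array would pass the `events.Records == nil` check with the outer Records even when Message contains none. Decoding into a fresh value avoids that and also removes the inner `dec` shadowing the outer decoder: `var inner s3EventsV2` / `if err := json.NewDecoder(strings.NewReader(events.Message)).Decode(&inner); err != nil { ... }` / `events = inner`. Note that TopicArn is not compared against any expected topic and only one level of wrapping is unwrapped; since anyone able to write to the queue could forge an S3 notification directly, that is a queue access-policy matter rather than a parsing one, but a comment saying so would help. The opening lines of getS3Notifications are in the previous hunk.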
diff --git a/x-pack/filebeat/input/awss3/sqs_s3_event_test.go b/x-pack/filebeat/input/awss3/sqs_s3_event_test.go
index 8865c5d30cd..ad6d30056d4 100644
--- a/x-pack/filebeat/input/awss3/sqs_s3_event_test.go
+++ b/x-pack/filebeat/input/awss3/sqs_s3_event_test.go
@@ -38,7 +38,7 @@ func TestSQSS3EventProcessor(t *testing.T) {
mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil),
)
- p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory)
+ p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory)
require.NoError(t, p.ProcessSQS(ctx, &msg))
})
@@ -60,7 +60,7 @@ func TestSQSS3EventProcessor(t *testing.T) {
mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&invalidBodyMsg)).Return(nil),
)
- p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory)
+ p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory)
err := p.ProcessSQS(ctx, &invalidBodyMsg)
require.Error(t, err)
t.Log(err)
@@ -75,13 +75,13 @@ func TestSQSS3EventProcessor(t *testing.T) {
mockAPI := NewMockSQSAPI(ctrl)
mockS3HandlerFactory := NewMockS3ObjectHandlerFactory(ctrl)
- emptyRecordsMsg := newSQSMessage()
+ emptyRecordsMsg := newSQSMessage([]s3EventV2{}...)
gomock.InOrder(
mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&emptyRecordsMsg)).Return(nil),
)
- p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory)
+ p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory)
require.NoError(t, p.ProcessSQS(ctx, &emptyRecordsMsg))
})
@@ -108,7 +108,7 @@ func TestSQSS3EventProcessor(t *testing.T) {
mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil),
)
- p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, visibilityTimeout, 5, mockS3HandlerFactory)
+ p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, visibilityTimeout, 5, mockS3HandlerFactory)
require.NoError(t, p.ProcessSQS(ctx, &msg))
})
@@ -127,7 +127,7 @@ func TestSQSS3EventProcessor(t *testing.T) {
mockS3Handler.EXPECT().ProcessS3Object().Return(errors.New("fake connectivity problem")),
)
- p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory)
+ p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory)
err := p.ProcessSQS(ctx, &msg)
t.Log(err)
require.Error(t, err)
@@ -154,7 +154,7 @@ func TestSQSS3EventProcessor(t *testing.T) {
mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil),
)
- p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory)
+ p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory)
err := p.ProcessSQS(ctx, &msg)
t.Log(err)
require.Error(t, err)
@@ -164,7 +164,7 @@ func TestSQSS3EventProcessor(t *testing.T) {
func TestSqsProcessor_getS3Notifications(t *testing.T) {
logp.TestingSetup()
- p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, nil, time.Minute, 5, nil)
+ p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, nil, nil, time.Minute, 5, nil)
t.Run("s3 key is url unescaped", func(t *testing.T) {
msg := newSQSMessage(newS3Event("Happy+Face.jpg"))
@@ -184,6 +184,34 @@ func TestSqsProcessor_getS3Notifications(t *testing.T) {
require.NoError(t, err)
assert.Len(t, events, 0)
})
+
+ t.Run("sns-sqs notification", func(t *testing.T) {
+ msg := newSNSSQSMessage()
+ events, err := p.getS3Notifications(*msg.Body)
+ require.NoError(t, err)
+ assert.Len(t, events, 1)
+ assert.Equal(t, "test-object-key", events[0].S3.Object.Key)
+ assert.Equal(t, "arn:aws:s3:::vpc-flow-logs-ks", events[0].S3.Bucket.ARN)
+ assert.Equal(t, "vpc-flow-logs-ks", events[0].S3.Bucket.Name)
+ })
+
+ t.Run("missing Records fail", func(t *testing.T) {
+ msg := `{"message":"missing records"}`
+ _, err := p.getS3Notifications(msg)
+ require.Error(t, err)
+ assert.EqualError(t, err, "the message is an invalid S3 notification: missing Records field")
+ msg = `{"message":"null records", "Records": null}`
+ _, err = p.getS3Notifications(msg)
+ require.Error(t, err)
+ assert.EqualError(t, err, "the message is an invalid S3 notification: missing Records field")
+ })
+
+ t.Run("empty Records does not fail", func(t *testing.T) {
+ msg := `{"Records":[]}`
+ events, err := p.getS3Notifications(msg)
+ require.NoError(t, err)
+ assert.Equal(t, 0, len(events))
+ })
}
func TestNonRecoverableError(t *testing.T) {
diff --git a/x-pack/filebeat/input/awss3/sqs_test.go b/x-pack/filebeat/input/awss3/sqs_test.go
index 4940b4a6eca..a8b6e7b5f2a 100644
--- a/x-pack/filebeat/input/awss3/sqs_test.go
+++ b/x-pack/filebeat/input/awss3/sqs_test.go
@@ -126,6 +126,28 @@ func newSQSMessage(events ...s3EventV2) sqs.Message {
}
}
+func newSNSSQSMessage() sqs.Message {
+ body, err := json.Marshal(s3EventsV2{
+ TopicArn: "arn:aws:sns:us-east-1:1234:sns-topic",
+ Message: "{\"Records\":[{\"eventSource\":\"aws:s3\",\"awsRegion\":\"us-east-1\",\"eventName\":\"ObjectCreated:Put\",\"s3\":{\"configurationId\":\"sns-notification-vpc-flow-logs\",\"bucket\":{\"name\":\"vpc-flow-logs-ks\",\"arn\":\"arn:aws:s3:::vpc-flow-logs-ks\"},\"object\":{\"key\":\"test-object-key\"}}}]}",
+ })
+ if err != nil {
+ panic(err)
+ }
+
+ hash := sha256.Sum256(body)
+ id, _ := uuid.FromBytes(hash[:16])
+ messageID := id.String()
+ receipt := "receipt-" + messageID
+ bodyStr := string(body)
+
+ return sqs.Message{
+ Body: &bodyStr,
+ MessageId: &messageID,
+ ReceiptHandle: &receipt,
+ }
+}
+
func newS3Event(key string) s3EventV2 {
record := s3EventV2{
AWSRegion: "us-east-1",
diff --git a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
index c8eb358cd7d..79d27b36166 100644
--- a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" devic
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -73,7 +73,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudasf" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
index b9ef6534d89..3497b6873ea 100644
--- a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" d
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
index e831bbb1e8f..e666da7fa66 100644
--- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
@@ -300,7 +300,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -345,7 +345,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc
index 135260569a4..4cd22f8b797 100644
--- a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cylance" device rev
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
index d0448abd545..e83d14081ff 100644
--- a/x-pack/filebeat/module/f5/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
@@ -32,7 +32,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device re
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -77,7 +77,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipafm" device re
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
index 46c62099197..2cd30c1437a 100644
--- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
@@ -80,7 +80,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -125,7 +125,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail"
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -170,7 +170,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
index 918763f391d..c5b1ab37691 100644
--- a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc
index 286934fa4e4..1be04b5b739 100644
--- a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" devic
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
index a0e4ab1717f..b42de3eb091 100644
--- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
@@ -141,7 +141,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
@@ -186,7 +186,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
index 577c87f6cc3..13ea8f43bdc 100644
--- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
@@ -219,7 +219,7 @@ include::../include/var-paths.asciidoc[]
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc
index 3d0477a9f43..463c93b5c0f 100644
--- a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc
@@ -26,7 +26,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" de
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc b/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc
index b0accc04273..21a768ab432 100644
--- a/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "proofpoint" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/radware/_meta/docs.asciidoc b/x-pack/filebeat/module/radware/_meta/docs.asciidoc
index 3e0a992b51f..ba9bc87444c 100644
--- a/x-pack/filebeat/module/radware/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/radware/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/snort/_meta/docs.asciidoc b/x-pack/filebeat/module/snort/_meta/docs.asciidoc
index f2ae38f0043..47c1c430934 100644
--- a/x-pack/filebeat/module/snort/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/snort/_meta/docs.asciidoc
@@ -26,7 +26,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "snort" device revis
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
index 904e7f6d19c..595b2a31acb 100644
--- a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device r
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
index 41e86a0d1a4..6d6147984a1 100644
--- a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
@@ -151,7 +151,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device re
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/squid/_meta/docs.asciidoc b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
index 0708c243f27..10411c4f73d 100644
--- a/x-pack/filebeat/module/squid/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "squid" device revis
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
index a7acdb5f4bd..18c8d57e169 100644
--- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -12,7 +12,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind
Match rules], but is also compatible with other features like
https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich
Processors]. The related threat intel attribute that is meant to be used for
-matching incoming source data is stored under the `threatintel.indicator.*`
+matching incoming source data is stored under the `threat.indicator.*`
fields.
The available filesets are:
@@ -68,9 +68,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
[options="header"]
|==============================================================
| URL Threat Intel Fields | ECS Fields
-| url | threatintel.indicator.url.full
+| url | threat.indicator.url.full
| date_added | @timestamp
-| host | threatintel.indicator.ip/domain
+| host | threat.indicator.ip/domain
|==============================================================
[[abusemalware]]
@@ -112,9 +112,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields.
[options="header"]
|================================================================
| Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| file_size | threatintel.indicator.file.size
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| file_size | threat.indicator.file.size
|================================================================
[[malwarebazaar]]
@@ -156,24 +156,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields.
[options="header"]
|================================================================
| Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| tlsh | threatintel.indicator.file.hash.tlsh
-| ssdeep | threatintel.indicator.file.hash.ssdeep
-| imphash | threatintel.indicator.file.pe.imphash
-| file_size | threatintel.indicator.file.size
-| file_name | threatintel.indicator.file.name
-| file_type_mime | threatintel.indicator.file.mime_type
-| file_type | threatintel.indicator.file.type
-| reporter | threatintel.indicator.provider
-| origin_country | threatintel.indicator.geo.country_iso_code
-| signature | threatintel.indicator.signature
-| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name
-| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name
-| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm
-| code_sign.valid_from | threatintel.indicator.file.x509.not_before
-| code_sign.valid_to | threatintel.indicator.file.x509.not_after
-| code_sign.serial_number | threatintel.indicator.file.x509.serial_number
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| sha384_hash | threat.indicator.file.hash.sha384
+| tlsh | threat.indicator.file.hash.tlsh
+| ssdeep | threat.indicator.file.hash.ssdeep
+| imphash | threat.indicator.file.pe.imphash
+| file_size | threat.indicator.file.size
+| file_name | threat.indicator.file.name
+| file_type_mime | threat.indicator.file.mime_type
+| file_type | threat.indicator.file.type
+| reporter | threat.indicator.provider
+| origin_country | threat.indicator.geo.country_iso_code
+| signature | threat.indicator.signature
+| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name
+| code_sign.issuer_cn | threat.indicator.file.x509.issuer.common_name
+| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm
+| code_sign.valid_from | threat.indicator.file.x509.not_before
+| code_sign.valid_to | threat.indicator.file.x509.not_after
+| code_sign.serial_number | threat.indicator.file.x509.serial_number
|================================================================
[[misp]]
@@ -250,10 +251,10 @@ MISP Threat Intel is mapped to the following ECS fields.
[options="header"]
|==============================================================
| Malware Threat IntelFields | ECS Fields
-| misp.first_seen | threatintel.indicator.first_seen
-| misp.last_seen | threatintel.indicator.last_seen
+| misp.first_seen | threat.indicator.first_seen
+| misp.last_seen | threat.indicator.last_seen
| misp.tag | tag
-| misp.value | threatintel.indicator.*
+| misp.value | threat.indicator.*
|==============================================================
`misp.value` is mapped to the appropriate field dependent on attribute type.
@@ -331,9 +332,9 @@ OTX Threat Intel is mapped to the following ECS fields.
[options="header"]
|============================================================
| Malware Threat Intel Fields | ECS Fields
-| otx.type | threatintel.indicator.type
-| otx.description | threatintel.indicator.description
-| otx.indicator | threatintel.indicator.*
+| otx.type | threat.indicator.type
+| otx.description | threat.indicator.description
+| otx.indicator | threat.indicator.*
|============================================================
`otx.indicator` is mapped to the appropriate field dependent on attribute type.
@@ -415,10 +416,10 @@ Anomali Threat Intel is mapped to the following ECS fields.
[options="header"]
|=============================================================
| Malware Threat Intel Fields | ECS Fields
-| anomali.description | threatintel.indicator.description
-| anomali.created | threatintel.indicator.first_seen
-| anomali.modified | threatintel.indicator.last_seen
-| anomali.pattern | threatintel.indicator.*
+| anomali.description | threat.indicator.description
+| anomali.created | threat.indicator.first_seen
+| anomali.modified | threat.indicator.last_seen
+| anomali.pattern | threat.indicator.*
| anomali.labels | tags
|=============================================================
@@ -486,24 +487,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
[options="header"]
|=============================================================
| ThreatStream fields | ECS Fields
-| asn | threatintel.indicator.as.number
-| classification<> | threatintel.indicator.marking.tlp
-| confidence<> | threatintel.indicator.confidence
-| country | threatintel.indicator.geo.country_iso_code
-| date_first | threatintel.indicator.first_seen
-| date_last | threatintel.indicator.last_seen
+| asn | threat.indicator.as.number
+| classification<> | threat.indicator.marking.tlp
+| confidence<> | threat.indicator.confidence
+| country | threat.indicator.geo.country_iso_code
+| date_first | threat.indicator.first_seen
+| date_last | threat.indicator.last_seen
| detail | tags
-| domain | threatintel.indicator.url.domain
-| email | threatintel.indicator.email.address
-| itype<> | threatintel.indicator.type
-| lat | threatintel.indicator.geo.location.lat
-| lon | threatintel.indicator.geo.location.lon
-| md5 | threatintel.indicator.file.hash
-| org | threatintel.indicator.as.organization.name
+| domain | threat.indicator.url.domain
+| email | threat.indicator.email.address
+| itype<> | threat.indicator.type
+| lat | threat.indicator.geo.location.lat
+| lon | threat.indicator.geo.location.lon
+| md5 | threat.indicator.file.hash
+| org | threat.indicator.as.organization.name
| severity<> | event.severity
-| source | threatintel.indicator.provider
-| srcip | threatintel.indicator.ip
-| url | threatintel.indicator.url.original
+| source | threat.indicator.provider
+| srcip | threat.indicator.ip
+| url | threat.indicator.url.original
|=============================================================
[[a]]
@@ -585,16 +586,16 @@ Recorded Future fields are mapped to the following ECS fields:
[options="header"]
|=============================================================
| Recorded Future fields | ECS Fields
-| entity.name | threatintel.indicator.{url,ip,domain,file.hash}
-| entity.type | threatintel.indicator.type
-| fileHashes | threatintel.indicator.file.hash
+| entity.name | threat.indicator.{url,ip,domain,file.hash}
+| entity.type | threat.indicator.type
+| fileHashes | threat.indicator.file.hash
| intelCard | event.reference
-| location.asn | threatintel.indicator.as.number
-| location.location | threatintel.indicator.geo
-| location.organization | threatintel.indicator.as.organization.name
+| location.asn | threat.indicator.as.number
+| location.location | threat.indicator.geo
+| location.organization | threat.indicator.as.organization.name
| risk.score | event.risk_score
-| timestamps.firstSeen | threatintel.indicator.first_seen
-| timestamps.lastSeen | threatintel.indicator.last_seen
+| timestamps.firstSeen | threat.indicator.first_seen
+| timestamps.lastSeen | threat.indicator.last_seen
|=============================================================
:has-dashboards!:
@@ -702,11 +703,11 @@ Recorded Future fields are mapped to the following ECS fields:
[options="header"]
|=============================================================
| ThreatQ fields | ECS Fields
-| type.name | threatintel.indicator.type
-| description | threatintel.indicator.description
-| score | threatintel.indicator.confidence
-| value | threatintel.indicator.{url,ip,domain,file.hash}
-| sources | threatintel.indicator.provider
+| type.name | threat.indicator.type
+| description | threat.indicator.description
+| score | threat.indicator.confidence
+| value | threat.indicator.{url,ip,domain,file.hash}
+| sources | threat.indicator.provider
|=============================================================
:has-dashboards!:
diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml
index ee199daa6aa..5fb56abc40a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml
@@ -4,388 +4,21 @@
description: >
Threat intelligence Filebeat Module.
fields:
- - name: threatintel
+ - name: ""
type: group
- description: >
- Fields from the threatintel Filebeat module.
fields:
- - name: indicator.first_seen
- type: date
- description: >
- The date and time when intelligence source first reported sighting this indicator.
- - name: indicator.last_seen
- type: date
- description: >
- The date and time when intelligence source last reported sighting this indicator.
- - name: indicator.sightings
- type: long
- description: >
- Number of times this indicator was observed conducting threat activity.
- - name: indicator.type
+ - name: threat.indicator.file.hash.tlsh
type: keyword
description: >
- Type of indicator as represented by Cyber Observable in STIX 2.0.
- Expected values
- * autonomous-system
- * artifact
- * directory
- * domain-name
- * email-addr
- * file
- * ipv4-addr
- * ipv6-addr
- * mac-addr
- * mutex
- * process
- * software
- * url
- * user-account
- * windows-registry-key
- * x-509-certificate
- - name: indicator.description
- type: keyword
- description: >
- Describes the type of action conducted by the threat.
- - name: indicator.scanner_stats
- type: long
- description: >
- Count of AV/EDR vendors that successfully detected malicious file or URL.
- - name: indicator.provider
+ The file's import tlsh, if available.
+
+ - name: threat.indicator.file.hash.sha384
type: keyword
description: >
- Identifies the name of the intelligence provider.
- - name: indicator.confidence
+ The file's sha384 hash, if available.
+
+ - name: threat.feed.name
type: keyword
- description: >
- Identifies the confidence rating assigned by the provider using STIX confidence scales.
- Expected values
- * Not Specified, None, Low, Medium, High
- * 0-10
- * Admirality Scale (1-6)
- * DNI Scale (5-95)
- * WEP Scale (Impossible - Certain)
- - name: indicator.module
- type: keyword
- description: >
- Identifies the name of specific module this data is coming from.
- - name: indicator.dataset
- type: keyword
- description: >
- Identifies the name of specific dataset from the intelligence source.
- - name: indicator.reference
+
+ - name: threat.feed.dashboard_id
type: keyword
- description: >
- Reference URL linking to additional information about this indicator.
- - name: indicator.ip
- type: ip
- description: >
- Identifies a threat indicator as an IP address (irrespective of direction).
- - name: indicator.port
- type: long
- description: >
- Identifies a threat indicator as a port number (irrespective of direction).
- - name: indicator.email.address
- type: keyword
- description: >
- Identifies a threat indicator as an email address (irrespective of direction).
- - name: indicator.marking.tlp
- type: keyword
- description: >
- Traffic Light Protocol sharing markings.
- Expected values are:
- * White
- * Green
- * Amber
- * Red
- - name: indicator.matched
- type: group
- fields:
- - name: atomic
- type: keyword
- description: >
- Identifies the atomic indicator that matched a local environment endpoint or network event.
- - name: field
- type: keyword
- description: >
- Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
- - name: type
- type: keyword
- description: >
- Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
- - name: indicator.as
- type: group
- fields:
- - name: number
- type: long
- description:
- Unique number allocated to the autonomous system. The autonomous system number (ASN)
- uniquely identifies each network on the Internet.
- example: 15169
- - name: organization.name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Organization name.
- example: Google LLC
- - name: indicator.registry
- type: group
- fields:
- - name: data.strings
- type: keyword
- ignore_above: 1024
- description: >
- Content when writing string types.
- Populated as an array when writing string data to the registry. For single
- string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
- one string. For sequences of string with REG_MULTI_SZ, this array will be
- variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
- be populated with the decimal representation (e.g `"1"`).
- example: '["C:\rta\red_ttp\bin\myapp.exe"]'
- - name: path
- type: keyword
- ignore_above: 1024
- description: Full path, including hive, key and value
- example:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\winword.exe\Debugger
- - name: value
- type: keyword
- ignore_above: 1024
- description: Name of the value written.
- example: Debugger
- - name: key
- type: keyword
- ignore_above: 1024
- description: Registry key value
- - name: indicator.geo
- type: group
- fields:
- - name: city_name
- type: keyword
- ignore_above: 1024
- description: City name.
- example: Montreal
- - name: continent_name
- type: keyword
- ignore_above: 1024
- description: Name of the continent.
- example: North America
- - name: country_iso_code
- type: keyword
- ignore_above: 1024
- description: Country ISO code.
- example: CA
- - name: country_name
- type: keyword
- ignore_above: 1024
- description: Country name.
- example: Canada
- - name: location
- type: geo_point
- description: Longitude and latitude.
- example: '{ "lon": -73.614830, "lat": 45.505918 }'
- - name: region_iso_code
- type: keyword
- ignore_above: 1024
- description: Region ISO code.
- example: CA-QC
- - name: region_name
- type: keyword
- ignore_above: 1024
- description: Region name.
- example: Quebec
- - name: indicator.file.pe.imphash
- type: keyword
- ignore_above: 1024
- description:
- "A hash of the imports in a PE file. An imphash -- or import hash
- -- can be used to fingerprint binaries even after recompilation or other code-level
- transformations have occurred, which would change more traditional hash values.
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html."
- example: 0c6803c4e922103c4dca5963aad36ddf
- - name: indicator.file
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: tlsh
- type: keyword
- description: >
- The file's import tlsh, if available.
- - name: ssdeep
- type: keyword
- description: >
- The file's ssdeep hash, if available.
- - name: md5
- type: keyword
- description: >
- The file's md5 hash, if available.
- - name: sha1
- type: keyword
- description: >
- The file's sha1 hash, if available.
- - name: sha256
- type: keyword
- description: >
- The file's sha256 hash, if available.
- - name: sha384
- type: keyword
- description: >
- The file's sha384 hash, if available.
- - name: sha512
- type: keyword
- description: >
- The file's sha512 hash, if available.
- - name: type
- type: keyword
- ignore_above: 1024
- description: >
- The file type.
- - name: size
- type: long
- description: >
- The file's total size.
- - name: name
- type: keyword
- description: >
- The file's name.
- - name: extension
- type: keyword
- description: >
- The file's extension.
- - name: mime_type
- type: keyword
- description: >
- The file's MIME type.
- - name: indicator.url
- type: group
- fields:
- - name: domain
- type: keyword
- description: >
- Domain of the url, such as "www.elastic.co".
- - name: extension
- type: keyword
- ignore_above: 1024
- description: >
- The field contains the file extension from the original request
- - name: fragment
- type: keyword
- ignore_above: 1024
- description: >
- Portion of the url after the `#`, such as "top".
- - name: full
- type: keyword
- description: >
- If full URLs are important to your use case, they should be stored
- in `url.full`, whether this field is reconstructed or present in the event
- source.
- - name: original
- type: keyword
- description: >
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas
- in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- - name: password
- type: keyword
- ignore_above: 1024
- description: >
- Password of the request.
- - name: path
- type: keyword
- description: >
- Path of the request, such as "/search".
- - name: port
- type: long
- format: string
- description: >
- Port of the request, such as 443.
- - name: query
- type: keyword
- ignore_above: 1024
- description: >
- The query field describes the query string of the request, such
- as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there
- is no query field. If there is a `?` but no query, the query field exists
- with an empty string. The `exists` query can be used to differentiate between
- the two cases.
- - name: registered_domain
- type: keyword
- description: >
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix
- list (http://publicsuffix.org). Trying to approximate this by simply taking
- the last two labels will not work well for TLDs such as "co.uk".
- - name: scheme
- type: keyword
- ignore_above: 1024
- description: >
- Scheme of the request, such as "https".
- - name: subdomain
- type: keyword
- ignore_above: 1024
- description: >
- The subdomain portion of a fully qualified domain name includes
- all of the names except the host name under the registered_domain. In a partially
- qualified domain, or if the the qualification level of the full name cannot
- be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
- the subdomain field should contain "sub2.sub1", with no trailing period.
- - name: top_level_domain
- type: keyword
- ignore_above: 1024
- description: >
- The effective top level domain (eTLD), also known as the domain
- suffix, is the last part of the domain name. For example, the top level domain
- for example.com is "com".
- This value can be determined precisely with a list like the public suffix
- list (http://publicsuffix.org). Trying to approximate this by simply taking
- the last label will not work well for effective TLDs such as "co.uk".
- - name: username
- type: keyword
- ignore_above: 1024
- description: >
- Username of the request.
- - name: indicator.x509
- type: group
- fields:
- - name: serial_number
- type: keyword
- ignore_above: 1024
- description:
- Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
- example: 55FBB9C7DEBF09809D12CCAA
- - name: issuer
- type: keyword
- ignore_above: 1024
- description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.
- example:
- C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
- Server CA
- - name: subject
- type: keyword
- ignore_above: 1024
- description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.
- example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
- - name: alternative_names
- type: keyword
- ignore_above: 1024
- description:
- List of subject alternative names (SAN). Name types vary by certificate
- authority and certificate type but commonly contain IP addresses, DNS names
- (and wildcards), and email addresses.
- example: "*.elastic.co"
- - name: indicator.signature
- type: keyword
- description: >
- Malware family of sample (if available).
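Review bot: `threat.feed.name` and `threat.feed.dashboard_id` are added with only `type: keyword` and no `description:`, unlike the two hash fields above them in the same hunk and every definition the hunk removes, so the generated exported-fields documentation will list them blank. Presumably they hold the feed's display name and the ID of the Kibana dashboard shipped for that feed; if so, add `description: >` with `Display name of the threat feed the indicator came from.` and `ID of the Kibana dashboard associated with this feed.` respectively, and confirm the wording against the ingest pipelines that set them. Separately, the tlsh description carried over from the removed block still reads `The file's import tlsh, if available.`, where "import" looks like a leftover from the imphash wording; `The file's TLSH hash, if available.` would match the sibling sha384 entry.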
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json
index 993d2edccce..91a5cc79018 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.type"
+ "sourceField": "threat.indicator.type"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -96,4 +96,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json
index 14722019106..c6ef974933e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.provider"
+ "sourceField": "threat.indicator.provider"
},
"11576d1f-5400-4a71-bf04-681099e755d5": {
"dataType": "number",
@@ -95,4 +95,4 @@
"type": "lens",
"updated_at": "2021-10-11T08:02:55.512Z",
"version": "WzUyOSwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json
index 5be6f447603..0c677668719 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.type"
+ "sourceField": "threat.indicator.type"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -96,4 +96,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NjIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json
index b427db18d51..38b8c85420e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.ip"
+ "sourceField": "threat.indicator.ip"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -47,7 +47,7 @@
"filters": [],
"query": {
"language": "kuery",
- "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv6-addr"
+ "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv6-addr"
},
"visualization": {
"columns": [
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json
index a053c190ada..b4182474c23 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json
@@ -14,7 +14,7 @@
"959db113-1ce6-46fc-97c3-dbf5fd5abb9a": {
"dataType": "string",
"isBucketed": true,
- "label": "Top values of threatintel.abusemalware.signature",
+ "label": "Top values of abusech.malware.signature",
"operationType": "terms",
"params": {
"missingBucket": false,
@@ -27,7 +27,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.abusemalware.signature"
+ "sourceField": "abusech.malware.signature"
},
"de396547-655b-4db2-8a21-e9850acff0b0": {
"dataType": "number",
@@ -91,13 +91,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abusemalware.signature"
+ "field": "abusech.malware.signature"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "filter-index-pattern-2",
- "key": "threatintel.abusemalware.signature",
+ "key": "abusech.malware.signature",
"negate": false,
"type": "exists",
"value": "exists"
@@ -168,4 +168,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:29.041Z",
"version": "WzQ2MDMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json
index 05d17760abc..c771588f924 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.resource_uri"
+ "sourceField": "anomali.threatstream.resource_uri"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json
index d8abec34b65..e2269eea6d9 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.sha256"
+ "sourceField": "threat.indicator.file.hash.sha256"
}
},
"incompleteColumns": {}
@@ -90,4 +90,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json
index e48267b1fd8..86507728c60 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.classification"
+ "sourceField": "anomali.threatstream.classification"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -94,4 +94,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json
index 4f33f959e3a..bdfbd6b5096 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.itype"
+ "sourceField": "anomali.threatstream.itype"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -94,4 +94,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json
index 88c19ed280d..da5e6785b5a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.domain"
+ "sourceField": "threat.indicator.url.domain"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json
index 03bafd193b3..a6fde56bd64 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.url.domain"
+ "sourceField": "threat.indicator.url.domain"
}
},
"incompleteColumns": {}
@@ -90,4 +90,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json
index 88642bb872e..27fee210ffd 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.ip"
+ "sourceField": "threat.indicator.ip"
}
},
"incompleteColumns": {}
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json
index 2abc0bb7316..781a6a42a39 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.url.original"
+ "sourceField": "threat.indicator.url.original"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json
index dbdc1f05605..741a17e6b10 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.anomali.name"
+ "sourceField": "anomali.limo.name"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json
index b321f95bae8..e1b1dfc2fc8 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.sha256"
+ "sourceField": "threat.indicator.file.hash.sha256"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json
index 86e2c969773..16f93c3473b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.url.original"
+ "sourceField": "threat.indicator.url.original"
}
},
"incompleteColumns": {}
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json
index be51533efa4..b8cc9578146 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.url.path"
+ "sourceField": "threat.indicator.url.path"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json
index 42d14abd0ec..09935680d66 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json
@@ -22,7 +22,7 @@
"a6319ec8-2ec8-4d3a-bc54-efe0a306786f": {
"dataType": "string",
"isBucketed": true,
- "label": "Top values of threatintel.indicator.type",
+ "label": "Top values of threat.indicator.type",
"operationType": "terms",
"params": {
"missingBucket": false,
@@ -35,7 +35,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.type"
+ "sourceField": "threat.indicator.type"
}
},
"incompleteColumns": {}
@@ -70,13 +70,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "filter-index-pattern-1",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -147,4 +147,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:32.145Z",
"version": "WzQ2NTMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json
index b4784339ef2..ec09008e580 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.recordedfuture.risk.riskSummary"
+ "sourceField": "recordedfuture.risk.riskSummary"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NjYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json
index b9d9b336d1e..7bfea0d313e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.md5"
+ "sourceField": "threat.indicator.file.hash.md5"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json
index cb82ae74ba5..b6a60ae06c2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.anomali.description"
+ "sourceField": "anomali.limo.description"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json
index ce6d74b3763..7a4ccbec7ff 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.url.scheme"
+ "sourceField": "threat.indicator.url.scheme"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json
index 2e80121c2e4..062ccc359f7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.sha1"
+ "sourceField": "threat.indicator.file.hash.sha1"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json
index 02719d9dcb0..17f6d2ccc21 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.url.domain"
+ "sourceField": "threat.indicator.url.domain"
}
},
"incompleteColumns": {}
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json
index c7587803107..2ee5c4b1a2a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.recordedfuture.risk.criticalityLabel"
+ "sourceField": "recordedfuture.risk.criticalityLabel"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -94,4 +94,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NjMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json
index ed51bcc85fb..5f95d44b92d 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 3
},
"scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.severity"
+ "sourceField": "anomali.threatstream.severity"
}
},
"incompleteColumns": {}
@@ -98,4 +98,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json
index 0850075db5b..c1110d8d611 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.confidence"
+ "sourceField": "threat.indicator.confidence"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -94,4 +94,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1NzgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json
index 5915a46aca5..6163c46e0b0 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.ip"
+ "sourceField": "threat.indicator.ip"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -47,7 +47,7 @@
"filters": [],
"query": {
"language": "kuery",
- "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv4-addr"
+ "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv4-addr"
},
"visualization": {
"columns": [
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NjksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json
index 63c9a1eebde..9eecce1a1c3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.provider"
+ "sourceField": "threat.indicator.provider"
}
},
"incompleteColumns": {}
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json
index 0d2bc89d441..ddb2717dd0e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json
@@ -15,7 +15,7 @@
"73cdbb81-57ca-4474-a86c-bca60a527d29": {
"dataType": "string",
"isBucketed": true,
- "label": "Top values of threatintel.indicator.type",
+ "label": "Top values of threat.indicator.type",
"operationType": "terms",
"params": {
"missingBucket": false,
@@ -28,7 +28,7 @@
"size": 15
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.type"
+ "sourceField": "threat.indicator.type"
},
"89f18519-9360-4d37-ae52-134604ac6cfc": {
"customLabel": true,
@@ -118,4 +118,4 @@
"type": "lens",
"updated_at": "2021-10-11T08:02:55.512Z",
"version": "WzUyOCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json
index f630743094f..e718c098360 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.state"
+ "sourceField": "anomali.threatstream.state"
}
},
"incompleteColumns": {}
@@ -112,4 +112,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json
index b9b2341c0b1..4a25b4df0ef 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.md5"
+ "sourceField": "threat.indicator.file.hash.md5"
}
},
"incompleteColumns": {}
@@ -90,4 +90,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json
index 1985a727380..03d75c58b2f 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.id"
+ "sourceField": "anomali.threatstream.id"
}
},
"incompleteColumns": {}
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1OTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json
index 45745f96eb0..f4c84cc7426 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.sha1"
+ "sourceField": "threat.indicator.file.hash.sha1"
}
},
"incompleteColumns": {}
@@ -90,4 +90,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:33.127Z",
"version": "WzQ2NzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json
index a3740f838db..7e2446f1e8d 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 10
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.email.address"
+ "sourceField": "threat.indicator.email.address"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -91,4 +91,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json
index c5c7c021b28..9b281bf4769 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "threatintel.indicator.marking.tlp"
+ "sourceField": "threat.indicator.marking.tlp"
},
"9afb1b09-0f20-488c-9242-a94f7d11800b": {
"dataType": "number",
@@ -112,4 +112,4 @@
"type": "lens",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
index 63e7825a56b..b37986b02eb 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
@@ -35,7 +35,7 @@
"type": "count"
}
],
- "term": "threatintel.indicator.geo.country_iso_code",
+ "term": "threat.indicator.geo.country_iso_code",
"type": "ES_TERM_SOURCE"
}
}
@@ -205,4 +205,4 @@
"type": "map",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MTksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json
index 8100b60e6b3..e5e94752566 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json
@@ -29,16 +29,16 @@
"applyGlobalQuery": true,
"applyGlobalTime": true,
"filterByMapBounds": true,
- "geoField": "threatintel.indicator.geo.location",
+ "geoField": "threat.indicator.geo.location",
"id": "a3ecc6af-0299-4cb9-a29c-0b70f666b011",
"indexPatternRefName": "layer_1_source_index_pattern",
"scalingType": "LIMIT",
"sortField": "",
"sortOrder": "desc",
"tooltipProperties": [
- "threatintel.indicator.as.number",
- "threatintel.indicator.as.organization.name",
- "threatintel.indicator.geo.country_iso_code"
+ "threat.indicator.as.number",
+ "threat.indicator.as.organization.name",
+ "threat.indicator.geo.country_iso_code"
],
"topHitsSize": 1,
"topHitsSplitField": "",
@@ -195,4 +195,4 @@
"type": "map",
"updated_at": "2021-08-04T16:34:28.102Z",
"version": "WzQ1ODgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json
index 93d283d07e0..3bc7559fbf6 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.otx.title"
+ "field": "otx.title"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.otx.title",
+ "key": "otx.title",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX Indicator Title",
- "field": "threatintel.otx.title",
+ "field": "otx.title",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NzQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json
index 822c006ccc2..ff5c6b0b875 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.sha1"
+ "field": "threat.indicator.file.hash.sha1"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha1",
+ "key": "threat.indicator.file.hash.sha1",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "MISP SHA1 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha1",
+ "field": "threat.indicator.file.hash.sha1",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2NDEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json
index 1197b8b4a7e..44b6e23d553 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.md5"
+ "field": "threat.indicator.file.hash.md5"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.md5",
+ "key": "threat.indicator.file.hash.md5",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX MD5 Hash Indicator",
- "field": "threatintel.indicator.file.hash.md5",
+ "field": "threat.indicator.file.hash.md5",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NzMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json
index bf55ff3b237..624dde62b61 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.sha1"
+ "field": "threat.indicator.file.hash.sha1"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha1",
+ "key": "threat.indicator.file.hash.sha1",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"id": "2",
"params": {
"customLabel": "SHA1 Hash",
- "field": "threatintel.indicator.file.hash.sha1",
+ "field": "threat.indicator.file.hash.sha1",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -134,4 +134,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json
index f9fc2390a2b..f43232fe645 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
"negate": false,
"type": "exists",
"value": "exists"
@@ -47,13 +47,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -84,7 +84,7 @@
"id": "2",
"params": {
"customLabel": "SHA256 Hash",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -101,7 +101,7 @@
"id": "3",
"params": {
"customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -162,4 +162,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:29.041Z",
"version": "WzQ2MDYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
index b2e430cff4c..e972911d995 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
@@ -26,13 +26,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"enabled": true,
"id": "3",
"params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -143,4 +143,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:32.145Z",
"version": "WzQ2NDksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
index 71144247760..550140b912f 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "Threat Indicator Domain",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
index e2f3d6fda09..e77a6cee76b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "MISP SHA256 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2NDIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
index 328a64f0785..57ca90543d3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.pe.imphash"
+ "field": "threat.indicator.file.pe.imphash"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.pe.imphash",
+ "key": "threat.indicator.file.pe.imphash",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"id": "2",
"params": {
"customLabel": "Imphash Hash",
- "field": "threatintel.indicator.file.pe.imphash",
+ "field": "threat.indicator.file.pe.imphash",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -134,4 +134,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
index b3e12fb4193..4bec354e536 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.md5"
+ "field": "threat.indicator.file.hash.md5"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.md5",
+ "key": "threat.indicator.file.hash.md5",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"id": "2",
"params": {
"customLabel": "MD5 Hash",
- "field": "threatintel.indicator.file.hash.md5",
+ "field": "threat.indicator.file.hash.md5",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -134,4 +134,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
index 0e395ef2431..9bb6455feea 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.ip"
+ "field": "threat.indicator.ip"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.ip",
+ "key": "threat.indicator.ip",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX IP Indicator",
- "field": "threatintel.indicator.ip",
+ "field": "threat.indicator.ip",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NjcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
index f931164c888..50f2a9cebc5 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@
"id": "2",
"params": {
"customLabel": "Confidence",
- "field": "threatintel.indicator.confidence",
+ "field": "threat.indicator.confidence",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -148,4 +148,4 @@
"type": "visualization",
"updated_at": "2021-10-11T08:02:55.512Z",
"version": "WzUzMCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
index 3edcd79c797..bc86816afc3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.url.original"
+ "field": "threat.indicator.url.original"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.original",
+ "key": "threat.indicator.url.original",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX URL Indicator",
- "field": "threatintel.indicator.url.original",
+ "field": "threat.indicator.url.original",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NjksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
index f8d2e419a2b..a3e2646eea2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
@@ -27,7 +27,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -82,4 +82,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:29.041Z",
"version": "WzQ2MDcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
index d1e07d3fbbb..37aa10e1c04 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.ssdeep"
+ "field": "threat.indicator.file.hash.ssdeep"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.ssdeep",
+ "key": "threat.indicator.file.hash.ssdeep",
"negate": false,
"type": "exists",
"value": "exists"
@@ -47,13 +47,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -84,7 +84,7 @@
"id": "2",
"params": {
"customLabel": "ssdeep Hash",
- "field": "threatintel.indicator.file.hash.ssdeep",
+ "field": "threat.indicator.file.hash.ssdeep",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -101,7 +101,7 @@
"id": "3",
"params": {
"customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -162,4 +162,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:29.041Z",
"version": "WzQ2MDgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
index 79f94d2a046..65880a6f4bb 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX IP Indicator",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
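Review bot: Two distinct source fields now collapse onto the same target: this visualization (49f0c060) maps `threatintel.indicator.domain` to `threat.indicator.url.domain`, while 9109e490 later in the same patch maps `threatintel.indicator.url.domain` to that identical field, and both also filter on `exists: threat.indicator.url.domain`. Unless the ingest pipeline (not visible here) keeps bare-domain and URL-derived indicators separable some other way, these two OTX panels become duplicate aggregations of one field rather than the distinct "domain" and "URL domain" views they were before. If the merge is intentional, consider dropping one of the two visualizations from the dashboard or adding a distinguishing filter such as `threat.indicator.type: domain-name` here. Separately, the `customLabel` "AlienVault OTX IP Indicator" on this domain-based terms aggregation is pre-existing but misleading; renaming it to `"customLabel": "AlienVault OTX Domain Indicator"` would be cheap to fold into this change. The visState object this hunk edits starts and ends outside the hunk.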
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NjgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
index f44f7a32fa3..324c632ab27 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX SHA256 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
index 927f457e351..014612f2d3c 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.provider"
+ "field": "threat.indicator.provider"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.provider",
+ "key": "threat.indicator.provider",
"negate": false,
"type": "exists",
"value": "exists"
@@ -72,7 +72,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -137,4 +137,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2NDMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
index db8a7fcef7e..ad4c74b0110 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"id": "2",
"params": {
"customLabel": "SHA256 Hash",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -134,4 +134,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
index f559210728b..b5fe450d273 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@
"id": "2",
"params": {
"customLabel": "Most Linked Adversaries",
- "field": "threatintel.threatq.adversaries",
+ "field": "threatq.adversaries",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -74,4 +74,4 @@
"type": "visualization",
"updated_at": "2021-10-11T08:02:55.512Z",
"version": "WzUyNiwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
index fde00ab644d..3626ee406b7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
@@ -31,7 +31,7 @@
"id": "2",
"params": {
"customLabel": "Indicator Type",
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -48,7 +48,7 @@
"id": "3",
"params": {
"customLabel": "Indicator Value",
- "field": "threatintel.threatq.indicator_value",
+ "field": "threatq.indicator_value",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -94,4 +94,4 @@
"type": "visualization",
"updated_at": "2021-10-11T08:07:14.354Z",
"version": "WzYxNCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
index 4e9740c9a10..75b7601754b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.url.path"
+ "field": "threat.indicator.url.path"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.path",
+ "key": "threat.indicator.url.path",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX URI Indicator",
- "field": "threatintel.indicator.url.path",
+ "field": "threat.indicator.url.path",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NzEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
index c0879c8aff7..039e88b7677 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.url.full"
+ "field": "threat.indicator.url.full"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.full",
+ "key": "threat.indicator.url.full",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "Threat Indicator URL",
- "field": "threatintel.indicator.url.full",
+ "field": "threat.indicator.url.full",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
index 479d7e408e3..4de8710a0e2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.ssdeep"
+ "field": "threat.indicator.file.hash.ssdeep"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.ssdeep",
+ "key": "threat.indicator.file.hash.ssdeep",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"id": "2",
"params": {
"customLabel": "ssdeep Hash",
- "field": "threatintel.indicator.file.hash.ssdeep",
+ "field": "threat.indicator.file.hash.ssdeep",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -134,4 +134,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
index 6767b7e0d19..e2833363e12 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "MISP Domain Indicator",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2MzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
index bc70c5824da..773a823e514 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.tlsh"
+ "field": "threat.indicator.file.hash.tlsh"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.tlsh",
+ "key": "threat.indicator.file.hash.tlsh",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"id": "2",
"params": {
"customLabel": "TLSH Hash",
- "field": "threatintel.indicator.file.hash.tlsh",
+ "field": "threat.indicator.file.hash.tlsh",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -134,4 +134,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
index 50bed6e06e4..0551a2e4428 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.tlsh"
+ "field": "threat.indicator.file.hash.tlsh"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.tlsh",
+ "key": "threat.indicator.file.hash.tlsh",
"negate": false,
"type": "exists",
"value": "exists"
@@ -47,13 +47,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -84,7 +84,7 @@
"id": "2",
"params": {
"customLabel": "TLSH Hash",
- "field": "threatintel.indicator.file.hash.tlsh",
+ "field": "threat.indicator.file.hash.tlsh",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -101,7 +101,7 @@
"id": "3",
"params": {
"customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -162,4 +162,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:29.041Z",
"version": "WzQ2MDIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
index 6ca2835a167..ffb99fa0838 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -66,7 +66,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -131,4 +131,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2MzQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
index 08ea90539c1..75f21ca1a42 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.first_seen"
+ "field": "threat.indicator.first_seen"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.first_seen",
+ "key": "threat.indicator.first_seen",
"negate": false,
"type": "exists",
"value": "exists"
@@ -76,7 +76,7 @@
"id": "2",
"params": {
"customLabel": "Indicator First Seen",
- "field": "threatintel.indicator.first_seen",
+ "field": "threat.indicator.first_seen",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -132,4 +132,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
index 3001eca6082..0b947ec09cd 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abuseurl.threat"
+ "field": "abusech.url.threat"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.threat",
+ "key": "abusech.url.threat",
"negate": false,
"type": "exists",
"value": "exists"
@@ -73,7 +73,7 @@
"id": "2",
"params": {
"customLabel": "Abuse URL Threat",
- "field": "threatintel.abuseurl.threat",
+ "field": "abusech.url.threat",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -204,4 +204,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
index 8fd2ef65b07..13aee45f317 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.extension"
+ "field": "threat.indicator.file.extension"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.extension",
+ "key": "threat.indicator.file.extension",
"negate": false,
"type": "exists",
"value": "exists"
@@ -66,7 +66,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.indicator.file.extension",
+ "field": "threat.indicator.file.extension",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -131,4 +131,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MTcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
index cfa8fad3789..652e363bbf0 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
@@ -34,7 +34,7 @@
"id": "2",
"params": {
"customLabel": "Threat Indicator Provider",
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -156,4 +156,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:32.145Z",
"version": "WzQ2NTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
index 3e1c8861ced..9146d87144a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.url.domain"
+ "field": "threat.indicator.url.domain"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.domain",
+ "key": "threat.indicator.url.domain",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "AlienVault OTX URL Domain Indicator",
- "field": "threatintel.indicator.url.domain",
+ "field": "threat.indicator.url.domain",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NzAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
index f9a63566f09..c6ec332aa22 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
@@ -33,7 +33,7 @@
"type": "list"
},
{
- "fieldName": "threatintel.indicator.provider",
+ "fieldName": "threat.indicator.provider",
"id": "1614117093181",
"indexPatternRefName": "control_1_index_pattern",
"label": "Indicator Provider",
@@ -48,7 +48,7 @@
"type": "list"
},
{
- "fieldName": "threatintel.indicator.type",
+ "fieldName": "threat.indicator.type",
"id": "1614117117360",
"indexPatternRefName": "control_2_index_pattern",
"label": "Indicator Type",
@@ -101,4 +101,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:32.145Z",
"version": "WzQ2NDcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
index a9c17ee0611..b2f747547b3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
@@ -35,7 +35,7 @@
"id": "2",
"params": {
"customLabel": "",
- "field": "threatintel.indicator.url.scheme",
+ "field": "threat.indicator.url.scheme",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -156,4 +156,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NjQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
index 0c5102dfd14..03edc5edc0b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abuseurl.tags"
+ "field": "abusech.url.tags"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.tags",
+ "key": "abusech.url.tags",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "Abuse URL Tags",
- "field": "threatintel.abuseurl.tags",
+ "field": "abusech.url.tags",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
index d81abd72e48..d34f5079186 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.ip"
+ "field": "threat.indicator.ip"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.ip",
+ "key": "threat.indicator.ip",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "MISP IP Indicator",
- "field": "threatintel.indicator.ip",
+ "field": "threat.indicator.ip",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2MzMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
index 419dcc323d1..ba4ce6e4ea7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abuseurl.blacklists.spamhaus_dbl"
+ "field": "abusech.url.blacklists.spamhaus_dbl"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.blacklists.spamhaus_dbl",
+ "key": "abusech.url.blacklists.spamhaus_dbl",
"negate": false,
"type": "exists",
"value": "exists"
@@ -47,13 +47,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abuseurl.blacklists.surbl"
+ "field": "abusech.url.blacklists.surbl"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.abuseurl.blacklists.surbl",
+ "key": "abusech.url.blacklists.surbl",
"negate": false,
"type": "exists",
"value": "exists"
@@ -84,7 +84,7 @@
"id": "2",
"params": {
"customLabel": "Spamhaus DBL Blacklist Status",
- "field": "threatintel.abuseurl.blacklists.spamhaus_dbl",
+ "field": "abusech.url.blacklists.spamhaus_dbl",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -101,7 +101,7 @@
"id": "3",
"params": {
"customLabel": "SURBL Blacklist Status",
- "field": "threatintel.abuseurl.blacklists.surbl",
+ "field": "abusech.url.blacklists.surbl",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -162,4 +162,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NjAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json
index 007929c6d0a..81340059012 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.url.scheme"
+ "field": "threat.indicator.url.scheme"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.scheme",
+ "key": "threat.indicator.url.scheme",
"negate": false,
"type": "exists",
"value": "exists"
@@ -74,7 +74,7 @@
"id": "2",
"params": {
"customLabel": "URL Scheme",
- "field": "threatintel.indicator.url.scheme",
+ "field": "threat.indicator.url.scheme",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -90,7 +90,7 @@
"enabled": true,
"id": "3",
"params": {
- "field": "threatintel.indicator.url.scheme",
+ "field": "threat.indicator.url.scheme",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -220,4 +220,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json
index 59f66be7644..25929d8fef8 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json
@@ -27,7 +27,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -82,4 +82,4 @@
"type": "visualization",
"updated_at": "2021-10-11T08:02:55.512Z",
"version": "WzUyNSwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json
index a0719389fc8..0b6cc17dce5 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json
@@ -35,7 +35,7 @@
"id": "2",
"params": {
"customLabel": "Indicator Marking TLP",
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -51,7 +51,7 @@
"enabled": true,
"id": "3",
"params": {
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -171,4 +171,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2MzgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json
index 0d3c70a156f..09bbd1da8a4 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json
@@ -9,13 +9,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.marking.tlp"
+ "field": "threat.indicator.marking.tlp"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "threatintel.indicator.marking.tlp",
+ "key": "threat.indicator.marking.tlp",
"negate": false,
"type": "exists",
"value": "exists"
@@ -55,7 +55,7 @@
"id": "2",
"params": {
"customLabel": "Indicator Marking TLP",
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -71,7 +71,7 @@
"enabled": true,
"id": "3",
"params": {
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -196,4 +196,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:32.145Z",
"version": "WzQ2NTcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json
index dd4771dced6..6b53ad4b086 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.pe.imphash"
+ "field": "threat.indicator.file.pe.imphash"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.pe.imphash",
+ "key": "threat.indicator.file.pe.imphash",
"negate": false,
"type": "exists",
"value": "exists"
@@ -47,13 +47,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -84,7 +84,7 @@
"id": "2",
"params": {
"customLabel": "Imphash Hash",
- "field": "threatintel.indicator.file.pe.imphash",
+ "field": "threat.indicator.file.pe.imphash",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -101,7 +101,7 @@
"id": "3",
"params": {
"customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -162,4 +162,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:29.041Z",
"version": "WzQ2MDUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json
index f1fc5472b6b..395627036b1 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.malwarebazaar.intelligence.downloads"
+ "field": "abusech.malwarebazaar.intelligence.downloads"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.malwarebazaar.intelligence.downloads",
+ "key": "abusech.malwarebazaar.intelligence.downloads",
"negate": false,
"type": "exists",
"value": "exists"
@@ -76,7 +76,7 @@
"id": "2",
"params": {
"customLabel": "Malware Bazaar Downloads",
- "field": "threatintel.malwarebazaar.intelligence.downloads",
+ "field": "abusech.malwarebazaar.intelligence.downloads",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -132,4 +132,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json
index f65bf82d5b3..f71bb235922 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.misp.published"
+ "field": "misp.published"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.misp.published",
+ "key": "misp.published",
"negate": false,
"type": "exists",
"value": "exists"
@@ -72,7 +72,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.misp.published",
+ "field": "misp.published",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -137,4 +137,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2MzksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json
index 4ee6602cf67..e992bfb8585 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.url.full"
+ "field": "threat.indicator.url.full"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.full",
+ "key": "threat.indicator.url.full",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "MISP URL Indicator",
- "field": "threatintel.indicator.url.full",
+ "field": "threat.indicator.url.full",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2MzYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json
index 225ca993710..ad6317b4101 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.provider"
+ "field": "threat.indicator.provider"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.provider",
+ "key": "threat.indicator.provider",
"negate": false,
"type": "exists",
"value": "exists"
@@ -73,7 +73,7 @@
"id": "2",
"params": {
"customLabel": "Indicator Provider",
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -204,4 +204,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json
index 18539863d1a..6619c3564fe 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json
@@ -9,13 +9,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"enabled": true,
"id": "3",
"params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -192,4 +192,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:32.145Z",
"version": "WzQ2NTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json
index 107bf321eac..340bcc359c8 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.mime_type"
+ "field": "threat.indicator.file.mime_type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.mime_type",
+ "key": "threat.indicator.file.mime_type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -78,7 +78,7 @@
"id": "3",
"params": {
"customLabel": "File MIME Type",
- "field": "threatintel.indicator.file.mime_type",
+ "field": "threat.indicator.file.mime_type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -134,4 +134,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json
index 26f577c2864..7450b383291 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.url.full"
+ "field": "threat.indicator.url.full"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.full",
+ "key": "threat.indicator.url.full",
"negate": false,
"type": "exists",
"value": "exists"
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json
index bd6250bdc9b..a3f14f00b0e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.malwarebazaar.intelligence.uploads"
+ "field": "abusech.malwarebazaar.intelligence.uploads"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.malwarebazaar.intelligence.uploads",
+ "key": "abusech.malwarebazaar.intelligence.uploads",
"negate": false,
"type": "exists",
"value": "exists"
@@ -76,7 +76,7 @@
"id": "2",
"params": {
"customLabel": "Malware Bazaar Uploads",
- "field": "threatintel.malwarebazaar.intelligence.uploads",
+ "field": "abusech.malwarebazaar.intelligence.uploads",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -132,4 +132,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MjEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json
index 3674297d158..fa58d2934c7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abuseurl.url_status"
+ "field": "abusech.url.url_status"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.url_status",
+ "key": "abusech.url.url_status",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "URL Status",
- "field": "threatintel.abuseurl.url_status",
+ "field": "abusech.url.url_status",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json
index e05220ceeab..8745f6c3ca3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abuseurl.larted"
+ "field": "abusech.url.larted"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.larted",
+ "key": "abusech.url.larted",
"negate": false,
"type": "exists",
"value": "exists"
@@ -73,7 +73,7 @@
"id": "2",
"params": {
"customLabel": "Hosting Provider Notified",
- "field": "threatintel.abuseurl.larted",
+ "field": "abusech.url.larted",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -138,4 +138,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json
index 4a7c4dfa740..517fa9c84ce 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.file.hash.md5"
+ "field": "threat.indicator.file.hash.md5"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.md5",
+ "key": "threat.indicator.file.hash.md5",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "MISP MD5 Hash Indicator",
- "field": "threatintel.indicator.file.hash.md5",
+ "field": "threat.indicator.file.hash.md5",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:31.083Z",
"version": "WzQ2NDAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json
index ea0aef5cb86..16d083d8762 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abuseurl.threat"
+ "field": "abusech.url.threat"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.threat",
+ "key": "abusech.url.threat",
"negate": false,
"type": "exists",
"value": "exists"
@@ -72,7 +72,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -203,4 +203,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:25.974Z",
"version": "WzQ1NTYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json
index 3d473b4e17d..41b0ecfa65b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
"negate": false,
"type": "exists",
"value": "exists"
@@ -66,7 +66,7 @@
"enabled": true,
"id": "2",
"params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -131,4 +131,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:27.014Z",
"version": "WzQ1NjYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json
index 958c15dba69..664816cccba 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.malwarebazaar.tags"
+ "field": "abusech.malwarebazaar.tags"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.malwarebazaar.tags",
+ "key": "abusech.malwarebazaar.tags",
"negate": false,
"type": "exists",
"value": "exists"
@@ -67,7 +67,7 @@
"id": "2",
"params": {
"customLabel": "Malware Bazaar Tags",
- "field": "threatintel.malwarebazaar.tags",
+ "field": "abusech.malwarebazaar.tags",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -123,4 +123,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:30.070Z",
"version": "WzQ2MTQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json
index 21660b248e4..516a572fb88 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abusemalware.virustotal.link"
+ "field": "abusech.malware.virustotal.link"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abusemalware.virustotal.link",
+ "key": "abusech.malware.virustotal.link",
"negate": false,
"type": "exists",
"value": "exists"
@@ -47,13 +47,13 @@
"store": "appState"
},
"exists": {
- "field": "threatintel.abusemalware.virustotal.result"
+ "field": "abusech.malware.virustotal.result"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.abusemalware.virustotal.result",
+ "key": "abusech.malware.virustotal.result",
"negate": false,
"type": "exists",
"value": "exists"
@@ -95,7 +95,7 @@
"id": "2",
"params": {
"customLabel": "VirusTotal URL",
- "field": "threatintel.abusemalware.virustotal.link",
+ "field": "abusech.malware.virustotal.link",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -112,7 +112,7 @@
"id": "3",
"params": {
"customLabel": "VirusTotal Result",
- "field": "threatintel.abusemalware.virustotal.result",
+ "field": "abusech.malware.virustotal.result",
"missingBucket": false,
"missingBucketLabel": "Missing",
"order": "desc",
@@ -173,4 +173,4 @@
"type": "visualization",
"updated_at": "2021-08-04T16:34:29.041Z",
"version": "WzQ2MTAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml
index 55f8657bc6e..73aae20e07f 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: abusemalware
+- name: abusech.malware
type: group
description: >
Fields for AbuseCH Malware Threat Intel
@@ -31,4 +31,4 @@
- name: virustotal.link
type: keyword
description: >
- Link to the Virustotal report.
\ No newline at end of file
+ Link to the Virustotal report.
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
index e7f4f8cc264..b4365bd3e5b 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
@@ -11,10 +11,9 @@ request.ssl: {{ .ssl | tojson }}
request.proxy_url: {{ .proxy_url }}
{{ end }}
request.url: {{ .url }}
-request.transforms:
-- set:
- target: header.Content-Type
- value: application/json
+{{ if .http_client_timeout }}
+request.timeout: {{ .http_client_timeout }}
+{{ end }}
response.split:
target: body.payloads
@@ -30,17 +29,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields: ["json.md5_hash"]
- target_field: "@metadata._id"
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
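Review bot: The `- {{$val}}` lines render each tag as an unquoted plain scalar, whereas the removed `tags: {{.tags | tojson}}` emitted a JSON array whose elements were always quoted strings. A user-supplied tag such as `on`, `null`, `1.10`, or one starting with `#` or `*` would now be retyped or mis-parsed by the YAML loader instead of being kept as a string; `- "{{$val}}"` preserves the old behaviour. Separately, when `.tags` is empty and `preserve_original_event` is false the template leaves a bare `tags:`, which loads as null rather than an empty list; I have not checked whether Filebeat's config loader tolerates that.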
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
index 5e24b68c52e..da0b365724f 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
@@ -1,4 +1,5 @@
-description: Pipeline for parsing Abuse.ch Malware Threat Intel
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
processors:
####################
# Event ECS fields #
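Review bot: The new description reads `Pipeline for parsing Abuse.ch URL Threat Intel`, but this file is `abusemalware/ingest/pipeline.yml` and the rest of the pipeline (feed name `[Filebeat] AbuseCH Malware`, file hashes, imphash) handles the malware feed, so the text looks copied from the URL pipeline. Suggest `description: Pipeline for parsing Abuse.ch Malware Threat Intel`. The description is what `GET _ingest/pipeline` shows, so a wrong one makes the two abuse.ch pipelines hard to tell apart when debugging ingest failures.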
@@ -6,6 +7,9 @@ processors:
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
@@ -20,92 +24,110 @@ processors:
# General ECS fields #
######################
- rename:
- field: json
- target_field: threatintel.abusemalware
+ field: message
+ target_field: event.original
ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.malware
+ - fingerprint:
+ fields:
+ - abusech.malware.md5_hash
+ - abusech.malware.sha256_hash
+ target_field: "_id"
#####################
# Threat ECS Fields #
#####################
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] AbuseCH Malware"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
- date:
- field: threatintel.abusemalware.firstseen
- target_field: threatintel.indicator.first_seen
+ field: abusech.malware.firstseen
+ target_field: threat.indicator.first_seen
formats:
- "yyyy-MM-dd HH:mm:ss z"
- "yyyy-MM-dd HH:mm:ss Z"
- "yyyy-MM-dd HH:mm:ss"
- if: "ctx?.threatintel?.abusemalware.firstseen != null"
+ if: "ctx.abusech?.malware?.firstseen != null"
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- rename:
- field: threatintel.abusemalware.file_size
- target_field: threatintel.indicator.file.size
+ field: abusech.malware.file_size
+ target_field: threat.indicator.file.size
ignore_missing: true
- rename:
- field: threatintel.abusemalware.file_type
- target_field: threatintel.indicator.file.type
+ field: abusech.malware.file_type
+ target_field: threat.indicator.file.type
ignore_missing: true
# This includes a direct link to malicious files, we do not want them to appear in Kibana
# in case they are accidently clicked.
- remove:
- field: threatintel.abusemalware.urlhaus_download
+ field: abusech.malware.urlhaus_download
ignore_missing: true
- convert:
- field: threatintel.indicator.file.size
+ field: threat.indicator.file.size
type: long
ignore_missing: true
+ - convert:
+ field: abusech.malware.virustotal.percent
+ type: float
+ ignore_missing: true
- rename:
- field: threatintel.abusemalware.md5_hash
- target_field: threatintel.indicator.file.hash.md5
+ field: abusech.malware.md5_hash
+ target_field: threat.indicator.file.hash.md5
ignore_missing: true
- rename:
- field: threatintel.abusemalware.sha256_hash
- target_field: threatintel.indicator.file.hash.sha256
+ field: abusech.malware.sha256_hash
+ target_field: threat.indicator.file.hash.sha256
ignore_missing: true
- rename:
- field: threatintel.abusemalware.imphash
- target_field: threatintel.indicator.file.pe.imphash
+ field: abusech.malware.imphash
+ target_field: threat.indicator.file.pe.imphash
ignore_missing: true
- rename:
- field: threatintel.abusemalware.ssdeep
- target_field: threatintel.indicator.file.hash.ssdeep
+ field: abusech.malware.ssdeep
+ target_field: threat.indicator.file.hash.ssdeep
ignore_missing: true
- rename:
- field: threatintel.abusemalware.tlsh
- target_field: threatintel.indicator.file.hash.tlsh
+ field: abusech.malware.tlsh
+ target_field: threat.indicator.file.hash.tlsh
ignore_missing: true
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.md5 }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null
+ value: "{{{threat.indicator.file.hash.md5}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.md5 != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.sha256 }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null
+ value: "{{{threat.indicator.file.hash.sha256}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.sha256 != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.ssdeep }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null
+ value: "{{{threat.indicator.file.hash.ssdeep}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.pe.imphash }}"
- if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null
+ value: "{{{threat.indicator.file.pe.imphash}}}"
+ if: ctx?.threat?.indicator?.file?.pe?.imphash != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.tlsh }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null
+ value: "{{{threat.indicator.file.hash.tlsh}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.tlsh != null
######################
# Cleanup processors #
######################
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx?.threat?.indicator?.type == null
- script:
lang: painless
- if: ctx?.threatintel != null
+ if: ctx?.abusech != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
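Review bot: The new `fingerprint` processor derives `_id` from both `abusech.malware.md5_hash` and `abusech.malware.sha256_hash` with no `ignore_missing`, so an entry lacking either hash fails the processor and sends the whole document to `on_failure` instead of being indexed; the removed Filebeat-side `fingerprint` keyed on `md5_hash` alone. If the feed guarantees both hashes this is fine, but either add `ignore_missing: true` (accepting that such documents then get an auto-generated `_id` and are no longer deduplicated on re-fetch) or record the assumption with a comment such as `# both hashes are always present in the abuse.ch payload; a missing one drops the document`. The `json` processor on `event.original` is likewise unguarded, which is reasonable for an NDJSON feed, but a malformed line also lands in `on_failure`. The `on_failure` handler itself is outside this hunk.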
@@ -127,9 +149,14 @@ processors:
}
}
handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- remove:
field:
- - threatintel.abusemalware.firstseen
+ - abusech.malware.firstseen
- message
ignore_missing: true
on_failure:
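Review bot: With `preserve_original_event` set, the conditional `remove` of `event.original` added here keeps the raw JSON line, and that line still contains `urlhaus_download`, the direct link to the malicious sample that the earlier `remove` processor in this pipeline deliberately strips so it never appears in Kibana. Only the parsed copy under `abusech.malware` is scrubbed, so the protection the existing comment describes is silently bypassed by a documented option. Either strip that key from the raw document before it is retained (a `gsub` on `event.original` ahead of this step would do), or at minimum make the trade-off visible with a comment on the new `remove`, e.g. `# NOTE: when preserve_original_event is set, event.original still carries urlhaus_download (the direct malware link removed above)`, and mention it in the module's `preserve_original_event` var description.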
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml
index 5fe3a155180..0d755b7b38d 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml
@@ -11,6 +11,9 @@ var:
- name: tags
default: [threatintel-abusemalware, forwarded]
- name: proxy_url
+ - name: preserve_original_event
+ default: false
+ - name: http_client_timeout
ingest_pipeline:
- ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json
index 6c31b6f779c..75a4d118ba3 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json
@@ -20,15 +20,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724",
- "threatintel.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW",
- "threatintel.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:14:05.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724",
+ "threat.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW",
+ "threat.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:14:05.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -51,17 +53,22 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163",
- "threatintel.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr",
- "threatintel.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:11:41.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163",
+ "threat.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr",
+ "threat.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:11:41.000Z",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d",
+ "abusech.malware.virustotal.percent": 37.88,
+ "abusech.malware.virustotal.result": "25 / 66",
"event.category": "threat",
"event.dataset": "threatintel.abusemalware",
"event.kind": "enrichment",
@@ -82,18 +89,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d",
- "threatintel.abusemalware.virustotal.percent": "37.88",
- "threatintel.abusemalware.virustotal.result": "25 / 66",
- "threatintel.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf",
- "threatintel.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd",
- "threatintel.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:11:22.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf",
+ "threat.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd",
+ "threat.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:11:22.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -116,15 +122,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8",
- "threatintel.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH",
- "threatintel.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:11:21.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8",
+ "threat.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH",
+ "threat.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:11:21.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -146,16 +154,21 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5",
- "threatintel.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b",
- "threatintel.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR",
- "threatintel.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190",
- "threatintel.indicator.file.size": 352,
- "threatintel.indicator.file.type": "unknown",
- "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5",
+ "threat.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b",
+ "threat.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR",
+ "threat.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190",
+ "threat.indicator.file.size": 352,
+ "threat.indicator.file.type": "unknown",
+ "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0",
+ "abusech.malware.virustotal.percent": 39.13,
+ "abusech.malware.virustotal.result": "27 / 69",
"event.category": "threat",
"event.dataset": "threatintel.abusemalware",
"event.kind": "enrichment",
@@ -176,18 +189,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0",
- "threatintel.abusemalware.virustotal.percent": "39.13",
- "threatintel.abusemalware.virustotal.result": "27 / 69",
- "threatintel.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857",
- "threatintel.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH",
- "threatintel.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857",
+ "threat.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH",
+ "threat.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -210,15 +222,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba",
- "threatintel.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL",
- "threatintel.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:53.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba",
+ "threat.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL",
+ "threat.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:53.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -241,17 +255,20 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1",
- "threatintel.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg",
- "threatintel.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:41.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1",
+ "threat.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg",
+ "threat.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:41.000Z",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malware.signature": "Heodo",
"event.category": "threat",
"event.dataset": "threatintel.abusemalware",
"event.kind": "enrichment",
@@ -272,16 +289,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.abusemalware.signature": "Heodo",
- "threatintel.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1",
- "threatintel.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv",
- "threatintel.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:31.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1",
+ "threat.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv",
+ "threat.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:31.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -304,15 +322,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87",
- "threatintel.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW",
- "threatintel.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87",
+ "threat.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW",
+ "threat.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -335,15 +355,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f",
- "threatintel.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR",
- "threatintel.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f",
+ "threat.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR",
+ "threat.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -366,15 +388,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931",
- "threatintel.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7",
- "threatintel.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:06.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931",
+ "threat.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7",
+ "threat.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:06.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -397,15 +421,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672",
- "threatintel.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP",
- "threatintel.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:00.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672",
+ "threat.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP",
+ "threat.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:00.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -428,17 +454,20 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0",
- "threatintel.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo",
- "threatintel.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:06:36.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0",
+ "threat.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo",
+ "threat.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:06:36.000Z",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malware.signature": "Heodo",
"event.category": "threat",
"event.dataset": "threatintel.abusemalware",
"event.kind": "enrichment",
@@ -459,16 +488,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.abusemalware.signature": "Heodo",
- "threatintel.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991",
- "threatintel.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY",
- "threatintel.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:06:13.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991",
+ "threat.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY",
+ "threat.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:06:13.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -491,15 +521,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4",
- "threatintel.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e",
- "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk",
- "threatintel.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 280064,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:52.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4",
+ "threat.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e",
+ "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk",
+ "threat.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 280064,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:52.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -522,17 +554,20 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8",
- "threatintel.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj",
- "threatintel.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:51.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8",
+ "threat.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj",
+ "threat.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:51.000Z",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malware.signature": "Heodo",
"event.category": "threat",
"event.dataset": "threatintel.abusemalware",
"event.kind": "enrichment",
@@ -553,16 +588,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.abusemalware.signature": "Heodo",
- "threatintel.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572",
- "threatintel.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM",
- "threatintel.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:50.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572",
+ "threat.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM",
+ "threat.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:50.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -585,15 +621,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03",
- "threatintel.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js",
- "threatintel.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:36.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03",
+ "threat.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js",
+ "threat.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:36.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -616,17 +654,20 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99",
- "threatintel.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+",
- "threatintel.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:16.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99",
+ "threat.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+",
+ "threat.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:16.000Z",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malware.signature": "Heodo",
"event.category": "threat",
"event.dataset": "threatintel.abusemalware",
"event.kind": "enrichment",
@@ -647,16 +688,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.abusemalware.signature": "Heodo",
- "threatintel.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547",
- "threatintel.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/",
- "threatintel.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:15.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547",
+ "threat.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/",
+ "threat.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:15.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -679,15 +721,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7",
- "threatintel.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51",
- "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS",
- "threatintel.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 280064,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:12.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7",
+ "threat.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51",
+ "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS",
+ "threat.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 280064,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:12.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -710,15 +754,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6",
- "threatintel.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr",
- "threatintel.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:04:38.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6",
+ "threat.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr",
+ "threat.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:04:38.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -741,15 +787,17 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188",
- "threatintel.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa",
- "threatintel.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC",
- "threatintel.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5",
- "threatintel.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1",
- "threatintel.indicator.file.size": 241664,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:04:26.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188",
+ "threat.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa",
+ "threat.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC",
+ "threat.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5",
+ "threat.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1",
+ "threat.indicator.file.size": 241664,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:04:26.000Z",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -772,14 +820,16 @@
"forwarded",
"threatintel-abusemalware"
],
- "threatintel.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7",
- "threatintel.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU",
- "threatintel.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:04:20.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7",
+ "threat.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU",
+ "threat.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:04:20.000Z",
+ "threat.indicator.type": "file"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml
index a93f91d339c..f407bb8d615 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: abuseurl
+- name: abusech.url
type: group
description: >
Fields for AbuseCH Malware Threat Intel
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
index da01bc61c40..f577594ec06 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
@@ -11,10 +11,6 @@ request.ssl: {{ .ssl | tojson }}
request.proxy_url: {{ .proxy_url }}
{{ end }}
request.url: {{ .url }}
-request.transforms:
-- set:
- target: header.Content-Type
- value: application/json
response.split:
target: body.urls
@@ -30,17 +26,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields: ["json.id"]
- target_field: "@metadata._id"
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
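Review bot: The per-tag emission `- {{$val}}` writes every user-supplied tag as a plain YAML scalar, so a tag that looks like a boolean, number or date (`no`, `2021-01-14`) is retyped by the YAML parser and one containing `: ` or ` #` breaks the list, whereas the replaced `tags: {{.tags | tojson}}` was immune to this. Since `tojson` is already in this template's function set, `- {{$val | tojson}}` (or `- "{{$val}}"`) keeps the old type-safety for each entry. A second, smaller point: when `.tags` is empty and `preserve_original_event` is false the rendered output is a bare `tags:`, which parses as null rather than an empty list, so it is worth confirming the input config accepts that.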
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
index bf674ba2c88..f762db7351e 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
@@ -1,3 +1,4 @@
+---
description: Pipeline for parsing Abuse.ch URL Threat Intel
processors:
####################
@@ -6,6 +7,9 @@ processors:
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
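Review bot: The new `ecs.version` value `"1.12"` drops the patch component that the removed `add_fields` processor in config.yml set (`ecs.version: 1.12.0`), so documents from this module now carry a differently shaped version string than before. If the sibling modules touched by this change keep the three-part form, this one should match so the field stays comparable across the index; if the two-part form is the new convention, a short comment above the set processor would save the next reader the same question.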
@@ -20,62 +24,75 @@ processors:
# General ECS fields #
######################
- rename:
- field: json
- target_field: threatintel.abuseurl
+ field: message
+ target_field: event.original
ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.url
+ - fingerprint:
+ fields:
+ - abusech.url.id
+ target_field: "_id"
#####################
# Threat ECS Fields #
#####################
- set:
- field: threatintel.indicator.type
+ field: threat.feed.name
+ value: "[Filebeat] AbuseCH URL"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
+ - set:
+ field: threat.indicator.type
value: url
- date:
- field: threatintel.abuseurl.date_added
- target_field: threatintel.indicator.first_seen
+ field: abusech.url.date_added
+ target_field: threat.indicator.first_seen
formats:
- "yyyy-MM-dd HH:mm:ss z"
- "yyyy-MM-dd HH:mm:ss Z"
- if: "ctx?.threatintel?.abuseurl?.date_added != null"
+ if: "ctx.abusech?.url?.date_added != null"
- uri_parts:
- field: threatintel.abuseurl.url
- target_field: threatintel.indicator.url
+ field: abusech.url.url
+ target_field: threat.indicator.url
keep_original: true
remove_if_successful: true
- set:
- field: threatintel.indicator.url.full
- value: "{{{threatintel.indicator.url.original}}}"
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
ignore_empty_value: true
- rename:
- field: threatintel.abuseurl.urlhaus_reference
- target_field: threatintel.indicator.reference
+ field: abusech.url.urlhaus_reference
+ target_field: threat.indicator.reference
ignore_missing: true
# Host can be both IP addresses and domain names
- grok:
- field: threatintel.abuseurl.host
+ field: abusech.url.host
patterns:
- - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})"
+ - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})"
ignore_failure: true
- rename:
- field: threatintel.abuseurl.reporter
- target_field: threatintel.indicator.provider
+ field: abusech.url.reporter
+ target_field: threat.indicator.provider
ignore_missing: true
######################
# Cleanup processors #
######################
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx?.threat?.indicator?.type == null
- convert:
- field: threatintel.abuseurl.larted
+ field: abusech.url.larted
type: boolean
ignore_missing: true
- script:
lang: painless
- if: ctx?.threatintel != null
+ if: ctx?.abusech != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
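Review bot: The fingerprint processor near the top of the hunk derives `_id` from `abusech.url.id` without `ignore_missing`, so a feed record lacking `id` fails the whole pipeline and lands in the file's `on_failure` handler instead of being indexed with an auto-generated id; the removed Filebeat-side fingerprint appears to have had the same dependence, but now that the choice lives in the pipeline it should be explicit, either with `ignore_missing: true` or a one-line comment stating that records without `id` are meant to be rejected. The `json` processor just before it likewise has no error handling and relies on the trailing `on_failure` block; a comment saying so would make that deliberate. A style point: the date processor's condition `if: "ctx.abusech?.url?.date_added != null"` uses `ctx.` while every other condition in the hunk uses `ctx?.`; both work because `ctx` is never null, but one form should be used file-wide. The painless script whose `source:` begins at the bottom of the hunk continues outside it.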
@@ -97,11 +114,16 @@ processors:
}
}
handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- remove:
field:
- - threatintel.abuseurl.date_added
- - threatintel.abuseurl.url
- - threatintel.abuseurl.host
+ - abusech.url.date_added
+ - abusech.url.url
+ - abusech.url.host
- message
ignore_missing: true
on_failure:
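Review bot: The `- message` entry in the final remove list is now dead code: the earlier hunk in this file renames `message` to `event.original` before any other processor runs, so by this point `message` never exists and only `ignore_missing: true` keeps the entry from failing. Dropping `- message` from the list makes the cleanup stage reflect what the pipeline actually does, and the conditional remove of `event.original` added just above is then the only place the raw feed payload is discarded.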
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml
index 13b5e663c4a..2f71ad88253 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml
@@ -11,6 +11,8 @@ var:
- name: tags
default: [threatintel-abuseurls, forwarded]
- name: proxy_url
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
index 3b312440b34..c76728b3c16 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
@@ -1,5 +1,15 @@
[
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961548",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "Mozi",
+ "elf"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -13,30 +23,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961548",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:19:13.000Z",
+ "threat.indicator.ip": "103.72.223.103",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961548/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "103.72.223.103",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://103.72.223.103:34613/Mozi.m",
+ "threat.indicator.url.original": "http://103.72.223.103:34613/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34613,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961546",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:19:13.000Z",
- "threatintel.indicator.ip": "103.72.223.103",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961548/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "103.72.223.103",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://103.72.223.103:34613/Mozi.m",
- "threatintel.indicator.url.original": "http://103.72.223.103:34613/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34613,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -50,30 +62,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961546",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z",
+ "threat.indicator.ip": "112.30.97.184",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961546/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "112.30.97.184",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://112.30.97.184:44941/Mozi.m",
+ "threat.indicator.url.original": "http://112.30.97.184:44941/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 44941,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961547",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z",
- "threatintel.indicator.ip": "112.30.97.184",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961546/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "112.30.97.184",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://112.30.97.184:44941/Mozi.m",
- "threatintel.indicator.url.original": "http://112.30.97.184:44941/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 44941,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -87,30 +101,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961547",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z",
+ "threat.indicator.ip": "113.110.198.53",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961547/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "113.110.198.53",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://113.110.198.53:37173/Mozi.m",
+ "threat.indicator.url.original": "http://113.110.198.53:37173/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 37173,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961545",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z",
- "threatintel.indicator.ip": "113.110.198.53",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961547/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "113.110.198.53",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://113.110.198.53:37173/Mozi.m",
- "threatintel.indicator.url.original": "http://113.110.198.53:37173/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 37173,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -124,30 +140,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961545",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:19:04.000Z",
+ "threat.indicator.ip": "101.20.183.170",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961545/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "101.20.183.170",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://101.20.183.170:47545/Mozi.m",
+ "threat.indicator.url.original": "http://101.20.183.170:47545/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 47545,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961544",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:19:04.000Z",
- "threatintel.indicator.ip": "101.20.183.170",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961545/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "101.20.183.170",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://101.20.183.170:47545/Mozi.m",
- "threatintel.indicator.url.original": "http://101.20.183.170:47545/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 47545,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -161,30 +179,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961544",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:07.000Z",
+ "threat.indicator.ip": "59.8.35.22",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961544/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "59.8.35.22",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://59.8.35.22:44782/Mozi.a",
+ "threat.indicator.url.original": "http://59.8.35.22:44782/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 44782,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961543",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:07.000Z",
- "threatintel.indicator.ip": "59.8.35.22",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961544/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "59.8.35.22",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://59.8.35.22:44782/Mozi.a",
- "threatintel.indicator.url.original": "http://59.8.35.22:44782/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 44782,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -198,30 +218,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961543",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:06.000Z",
+ "threat.indicator.ip": "59.96.37.35",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961543/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "59.96.37.35",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://59.96.37.35:44359/Mozi.a",
+ "threat.indicator.url.original": "http://59.96.37.35:44359/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 44359,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961540",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:06.000Z",
- "threatintel.indicator.ip": "59.96.37.35",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961543/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "59.96.37.35",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://59.96.37.35:44359/Mozi.a",
- "threatintel.indicator.url.original": "http://59.96.37.35:44359/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 44359,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -235,30 +257,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961540",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "42.239.233.17",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961540/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.239.233.17",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.239.233.17:56507/Mozi.m",
+ "threat.indicator.url.original": "http://42.239.233.17:56507/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 56507,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961541",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "42.239.233.17",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961540/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.239.233.17",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.239.233.17:56507/Mozi.m",
- "threatintel.indicator.url.original": "http://42.239.233.17:56507/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 56507,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -272,30 +296,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961541",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "58.252.178.20",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961541/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "58.252.178.20",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://58.252.178.20:57562/Mozi.m",
+ "threat.indicator.url.original": "http://58.252.178.20:57562/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 57562,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961542",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "58.252.178.20",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961541/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "58.252.178.20",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://58.252.178.20:57562/Mozi.m",
- "threatintel.indicator.url.original": "http://58.252.178.20:57562/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 57562,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -309,30 +335,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961542",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "45.176.111.95",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961542/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "45.176.111.95",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://45.176.111.95:48845/Mozi.m",
+ "threat.indicator.url.original": "http://45.176.111.95:48845/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 48845,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961539",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "45.176.111.95",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961542/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "45.176.111.95",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://45.176.111.95:48845/Mozi.m",
- "threatintel.indicator.url.original": "http://45.176.111.95:48845/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 48845,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -346,30 +374,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961539",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:04.000Z",
+ "threat.indicator.ip": "42.224.68.97",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961539/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.224.68.97",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.224.68.97:58245/Mozi.m",
+ "threat.indicator.url.original": "http://42.224.68.97:58245/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 58245,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961538",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:04.000Z",
- "threatintel.indicator.ip": "42.224.68.97",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961539/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.224.68.97",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.224.68.97:58245/Mozi.m",
- "threatintel.indicator.url.original": "http://42.224.68.97:58245/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 58245,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -383,30 +413,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961538",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:08.000Z",
+ "threat.indicator.ip": "222.81.144.207",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961538/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "222.81.144.207",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://222.81.144.207:37198/Mozi.m",
+ "threat.indicator.url.original": "http://222.81.144.207:37198/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 37198,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961537",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:08.000Z",
- "threatintel.indicator.ip": "222.81.144.207",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961538/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "222.81.144.207",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://222.81.144.207:37198/Mozi.m",
- "threatintel.indicator.url.original": "http://222.81.144.207:37198/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 37198,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -420,30 +452,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961537",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:06.000Z",
+ "threat.indicator.ip": "182.127.185.137",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961537/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.127.185.137",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://182.127.185.137:33524/Mozi.m",
+ "threat.indicator.url.original": "http://182.127.185.137:33524/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 33524,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961531",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:06.000Z",
- "threatintel.indicator.ip": "182.127.185.137",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961537/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.127.185.137",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://182.127.185.137:33524/Mozi.m",
- "threatintel.indicator.url.original": "http://182.127.185.137:33524/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 33524,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -457,30 +491,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961531",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "39.84.175.185",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961531/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "39.84.175.185",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://39.84.175.185:48261/Mozi.a",
+ "threat.indicator.url.original": "http://39.84.175.185:48261/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 48261,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961532",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "39.84.175.185",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961531/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "39.84.175.185",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://39.84.175.185:48261/Mozi.a",
- "threatintel.indicator.url.original": "http://39.84.175.185:48261/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 48261,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -494,30 +530,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961532",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "27.41.11.238",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961532/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "27.41.11.238",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://27.41.11.238:34478/Mozi.m",
+ "threat.indicator.url.original": "http://27.41.11.238:34478/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34478,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961533",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "27.41.11.238",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961532/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "27.41.11.238",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://27.41.11.238:34478/Mozi.m",
- "threatintel.indicator.url.original": "http://27.41.11.238:34478/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34478,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -531,30 +569,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961533",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "182.127.133.68",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961533/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.127.133.68",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://182.127.133.68:35703/Mozi.a",
+ "threat.indicator.url.original": "http://182.127.133.68:35703/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 35703,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961534",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "182.127.133.68",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961533/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.127.133.68",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://182.127.133.68:35703/Mozi.a",
- "threatintel.indicator.url.original": "http://182.127.133.68:35703/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 35703,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -568,30 +608,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961534",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "27.46.44.102",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961534/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "27.46.44.102",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://27.46.44.102:48666/Mozi.m",
+ "threat.indicator.url.original": "http://27.46.44.102:48666/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 48666,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961535",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "27.46.44.102",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961534/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "27.46.44.102",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://27.46.44.102:48666/Mozi.m",
- "threatintel.indicator.url.original": "http://27.46.44.102:48666/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 48666,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -605,30 +647,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961535",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "39.70.88.65",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961535/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "39.70.88.65",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://39.70.88.65:53923/Mozi.m",
+ "threat.indicator.url.original": "http://39.70.88.65:53923/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 53923,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961536",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "39.70.88.65",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961535/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "39.70.88.65",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://39.70.88.65:53923/Mozi.m",
- "threatintel.indicator.url.original": "http://39.70.88.65:53923/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 53923,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -642,30 +686,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961536",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "42.224.136.237",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961536/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.224.136.237",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.224.136.237:52794/Mozi.m",
+ "threat.indicator.url.original": "http://42.224.136.237:52794/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 52794,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961530",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "42.224.136.237",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961536/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.224.136.237",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.224.136.237:52794/Mozi.m",
- "threatintel.indicator.url.original": "http://42.224.136.237:52794/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 52794,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -679,30 +725,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961530",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:05:34.000Z",
+ "threat.indicator.ip": "117.208.135.63",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961530/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "117.208.135.63",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://117.208.135.63:49312/Mozi.a",
+ "threat.indicator.url.original": "http://117.208.135.63:49312/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 49312,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961525",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T21:05:34.000Z",
- "threatintel.indicator.ip": "117.208.135.63",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961530/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "117.208.135.63",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://117.208.135.63:49312/Mozi.a",
- "threatintel.indicator.url.original": "http://117.208.135.63:49312/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 49312,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -716,30 +764,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961525",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z",
+ "threat.indicator.ip": "125.47.66.60",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961525/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "125.47.66.60",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://125.47.66.60:38961/Mozi.m",
+ "threat.indicator.url.original": "http://125.47.66.60:38961/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 38961,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961526",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z",
- "threatintel.indicator.ip": "125.47.66.60",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961525/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "125.47.66.60",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://125.47.66.60:38961/Mozi.m",
- "threatintel.indicator.url.original": "http://125.47.66.60:38961/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 38961,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -753,30 +803,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961526",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z",
+ "threat.indicator.ip": "182.117.95.148",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961526/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.117.95.148",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://182.117.95.148:50420/Mozi.a",
+ "threat.indicator.url.original": "http://182.117.95.148:50420/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 50420,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961527",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z",
- "threatintel.indicator.ip": "182.117.95.148",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961526/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.117.95.148",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://182.117.95.148:50420/Mozi.a",
- "threatintel.indicator.url.original": "http://182.117.95.148:50420/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 50420,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -790,30 +842,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961527",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z",
+ "threat.indicator.ip": "117.202.71.48",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961527/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "117.202.71.48",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://117.202.71.48:55007/Mozi.m",
+ "threat.indicator.url.original": "http://117.202.71.48:55007/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 55007,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961528",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z",
- "threatintel.indicator.ip": "117.202.71.48",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961527/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "117.202.71.48",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://117.202.71.48:55007/Mozi.m",
- "threatintel.indicator.url.original": "http://117.202.71.48:55007/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 55007,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -827,30 +881,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961528",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z",
+ "threat.indicator.ip": "125.99.132.118",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961528/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "125.99.132.118",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://125.99.132.118:51143/Mozi.m",
+ "threat.indicator.url.original": "http://125.99.132.118:51143/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 51143,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961529",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z",
- "threatintel.indicator.ip": "125.99.132.118",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961528/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "125.99.132.118",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://125.99.132.118:51143/Mozi.m",
- "threatintel.indicator.url.original": "http://125.99.132.118:51143/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 51143,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -864,30 +920,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961529",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi",
- "elf"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z",
- "threatintel.indicator.ip": "182.114.123.69",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961529/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.114.123.69",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://182.114.123.69:41003/Mozi.m",
- "threatintel.indicator.url.original": "http://182.114.123.69:41003/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 41003,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z",
+ "threat.indicator.ip": "182.114.123.69",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961529/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.114.123.69",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://182.114.123.69:41003/Mozi.m",
+ "threat.indicator.url.original": "http://182.114.123.69:41003/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 41003,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961524",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -901,29 +958,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961524",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:38.000Z",
- "threatintel.indicator.ip": "116.19.127.37",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961524/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "116.19.127.37",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://116.19.127.37:35739/Mozi.m",
- "threatintel.indicator.url.original": "http://116.19.127.37:35739/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 35739,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:38.000Z",
+ "threat.indicator.ip": "116.19.127.37",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961524/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "116.19.127.37",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://116.19.127.37:35739/Mozi.m",
+ "threat.indicator.url.original": "http://116.19.127.37:35739/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 35739,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961523",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -937,29 +996,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961523",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:36.000Z",
- "threatintel.indicator.ip": "42.239.253.55",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961523/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.239.253.55",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.239.253.55:45653/Mozi.m",
- "threatintel.indicator.url.original": "http://42.239.253.55:45653/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 45653,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:36.000Z",
+ "threat.indicator.ip": "42.239.253.55",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961523/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.239.253.55",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.239.253.55:45653/Mozi.m",
+ "threat.indicator.url.original": "http://42.239.253.55:45653/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 45653,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961520",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -973,29 +1034,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961520",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z",
- "threatintel.indicator.ip": "103.217.121.228",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961520/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "103.217.121.228",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://103.217.121.228:41349/Mozi.m",
- "threatintel.indicator.url.original": "http://103.217.121.228:41349/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 41349,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z",
+ "threat.indicator.ip": "103.217.121.228",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961520/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "103.217.121.228",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://103.217.121.228:41349/Mozi.m",
+ "threat.indicator.url.original": "http://103.217.121.228:41349/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 41349,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961521",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1009,29 +1072,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961521",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z",
- "threatintel.indicator.ip": "111.92.81.255",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961521/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "111.92.81.255",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://111.92.81.255:48586/Mozi.m",
- "threatintel.indicator.url.original": "http://111.92.81.255:48586/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 48586,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z",
+ "threat.indicator.ip": "111.92.81.255",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961521/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "111.92.81.255",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://111.92.81.255:48586/Mozi.m",
+ "threat.indicator.url.original": "http://111.92.81.255:48586/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 48586,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961522",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1045,29 +1110,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961522",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z",
- "threatintel.indicator.ip": "45.229.55.75",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961522/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "45.229.55.75",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://45.229.55.75:38111/Mozi.m",
- "threatintel.indicator.url.original": "http://45.229.55.75:38111/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 38111,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z",
+ "threat.indicator.ip": "45.229.55.75",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961522/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "45.229.55.75",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://45.229.55.75:38111/Mozi.m",
+ "threat.indicator.url.original": "http://45.229.55.75:38111/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 38111,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961518",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1081,29 +1148,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961518",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z",
- "threatintel.indicator.ip": "182.121.242.148",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961518/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.121.242.148",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://182.121.242.148:34556/Mozi.m",
- "threatintel.indicator.url.original": "http://182.121.242.148:34556/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34556,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z",
+ "threat.indicator.ip": "182.121.242.148",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961518/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.121.242.148",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://182.121.242.148:34556/Mozi.m",
+ "threat.indicator.url.original": "http://182.121.242.148:34556/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34556,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961519",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi",
+ "elf"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1117,30 +1187,33 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961519",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi",
- "elf"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z",
- "threatintel.indicator.ip": "106.115.189.249",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961519/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "106.115.189.249",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://106.115.189.249:59815/Mozi.m",
- "threatintel.indicator.url.original": "http://106.115.189.249:59815/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 59815,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z",
+ "threat.indicator.ip": "106.115.189.249",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961519/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "106.115.189.249",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://106.115.189.249:59815/Mozi.m",
+ "threat.indicator.url.original": "http://106.115.189.249:59815/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 59815,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961516",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "32-bit",
+ "elf",
+ "mips"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1154,31 +1227,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961516",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "32-bit",
- "elf",
- "mips"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z",
- "threatintel.indicator.ip": "182.117.93.110",
- "threatintel.indicator.provider": "geenensp",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961516/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.117.93.110",
- "threatintel.indicator.url.extension": "sh",
- "threatintel.indicator.url.full": "http://182.117.93.110:50587/bin.sh",
- "threatintel.indicator.url.original": "http://182.117.93.110:50587/bin.sh",
- "threatintel.indicator.url.path": "/bin.sh",
- "threatintel.indicator.url.port": 50587,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z",
+ "threat.indicator.ip": "182.117.93.110",
+ "threat.indicator.provider": "geenensp",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961516/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.117.93.110",
+ "threat.indicator.url.extension": "sh",
+ "threat.indicator.url.full": "http://182.117.93.110:50587/bin.sh",
+ "threat.indicator.url.original": "http://182.117.93.110:50587/bin.sh",
+ "threat.indicator.url.path": "/bin.sh",
+ "threat.indicator.url.port": 50587,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961517",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi",
+ "elf"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1192,30 +1266,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961517",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi",
- "elf"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z",
- "threatintel.indicator.ip": "110.251.5.169",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961517/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "110.251.5.169",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://110.251.5.169:48322/Mozi.m",
- "threatintel.indicator.url.original": "http://110.251.5.169:48322/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 48322,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z",
+ "threat.indicator.ip": "110.251.5.169",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961517/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "110.251.5.169",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://110.251.5.169:48322/Mozi.m",
+ "threat.indicator.url.original": "http://110.251.5.169:48322/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 48322,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961515",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1229,29 +1304,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961515",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:06.000Z",
- "threatintel.indicator.ip": "101.51.117.186",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961515/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "101.51.117.186",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://101.51.117.186:33317/Mozi.m",
- "threatintel.indicator.url.original": "http://101.51.117.186:33317/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 33317,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:06.000Z",
+ "threat.indicator.ip": "101.51.117.186",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961515/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "101.51.117.186",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://101.51.117.186:33317/Mozi.m",
+ "threat.indicator.url.original": "http://101.51.117.186:33317/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 33317,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961513",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1265,29 +1342,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961513",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z",
- "threatintel.indicator.ip": "121.151.78.166",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961513/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "121.151.78.166",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://121.151.78.166:41516/Mozi.m",
- "threatintel.indicator.url.original": "http://121.151.78.166:41516/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 41516,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z",
+ "threat.indicator.ip": "121.151.78.166",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961513/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "121.151.78.166",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://121.151.78.166:41516/Mozi.m",
+ "threat.indicator.url.original": "http://121.151.78.166:41516/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 41516,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961514",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1301,29 +1380,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961514",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z",
- "threatintel.indicator.ip": "116.72.92.97",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961514/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "116.72.92.97",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://116.72.92.97:57798/Mozi.m",
- "threatintel.indicator.url.original": "http://116.72.92.97:57798/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 57798,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z",
+ "threat.indicator.ip": "116.72.92.97",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961514/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "116.72.92.97",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://116.72.92.97:57798/Mozi.m",
+ "threat.indicator.url.original": "http://116.72.92.97:57798/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 57798,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961509",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1337,29 +1418,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961509",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "27.218.15.209",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961509/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "27.218.15.209",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://27.218.15.209:47671/Mozi.m",
- "threatintel.indicator.url.original": "http://27.218.15.209:47671/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 47671,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "27.218.15.209",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961509/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "27.218.15.209",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://27.218.15.209:47671/Mozi.m",
+ "threat.indicator.url.original": "http://27.218.15.209:47671/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 47671,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961510",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1373,29 +1456,33 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961510",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "120.85.171.210",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961510/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "120.85.171.210",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://120.85.171.210:57690/Mozi.m",
- "threatintel.indicator.url.original": "http://120.85.171.210:57690/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 57690,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "120.85.171.210",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961510/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "120.85.171.210",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://120.85.171.210:57690/Mozi.m",
+ "threat.indicator.url.original": "http://120.85.171.210:57690/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 57690,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961511",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "32-bit",
+ "elf",
+ "mips"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1409,30 +1496,30 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961511",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "32-bit",
- "elf",
- "mips"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "117.251.59.53",
- "threatintel.indicator.provider": "geenensp",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961511/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "117.251.59.53",
- "threatintel.indicator.url.full": "http://117.251.59.53:50611/i",
- "threatintel.indicator.url.original": "http://117.251.59.53:50611/i",
- "threatintel.indicator.url.path": "/i",
- "threatintel.indicator.url.port": 50611,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "117.251.59.53",
+ "threat.indicator.provider": "geenensp",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961511/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "117.251.59.53",
+ "threat.indicator.url.full": "http://117.251.59.53:50611/i",
+ "threat.indicator.url.original": "http://117.251.59.53:50611/i",
+ "threat.indicator.url.path": "/i",
+ "threat.indicator.url.port": 50611,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961512",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1446,29 +1533,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961512",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "115.58.83.167",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961512/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "115.58.83.167",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://115.58.83.167:34141/Mozi.m",
- "threatintel.indicator.url.original": "http://115.58.83.167:34141/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34141,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "115.58.83.167",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961512/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "115.58.83.167",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://115.58.83.167:34141/Mozi.m",
+ "threat.indicator.url.original": "http://115.58.83.167:34141/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34141,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961507",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi",
+ "elf"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1482,30 +1572,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961507",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z",
+ "threat.indicator.ip": "94.178.124.83",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961507/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "94.178.124.83",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://94.178.124.83:44399/Mozi.m",
+ "threat.indicator.url.original": "http://94.178.124.83:44399/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 44399,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961508",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z",
- "threatintel.indicator.ip": "94.178.124.83",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961507/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "94.178.124.83",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://94.178.124.83:44399/Mozi.m",
- "threatintel.indicator.url.original": "http://94.178.124.83:44399/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 44399,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1519,30 +1611,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961508",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z",
+ "threat.indicator.ip": "182.122.75.232",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961508/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.122.75.232",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://182.122.75.232:49120/Mozi.m",
+ "threat.indicator.url.original": "http://182.122.75.232:49120/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 49120,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961506",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z",
- "threatintel.indicator.ip": "182.122.75.232",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961508/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.122.75.232",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://182.122.75.232:49120/Mozi.m",
- "threatintel.indicator.url.original": "http://182.122.75.232:49120/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 49120,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1556,30 +1650,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961506",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:07.000Z",
+ "threat.indicator.ip": "115.63.202.43",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961506/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "115.63.202.43",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://115.63.202.43:51136/Mozi.m",
+ "threat.indicator.url.original": "http://115.63.202.43:51136/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 51136,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961504",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:07.000Z",
- "threatintel.indicator.ip": "115.63.202.43",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961506/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "115.63.202.43",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://115.63.202.43:51136/Mozi.m",
- "threatintel.indicator.url.original": "http://115.63.202.43:51136/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 51136,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1593,30 +1689,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961504",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z",
+ "threat.indicator.ip": "59.99.40.204",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961504/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "59.99.40.204",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://59.99.40.204:45773/Mozi.m",
+ "threat.indicator.url.original": "http://59.99.40.204:45773/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 45773,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961505",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z",
- "threatintel.indicator.ip": "59.99.40.204",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961504/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "59.99.40.204",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://59.99.40.204:45773/Mozi.m",
- "threatintel.indicator.url.original": "http://59.99.40.204:45773/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 45773,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1630,30 +1728,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961505",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z",
+ "threat.indicator.ip": "117.247.128.213",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961505/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "117.247.128.213",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://117.247.128.213:56528/Mozi.m",
+ "threat.indicator.url.original": "http://117.247.128.213:56528/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 56528,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961500",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z",
- "threatintel.indicator.ip": "117.247.128.213",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961505/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "117.247.128.213",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://117.247.128.213:56528/Mozi.m",
- "threatintel.indicator.url.original": "http://117.247.128.213:56528/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 56528,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1667,30 +1767,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961500",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threat.indicator.ip": "14.137.219.132",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961500/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "14.137.219.132",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://14.137.219.132:44427/Mozi.a",
+ "threat.indicator.url.original": "http://14.137.219.132:44427/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 44427,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961501",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
- "threatintel.indicator.ip": "14.137.219.132",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961500/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "14.137.219.132",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://14.137.219.132:44427/Mozi.a",
- "threatintel.indicator.url.original": "http://14.137.219.132:44427/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 44427,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1704,30 +1806,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961501",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threat.indicator.ip": "42.224.40.14",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961501/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.224.40.14",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.224.40.14:36134/Mozi.m",
+ "threat.indicator.url.original": "http://42.224.40.14:36134/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 36134,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961502",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
- "threatintel.indicator.ip": "42.224.40.14",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961501/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.224.40.14",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.224.40.14:36134/Mozi.m",
- "threatintel.indicator.url.original": "http://42.224.40.14:36134/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 36134,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1741,30 +1845,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961502",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threat.indicator.ip": "186.33.104.107",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961502/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "186.33.104.107",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://186.33.104.107:43973/Mozi.m",
+ "threat.indicator.url.original": "http://186.33.104.107:43973/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 43973,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961503",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
- "threatintel.indicator.ip": "186.33.104.107",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961502/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "186.33.104.107",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://186.33.104.107:43973/Mozi.m",
- "threatintel.indicator.url.original": "http://186.33.104.107:43973/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 43973,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1778,30 +1884,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961503",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threat.indicator.ip": "85.105.16.154",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961503/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "85.105.16.154",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://85.105.16.154:41319/Mozi.m",
+ "threat.indicator.url.original": "http://85.105.16.154:41319/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 41319,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961496",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
- "threatintel.indicator.ip": "85.105.16.154",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961503/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "85.105.16.154",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://85.105.16.154:41319/Mozi.m",
- "threatintel.indicator.url.original": "http://85.105.16.154:41319/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 41319,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1815,30 +1923,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961496",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threat.indicator.ip": "178.141.73.115",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961496/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "178.141.73.115",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://178.141.73.115:51847/Mozi.a",
+ "threat.indicator.url.original": "http://178.141.73.115:51847/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 51847,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961497",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
- "threatintel.indicator.ip": "178.141.73.115",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961496/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "178.141.73.115",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://178.141.73.115:51847/Mozi.a",
- "threatintel.indicator.url.original": "http://178.141.73.115:51847/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 51847,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1852,30 +1962,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961497",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threat.indicator.ip": "186.33.104.135",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961497/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "186.33.104.135",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://186.33.104.135:54469/Mozi.m",
+ "threat.indicator.url.original": "http://186.33.104.135:54469/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 54469,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961498",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
- "threatintel.indicator.ip": "186.33.104.135",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961497/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "186.33.104.135",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://186.33.104.135:54469/Mozi.m",
- "threatintel.indicator.url.original": "http://186.33.104.135:54469/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 54469,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1889,30 +2001,32 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961498",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threat.indicator.ip": "115.56.159.43",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961498/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "115.56.159.43",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://115.56.159.43:34547/Mozi.m",
+ "threat.indicator.url.original": "http://115.56.159.43:34547/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34547,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961499",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
"Mozi",
"elf"
],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
- "threatintel.indicator.ip": "115.56.159.43",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961498/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "115.56.159.43",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://115.56.159.43:34547/Mozi.m",
- "threatintel.indicator.url.original": "http://115.56.159.43:34547/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34547,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1926,30 +2040,31 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961499",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi",
- "elf"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
- "threatintel.indicator.ip": "42.230.138.170",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961499/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.230.138.170",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.230.138.170:33932/Mozi.m",
- "threatintel.indicator.url.original": "http://42.230.138.170:33932/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 33932,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threat.indicator.ip": "42.230.138.170",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961499/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.230.138.170",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.230.138.170:33932/Mozi.m",
+ "threat.indicator.url.original": "http://42.230.138.170:33932/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 33932,
+ "threat.indicator.url.scheme": "http"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961494",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1963,27 +2078,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961494",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961494/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg",
- "threatintel.indicator.url.path": "/viro/02478080035/blank.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961494/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg",
+ "threat.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg",
+ "threat.indicator.url.path": "/viro/02478080035/blank.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961495",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -1997,27 +2114,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961495",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961495/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png",
- "threatintel.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961495/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png",
+ "threat.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png",
+ "threat.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961492",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2031,27 +2150,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961492",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961492/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg",
- "threatintel.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961492/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg",
+ "threat.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961493",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2065,27 +2186,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961493",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961493/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "letonguesc.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css",
- "threatintel.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css",
- "threatintel.indicator.url.path": "/leto/02328510512/logo.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961493/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "letonguesc.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css",
+ "threat.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css",
+ "threat.indicator.url.path": "/leto/02328510512/logo.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961490",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2099,27 +2222,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961490",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961490/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png",
- "threatintel.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961490/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png",
+ "threat.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png",
+ "threat.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961491",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2133,27 +2258,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961491",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961491/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css",
- "threatintel.indicator.url.path": "/minu/12875710159/blank.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961491/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css",
+ "threat.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css",
+ "threat.indicator.url.path": "/minu/12875710159/blank.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961489",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2167,27 +2294,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961489",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:41.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961489/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif",
- "threatintel.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:41.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961489/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif",
+ "threat.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif",
+ "threat.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961488",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2201,27 +2330,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961488",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:40.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961488/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png",
- "threatintel.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:40.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961488/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png",
+ "threat.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961487",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2235,27 +2366,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961487",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:17.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961487/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
- "threatintel.indicator.url.path": "/bella/01844510469/1x1.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:17.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961487/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
+ "threat.indicator.url.path": "/bella/01844510469/1x1.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961485",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2269,27 +2402,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961485",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961485/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
- "threatintel.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961485/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
+ "threat.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961486",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2303,27 +2438,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961486",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961486/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "letonguesc.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
- "threatintel.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
- "threatintel.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961486/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "letonguesc.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
+ "threat.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
+ "threat.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961482",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2337,27 +2474,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961482",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961482/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css",
- "threatintel.indicator.url.path": "/viro/06389650018/it.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961482/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css",
+ "threat.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css",
+ "threat.indicator.url.path": "/viro/06389650018/it.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961483",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2371,27 +2510,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961483",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961483/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
- "threatintel.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961483/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
+ "threat.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961484",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2405,27 +2546,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961484",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961484/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
- "threatintel.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961484/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
+ "threat.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
+ "threat.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961480",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2439,27 +2582,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961480",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961480/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
- "threatintel.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961480/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
+ "threat.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
+ "threat.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961481",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2473,27 +2618,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961481",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961481/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg",
- "threatintel.indicator.url.path": "/minu/15578761007/maps.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961481/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg",
+ "threat.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg",
+ "threat.indicator.url.path": "/minu/15578761007/maps.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961478",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2507,27 +2654,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961478",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961478/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png",
- "threatintel.indicator.url.path": "/viro/03079590133/1x1.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961478/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png",
+ "threat.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png",
+ "threat.indicator.url.path": "/viro/03079590133/1x1.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961479",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2541,27 +2690,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961479",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961479/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
- "threatintel.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961479/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
+ "threat.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961476",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2575,27 +2726,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961476",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961476/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
- "threatintel.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961476/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
+ "threat.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
+ "threat.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961477",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2609,27 +2762,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961477",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961477/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
- "threatintel.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961477/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
+ "threat.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961470",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2643,27 +2798,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961470",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961470/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
- "threatintel.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961470/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
+ "threat.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
+ "threat.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961471",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2677,27 +2834,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961471",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961471/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "fhivelifestyle.online",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
- "threatintel.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
- "threatintel.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961471/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "fhivelifestyle.online",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
+ "threat.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
+ "threat.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961472",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2711,27 +2870,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961472",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961472/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css",
- "threatintel.indicator.url.path": "/bella/05739900487/1x1.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961472/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css",
+ "threat.indicator.url.path": "/bella/05739900487/1x1.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961473",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2745,27 +2906,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961473",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961473/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css",
- "threatintel.indicator.url.path": "/bella/01767180597/map.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961473/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css",
+ "threat.indicator.url.path": "/bella/01767180597/map.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961474",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2779,27 +2942,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961474",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961474/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css",
- "threatintel.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961474/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css",
+ "threat.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961475",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2813,27 +2978,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961475",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961475/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css",
- "threatintel.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961475/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css",
+ "threat.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css",
+ "threat.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961468",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2847,27 +3014,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961468",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961468/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg",
- "threatintel.indicator.url.path": "/minu/08035410722/logo.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961468/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg",
+ "threat.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg",
+ "threat.indicator.url.path": "/minu/08035410722/logo.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961469",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2881,27 +3050,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961469",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961469/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css",
- "threatintel.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961469/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css",
+ "threat.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css",
+ "threat.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961467",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2915,27 +3086,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961467",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:13.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961467/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "letonguesc.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png",
- "threatintel.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png",
- "threatintel.indicator.url.path": "/leto/03253350239/1x1.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:13.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961467/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "letonguesc.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png",
+ "threat.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png",
+ "threat.indicator.url.path": "/leto/03253350239/1x1.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961464",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2949,27 +3122,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961464",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961464/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css",
- "threatintel.indicator.url.path": "/ladi/10582470158/uk.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961464/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css",
+ "threat.indicator.url.path": "/ladi/10582470158/uk.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961465",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -2983,27 +3158,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961465",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961465/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css",
- "threatintel.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961465/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css",
+ "threat.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961466",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3017,27 +3194,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961466",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961466/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "letonguesc.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg",
- "threatintel.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg",
- "threatintel.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961466/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "letonguesc.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg",
+ "threat.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg",
+ "threat.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961461",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3051,27 +3230,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961461",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961461/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png",
- "threatintel.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961461/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png",
+ "threat.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png",
+ "threat.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961462",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3085,27 +3266,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961462",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961462/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css",
- "threatintel.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961462/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css",
+ "threat.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css",
+ "threat.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961463",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3119,27 +3302,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961463",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961463/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css",
- "threatintel.indicator.url.path": "/viro/02941830735/uk.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961463/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css",
+ "threat.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css",
+ "threat.indicator.url.path": "/viro/02941830735/uk.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961458",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3153,27 +3338,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961458",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961458/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css",
- "threatintel.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961458/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css",
+ "threat.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961459",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3187,27 +3374,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961459",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961459/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg",
- "threatintel.indicator.url.path": "/ladi/03108100615/it.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961459/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg",
+ "threat.indicator.url.path": "/ladi/03108100615/it.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961460",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3221,27 +3410,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961460",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961460/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png",
- "threatintel.indicator.url.path": "/minu/PTACSM56A31F604X/en.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961460/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png",
+ "threat.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png",
+ "threat.indicator.url.path": "/minu/PTACSM56A31F604X/en.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961455",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3255,27 +3446,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961455",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961455/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif",
- "threatintel.indicator.url.path": "/viro/00183050368/en.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961455/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif",
+ "threat.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif",
+ "threat.indicator.url.path": "/viro/00183050368/en.gif",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961456",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3289,27 +3482,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961456",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961456/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif",
- "threatintel.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961456/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif",
+ "threat.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif",
+ "threat.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961457",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3323,27 +3518,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961457",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961457/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "letonguesc.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif",
- "threatintel.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif",
- "threatintel.indicator.url.path": "/leto/08658331007/blank.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961457/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "letonguesc.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif",
+ "threat.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif",
+ "threat.indicator.url.path": "/leto/08658331007/blank.gif",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961450",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3357,27 +3554,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961450",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961450/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png",
- "threatintel.indicator.url.path": "/minu/01098910324/blank.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961450/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png",
+ "threat.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png",
+ "threat.indicator.url.path": "/minu/01098910324/blank.png",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961451",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3391,27 +3590,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961451",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961451/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css",
- "threatintel.indicator.url.path": "/viro/02794390233/uk.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961451/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css",
+ "threat.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css",
+ "threat.indicator.url.path": "/viro/02794390233/uk.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961452",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3425,27 +3626,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961452",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961452/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css",
- "threatintel.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961452/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css",
+ "threat.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css",
+ "threat.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961453",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3459,27 +3662,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961453",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961453/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg",
- "threatintel.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961453/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg",
+ "threat.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg",
+ "threat.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961454",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3493,27 +3698,29 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961454",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961454/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg",
- "threatintel.indicator.url.path": "/viro/03610140125/map.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961454/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg",
+ "threat.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg",
+ "threat.indicator.url.path": "/viro/03610140125/map.jpg",
+ "threat.indicator.url.scheme": "https"
},
{
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961448",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
"event.category": "threat",
"event.dataset": "threatintel.abuseurl",
"event.kind": "enrichment",
@@ -3527,24 +3734,17 @@
"forwarded",
"threatintel-abuseurls"
],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961448",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:49:36.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961448/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png",
- "threatintel.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:49:36.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961448/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png",
+ "threat.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png",
+ "threat.indicator.url.scheme": "https"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml
index 69ab6e22e9b..696b062b6b2 100644
--- a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: anomali
+- name: anomali.limo
type: group
description: >
Fields for Anomali Threat Intel
@@ -50,4 +50,4 @@
- name: object_marking_refs
type: keyword
description: >
- The STIX reference object.
\ No newline at end of file
+ The STIX reference object.
diff --git a/x-pack/filebeat/module/threatintel/anomali/config/config.yml b/x-pack/filebeat/module/threatintel/anomali/config/config.yml
index a268ddb7559..1a30d874635 100644
--- a/x-pack/filebeat/module/threatintel/anomali/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/config/config.yml
@@ -30,7 +30,7 @@ request.transforms:
value: items 0-10000
- set:
target: url.params.match[type]
- value: {{ .types }}
+ value: indicator
- set:
target: url.params.added_after
value: '[[.cursor.timestamp]]'
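Review bot: The hard-coded `value: indicator` differs from the default the removed `types` var carried in manifest.yml (`indicators`, plural), so this changes the `match[type]` query parameter rather than merely inlining it. If the singular STIX object type is the intended correction, a comment such as `# STIX object type requested from the TAXII collection` on this `set` would record that, and the dropped `var.types` deserves a changelog line since existing module configs that still set it will presumably be ignored without warning. The `request.transforms` list this entry belongs to starts before the hunk.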
@@ -54,17 +54,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields: ["json.id"]
- target_field: "@metadata._id"
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
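Review bot: The rendered tag entries `- {{$val}}` are emitted as plain scalars, so a tag whose text looks like a boolean, number or date, or starts with a YAML indicator, is retyped or misparsed when the rendered config is loaded; quote them as `- "{{$val}}"` (the `preserve_original_event` literal is safe as written). Note also that the removed `add_fields` set `ecs.version: 1.12.0` while the ingest pipeline in this commit sets `"1.12"`, so the indexed value changes form; presumably intentional, but worth a changelog mention. The beats-side fingerprint into `@metadata._id` is likewise replaced by the pipeline's `_id` fingerprint, so deduplication now depends on the ingest pipeline being attached.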
diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
index eccbf5e9826..94ca3a84751 100644
--- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
@@ -1,4 +1,5 @@
-description: Pipeline for parsing Anomali Threat Intel
+---
+description: Pipeline for parsing Anomali Limo indicators
processors:
####################
# Event ECS fields #
@@ -6,6 +7,9 @@ processors:
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
@@ -20,16 +24,30 @@ processors:
# General ECS fields #
######################
- rename:
- field: json
- target_field: threatintel.anomali
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: anomali.limo
+ - fingerprint:
+ fields:
+ - anomali.limo.id
+ target_field: "_id"
ignore_missing: true
#####################
# Threat ECS Fields #
#####################
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] Anomali Limo"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
## File indicator operations
- date:
- field: threatintel.anomali.created
+ field: anomali.limo.created
formats:
- "yyyy-MM-dd'T'HH:mm:ssz"
- "yyyy-MM-dd'T'HH:mm:ssZ"
@@ -39,68 +57,73 @@ processors:
- "yyyy-MM-dd'T'HH:mm:ss.SSZ"
- "yyyy-MM-dd'T'HH:mm:ss.SSSz"
- "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
- if: "ctx?.threatintel?.anomali?.created != null"
+ if: "ctx.anomali?.limo?.created != null"
- date:
- field: threatintel.anomali.modified
- target_field: threatintel.anomali.modified
+ field: anomali.limo.modified
+ target_field: anomali.limo.modified
formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
- "yyyy-MM-dd'T'HH:mm:ss.Sz"
- "yyyy-MM-dd'T'HH:mm:ss.SZ"
- "yyyy-MM-dd'T'HH:mm:ss.SSz"
- "yyyy-MM-dd'T'HH:mm:ss.SSZ"
- "yyyy-MM-dd'T'HH:mm:ss.SSSz"
- "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
- if: "ctx?.threatintel?.anomali?.modified != null"
+ if: "ctx.anomali?.limo?.modified != null"
- date:
- field: threatintel.anomali.valid_from
- target_field: threatintel.indicator.first_seen
+ field: anomali.limo.valid_from
+ target_field: threat.indicator.first_seen
formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
- "yyyy-MM-dd'T'HH:mm:ss.Sz"
- "yyyy-MM-dd'T'HH:mm:ss.SZ"
- "yyyy-MM-dd'T'HH:mm:ss.SSz"
- "yyyy-MM-dd'T'HH:mm:ss.SSZ"
- "yyyy-MM-dd'T'HH:mm:ss.SSSz"
- "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
- if: "ctx?.threatintel?.anomali?.valid_from != null"
+ if: "ctx.anomali?.limo?.valid_from != null"
- grok:
- field: threatintel.anomali.pattern
+ field: anomali.limo.pattern
patterns:
- "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]"
+ if: ctx.anomali?.limo?.pattern != null
- rename:
field: _tmp.threattype
- target_field: threatintel.indicator.type
+ target_field: threat.indicator.type
ignore_missing: true
- rename:
field: _tmp.threatvalue
- target_field: threatintel.indicator.ip
+ target_field: threat.indicator.ip
ignore_missing: true
- if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)"
+ if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)"
- uri_parts:
field: _tmp.threatvalue
- target_field: threatintel.indicator.url
+ target_field: threat.indicator.url
keep_original: true
remove_if_successful: true
- if: ctx?.threatintel?.indicator?.type == 'url'
+ if: ctx.threat?.indicator?.type == 'url'
- set:
- field: threatintel.indicator.url.full
- value: "{{{threatintel.indicator.url.original}}}"
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
ignore_empty_value: true
- rename:
field: _tmp.threatvalue
- target_field: threatintel.indicator.email.address
+ target_field: threat.indicator.email.address
ignore_missing: true
- if: ctx?.threatintel?.indicator?.type == 'email-addr'
+ if: ctx.threat?.indicator?.type == 'email-addr'
- rename:
field: _tmp.threatvalue
- target_field: threatintel.indicator.url.domain
+ target_field: threat.indicator.url.domain
ignore_missing: true
- if: ctx?.threatintel?.indicator?.type == 'domain-name'
+ if: ctx.threat?.indicator?.type == 'domain-name'
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx.threat?.indicator?.type == null
- foreach:
- field: threatintel.anomali.labels
+ field: anomali.limo.labels
ignore_missing: true
processor:
append:
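Review bot: The `rename` into `threat.indicator.ip` moves `_tmp.threatvalue` straight from the feed's STIX pattern with no check that it is a well-formed address; the grok that fills it accepts any `%{DATA}`, so the value is feed-controlled, and if the target is mapped as `ip` (the mapping is not in this hunk) a malformed value rejects the whole document at index time rather than just that field. Validating before the rename, for instance by grokking the value against `%{IP:_tmp.ip}` and renaming only on success, keeps the rest of the indicator. The same consideration applies to `threat.indicator.url.domain` and `threat.indicator.email.address` below it, which are also unvalidated feed strings. This processor chain continues past the end of the hunk.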
@@ -108,9 +131,9 @@ processors:
value: "{{_ingest._value}}"
allow_duplicates: false
- grok:
- field: threatintel.anomali.description
+ field: anomali.limo.description
patterns:
- - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}"
+ - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}"
ignore_missing: true
ignore_failure: true
######################
@@ -140,9 +163,14 @@ processors:
}
}
handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- remove:
field:
- - threatintel.anomali.created
+ - anomali.limo.created
- message
- _tmp
ignore_missing: true
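Review bot: The second `remove` still lists `- message`, but this commit renames `message` to `event.original` earlier in the pipeline, so that entry is now dead (harmless under `ignore_missing: true`); drop it or comment why it stays. The new condition `if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"` keeps the `ctx?.` null-safe form that the rest of this commit replaces with `ctx.`, and since `ctx` itself is never null in Painless, `ctx.tags == null || ...` would match the new style. Removing `event.original` unless the tag is present is a sensible default for raw feed content and reduces what is indexed from an untrusted source.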
diff --git a/x-pack/filebeat/module/threatintel/anomali/manifest.yml b/x-pack/filebeat/module/threatintel/anomali/manifest.yml
index 1087e00df8a..bdfcf20a3ad 100644
--- a/x-pack/filebeat/module/threatintel/anomali/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/manifest.yml
@@ -8,8 +8,6 @@ var:
- name: first_interval
default: 24h
- name: ssl
- - name: types
- default: indicators
- name: username
- name: password
- name: url
@@ -17,6 +15,8 @@ var:
- name: tags
default: [threatintel-anomali, forwarded]
- name: proxy_url
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
index f527da1ed98..7f998f8c778 100644
--- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
@@ -1,5 +1,20 @@
[
{
+ "anomali.limo.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28",
+ "anomali.limo.labels": [
+ "malicious-activity",
+ "threatstream-confidence-76",
+ "threatstream-severity-medium"
+ ],
+ "anomali.limo.modified": "2020-01-22T02:58:57.431Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
+ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
+ ],
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:58:57.431Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -16,32 +31,34 @@
"threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:58:57.431Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:58:57.431Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:58:57.503Z",
+ "anomali.limo.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:58:57.431Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:58:57.431Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:58:57.503Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -58,32 +75,34 @@
"threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:58:57.503Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "worldatdoor.in",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-68",
+ "threatstream-confidence-71",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:58:57.503Z",
- "threatintel.anomali.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:58:57.570Z",
+ "anomali.limo.name": "mal_url: http://f0387770.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:58:57.503Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:58:57.503Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "worldatdoor.in",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0387770.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:58:57.57Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -100,31 +119,33 @@
"threatstream-confidence-71",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:58:57.570Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0387770.xsph.ru",
+ "threat.indicator.url.full": "http://f0387770.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0387770.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime",
+ "anomali.limo.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-71",
+ "threatstream-confidence-50",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:58:57.570Z",
- "threatintel.anomali.name": "mal_url: http://f0387770.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:58:59.366Z",
+ "anomali.limo.name": "mal_url: http://178.62.187.103/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0387770.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:58:57.57Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:58:57.570Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0387770.xsph.ru",
- "threatintel.indicator.url.full": "http://f0387770.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0387770.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://178.62.187.103/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:58:59.366Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -141,31 +162,33 @@
"threatstream-confidence-50",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:58:59.366Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "178.62.187.103",
+ "threat.indicator.url.full": "http://178.62.187.103/login",
+ "threat.indicator.url.original": "http://178.62.187.103/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-50",
+ "threatstream-confidence-66",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:58:59.366Z",
- "threatintel.anomali.name": "mal_url: http://178.62.187.103/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:58:59.457Z",
+ "anomali.limo.name": "mal_url: http://appareluea.com/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://178.62.187.103/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:58:59.366Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "178.62.187.103",
- "threatintel.indicator.url.full": "http://178.62.187.103/login",
- "threatintel.indicator.url.original": "http://178.62.187.103/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:58:59.457Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -182,32 +205,34 @@
"threatstream-confidence-66",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:58:59.457Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "appareluea.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://appareluea.com/panel/admin.php",
+ "threat.indicator.url.original": "http://appareluea.com/panel/admin.php",
+ "threat.indicator.url.path": "/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-66",
+ "threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:58:59.457Z",
- "threatintel.anomali.name": "mal_url: http://appareluea.com/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:06.402Z",
+ "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:58:59.457Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:58:59.457Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "appareluea.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://appareluea.com/panel/admin.php",
- "threatintel.indicator.url.original": "http://appareluea.com/panel/admin.php",
- "threatintel.indicator.url.path": "/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:06.402Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -224,32 +249,34 @@
"threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:06.402Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "nkpotu.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php",
+ "threat.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php",
+ "threat.indicator.url.path": "/Kpot3/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime",
+ "anomali.limo.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-49",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:06.402Z",
- "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:19.990Z",
+ "anomali.limo.name": "mal_ip: 162.144.128.116",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:06.402Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:06.402Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "nkpotu.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php",
- "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php",
- "threatintel.indicator.url.path": "/Kpot3/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '162.144.128.116']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:19.99Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -266,27 +293,29 @@
"threatstream-confidence-49",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:19.990Z",
+ "threat.indicator.ip": "162.144.128.116",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-49",
+ "threatstream-confidence-79",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:19.990Z",
- "threatintel.anomali.name": "mal_ip: 162.144.128.116",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:20.155Z",
+ "anomali.limo.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '162.144.128.116']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:19.99Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:19.990Z",
- "threatintel.indicator.ip": "162.144.128.116",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:20.155Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -303,32 +332,34 @@
"threatstream-confidence-79",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:20.155Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ntrcgroup.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php",
+ "threat.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php",
+ "threat.indicator.url.path": "/nze/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-79",
+ "threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:20.155Z",
- "threatintel.anomali.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:25.521Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:20.155Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:20.155Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ntrcgroup.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php",
- "threatintel.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php",
- "threatintel.indicator.url.path": "/nze/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:25.521Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -345,32 +376,34 @@
"threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:25.521Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:25.521Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:25.626Z",
+ "anomali.limo.name": "mal_url: http://f0390764.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:25.521Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:25.521Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0390764.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:25.626Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -387,31 +420,33 @@
"threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:25.626Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0390764.xsph.ru",
+ "threat.indicator.url.full": "http://f0390764.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0390764.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-68",
+ "threatstream-confidence-85",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:25.626Z",
- "threatintel.anomali.name": "mal_url: http://f0390764.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:36.461Z",
+ "anomali.limo.name": "mal_ip: 45.143.138.39",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0390764.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:25.626Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0390764.xsph.ru",
- "threatintel.indicator.url.full": "http://f0390764.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0390764.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '45.143.138.39']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:36.461Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -428,27 +463,29 @@
"threatstream-confidence-85",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:36.461Z",
+ "threat.indicator.ip": "45.143.138.39",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-85",
+ "threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:36.461Z",
- "threatintel.anomali.name": "mal_ip: 45.143.138.39",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:41.193Z",
+ "anomali.limo.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '45.143.138.39']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:36.461Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:36.461Z",
- "threatintel.indicator.ip": "45.143.138.39",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:41.193Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -465,32 +502,34 @@
"threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:41.193Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "aglfreight.com.my",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
+ "threat.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime",
+ "anomali.limo.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-82",
+ "threatstream-confidence-61",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:41.193Z",
- "threatintel.anomali.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:41.228Z",
+ "anomali.limo.name": "mal_url: http://95.182.122.184/",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:41.193Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:41.193Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "aglfreight.com.my",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
- "threatintel.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://95.182.122.184/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:41.228Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -507,31 +546,33 @@
"threatstream-confidence-61",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:41.228Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "95.182.122.184",
+ "threat.indicator.url.full": "http://95.182.122.184/",
+ "threat.indicator.url.original": "http://95.182.122.184/",
+ "threat.indicator.url.path": "/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-61",
+ "threatstream-confidence-62",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:41.228Z",
- "threatintel.anomali.name": "mal_url: http://95.182.122.184/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:51.313Z",
+ "anomali.limo.name": "mal_ip: 198.54.115.121",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://95.182.122.184/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:41.228Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "95.182.122.184",
- "threatintel.indicator.url.full": "http://95.182.122.184/",
- "threatintel.indicator.url.original": "http://95.182.122.184/",
- "threatintel.indicator.url.path": "/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '198.54.115.121']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:51.313Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -548,27 +589,29 @@
"threatstream-confidence-62",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:51.313Z",
+ "threat.indicator.ip": "198.54.115.121",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-62",
+ "threatstream-confidence-38",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:51.313Z",
- "threatintel.anomali.name": "mal_ip: 198.54.115.121",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:51.372Z",
+ "anomali.limo.name": "mal_ip: 192.185.119.172",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '198.54.115.121']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:51.313Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:51.313Z",
- "threatintel.indicator.ip": "198.54.115.121",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '192.185.119.172']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:51.372Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -585,27 +628,29 @@
"threatstream-confidence-38",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:51.372Z",
+ "threat.indicator.ip": "192.185.119.172",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-38",
+ "threatstream-confidence-61",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:51.372Z",
- "threatintel.anomali.name": "mal_ip: 192.185.119.172",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:51.442Z",
+ "anomali.limo.name": "mal_url: http://f0389246.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.119.172']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:51.372Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:51.372Z",
- "threatintel.indicator.ip": "192.185.119.172",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0389246.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:51.442Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -622,31 +667,33 @@
"threatstream-confidence-61",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:51.442Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0389246.xsph.ru",
+ "threat.indicator.url.full": "http://f0389246.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0389246.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--213519c9-f511-4188-89c8-159f35f08008",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-61",
+ "threatstream-confidence-66",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T02:59:51.442Z",
- "threatintel.anomali.name": "mal_url: http://f0389246.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:01.563Z",
+ "anomali.limo.name": "mal_url: http://appareluea.com/server/cp.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0389246.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:51.442Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0389246.xsph.ru",
- "threatintel.indicator.url.full": "http://f0389246.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0389246.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://appareluea.com/server/cp.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:01.563Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -663,32 +710,34 @@
"threatstream-confidence-66",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--213519c9-f511-4188-89c8-159f35f08008",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:01.563Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "appareluea.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://appareluea.com/server/cp.php",
+ "threat.indicator.url.original": "http://appareluea.com/server/cp.php",
+ "threat.indicator.url.path": "/server/cp.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-66",
+ "threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:01.563Z",
- "threatintel.anomali.name": "mal_url: http://appareluea.com/server/cp.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:03.138Z",
+ "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/server/cp.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:01.563Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:01.563Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "appareluea.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://appareluea.com/server/cp.php",
- "threatintel.indicator.url.original": "http://appareluea.com/server/cp.php",
- "threatintel.indicator.url.path": "/server/cp.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:03.138Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -705,32 +754,34 @@
"threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:03.138Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "nkpotu.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php",
+ "threat.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php",
+ "threat.indicator.url.path": "/Kpot2/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:03.138Z",
- "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:03.396Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:03.138Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:03.138Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "nkpotu.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php",
- "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php",
- "threatintel.indicator.url.path": "/Kpot2/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:03.396Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -747,32 +798,34 @@
"threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:03.396Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:03.396Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:03.642Z",
+ "anomali.limo.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:03.396Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:03.396Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:03.642Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -789,32 +842,34 @@
"threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:03.642Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "mecharnise.ir",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php",
+ "threat.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php",
+ "threat.indicator.url.path": "/ca4/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:03.642Z",
- "threatintel.anomali.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:27.534Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:03.642Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:03.642Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "mecharnise.ir",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php",
- "threatintel.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php",
- "threatintel.indicator.url.path": "/ca4/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:27.534Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -831,32 +886,34 @@
"threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:27.534Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
+ "anomali.limo.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-78",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:27.534Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:27.591Z",
+ "anomali.limo.name": "mal_url: http://kironofer.com/webpanel/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:27.534Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:27.534Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:27.591Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -873,32 +930,34 @@
"threatstream-confidence-78",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:27.591Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "kironofer.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://kironofer.com/webpanel/login.php",
+ "threat.indicator.url.original": "http://kironofer.com/webpanel/login.php",
+ "threat.indicator.url.path": "/webpanel/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-78",
+ "threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:27.591Z",
- "threatintel.anomali.name": "mal_url: http://kironofer.com/webpanel/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:45.787Z",
+ "anomali.limo.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:27.591Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:27.591Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "kironofer.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://kironofer.com/webpanel/login.php",
- "threatintel.indicator.url.original": "http://kironofer.com/webpanel/login.php",
- "threatintel.indicator.url.path": "/webpanel/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:45.787Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -915,32 +974,34 @@
"threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:45.787Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "worldatdoor.in",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime",
+ "anomali.limo.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-68",
+ "threatstream-confidence-91",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:45.787Z",
- "threatintel.anomali.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:45.841Z",
+ "anomali.limo.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:45.787Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:45.787Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "worldatdoor.in",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:45.841Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -957,32 +1018,34 @@
"threatstream-confidence-91",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:45.841Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "smartlinktelecom.top",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php",
+ "threat.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php",
+ "threat.indicator.url.path": "/kings/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-91",
+ "threatstream-confidence-64",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:45.841Z",
- "threatintel.anomali.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:45.959Z",
+ "anomali.limo.name": "mal_url: http://carirero.net/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:45.841Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:45.841Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "smartlinktelecom.top",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php",
- "threatintel.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php",
- "threatintel.indicator.url.path": "/kings/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://carirero.net/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:45.959Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -999,32 +1062,34 @@
"threatstream-confidence-64",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:45.959Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "carirero.net",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://carirero.net/login.php",
+ "threat.indicator.url.original": "http://carirero.net/login.php",
+ "threat.indicator.url.path": "/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-64",
+ "threatstream-confidence-30",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:45.959Z",
- "threatintel.anomali.name": "mal_url: http://carirero.net/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:46.025Z",
+ "anomali.limo.name": "mal_ip: 74.116.84.20",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://carirero.net/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:45.959Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:45.959Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "carirero.net",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://carirero.net/login.php",
- "threatintel.indicator.url.original": "http://carirero.net/login.php",
- "threatintel.indicator.url.path": "/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '74.116.84.20']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:46.025Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1041,27 +1106,29 @@
"threatstream-confidence-30",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:46.025Z",
+ "threat.indicator.ip": "74.116.84.20",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-30",
+ "threatstream-confidence-43",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:46.025Z",
- "threatintel.anomali.name": "mal_ip: 74.116.84.20",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:57.729Z",
+ "anomali.limo.name": "mal_url: http://tuu.nu/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '74.116.84.20']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:46.025Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:46.025Z",
- "threatintel.indicator.ip": "74.116.84.20",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://tuu.nu/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:57.729Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1078,31 +1145,33 @@
"threatstream-confidence-43",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:57.729Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tuu.nu",
+ "threat.indicator.url.full": "http://tuu.nu/login",
+ "threat.indicator.url.original": "http://tuu.nu/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime",
+ "anomali.limo.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-43",
+ "threatstream-confidence-36",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:00:57.729Z",
- "threatintel.anomali.name": "mal_url: http://tuu.nu/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:02.696Z",
+ "anomali.limo.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://tuu.nu/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:57.729Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tuu.nu",
- "threatintel.indicator.url.full": "http://tuu.nu/login",
- "threatintel.indicator.url.original": "http://tuu.nu/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:02.696Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1119,32 +1188,34 @@
"threatstream-confidence-36",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:02.696Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "dulfix.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-36",
+ "threatstream-confidence-65",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:01:02.696Z",
- "threatintel.anomali.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:02.807Z",
+ "anomali.limo.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:02.696Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:02.696Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "dulfix.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:02.807Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1161,32 +1232,34 @@
"threatstream-confidence-65",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:02.807Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "deliciasdvally.com.pe",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-65",
+ "threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:01:02.807Z",
- "threatintel.anomali.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:24.810Z",
+ "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:02.807Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:02.807Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "deliciasdvally.com.pe",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:24.81Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1203,32 +1276,34 @@
"threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:24.810Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "nkpotu.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php",
+ "threat.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php",
+ "threat.indicator.url.path": "/Kpot1/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime",
+ "anomali.limo.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:01:24.810Z",
- "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:41.158Z",
+ "anomali.limo.name": "mal_ip: 194.87.147.80",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:24.81Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:24.810Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "nkpotu.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php",
- "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php",
- "threatintel.indicator.url.path": "/Kpot1/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '194.87.147.80']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:41.158Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1245,27 +1320,29 @@
"threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:41.158Z",
+ "threat.indicator.ip": "194.87.147.80",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime",
+ "anomali.limo.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-85",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:01:41.158Z",
- "threatintel.anomali.name": "mal_ip: 194.87.147.80",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:57.189Z",
+ "anomali.limo.name": "mal_url: http://35.158.92.3/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '194.87.147.80']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:41.158Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:41.158Z",
- "threatintel.indicator.ip": "194.87.147.80",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:57.189Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1282,32 +1359,34 @@
"threatstream-confidence-85",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:57.189Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "35.158.92.3",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://35.158.92.3/panel/admin.php",
+ "threat.indicator.url.original": "http://35.158.92.3/panel/admin.php",
+ "threat.indicator.url.path": "/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-85",
+ "threatstream-confidence-42",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:01:57.189Z",
- "threatintel.anomali.name": "mal_url: http://35.158.92.3/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:57.279Z",
+ "anomali.limo.name": "mal_ip: 45.95.168.70",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:57.189Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:57.189Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "35.158.92.3",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://35.158.92.3/panel/admin.php",
- "threatintel.indicator.url.original": "http://35.158.92.3/panel/admin.php",
- "threatintel.indicator.url.path": "/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '45.95.168.70']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:57.279Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1324,27 +1403,29 @@
"threatstream-confidence-42",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:57.279Z",
+ "threat.indicator.ip": "45.95.168.70",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-42",
+ "threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:01:57.279Z",
- "threatintel.anomali.name": "mal_ip: 45.95.168.70",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:02:50.570Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '45.95.168.70']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:57.279Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:57.279Z",
- "threatintel.indicator.ip": "45.95.168.70",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:02:50.57Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1361,32 +1442,34 @@
"threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:02:50.570Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-26",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:02:50.570Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:02:52.496Z",
+ "anomali.limo.name": "mal_url: http://f0391600.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:02:50.57Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:02:50.570Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0391600.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:02:52.496Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1403,31 +1486,33 @@
"threatstream-confidence-26",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:02:52.496Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0391600.xsph.ru",
+ "threat.indicator.url.full": "http://f0391600.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0391600.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-26",
+ "threatstream-confidence-94",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:02:52.496Z",
- "threatintel.anomali.name": "mal_url: http://f0391600.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:03:42.819Z",
+ "anomali.limo.name": "mal_url: http://extraclick.space/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0391600.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:02:52.496Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0391600.xsph.ru",
- "threatintel.indicator.url.full": "http://f0391600.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0391600.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://extraclick.space/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:03:42.819Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1444,32 +1529,34 @@
"threatstream-confidence-94",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:03:42.819Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "extraclick.space",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://extraclick.space/login.php",
+ "threat.indicator.url.original": "http://extraclick.space/login.php",
+ "threat.indicator.url.path": "/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime",
+ "anomali.limo.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-94",
+ "threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:03:42.819Z",
- "threatintel.anomali.name": "mal_url: http://extraclick.space/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:03:52.044Z",
+ "anomali.limo.name": "mal_url: http://petrogarmani.pw/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://extraclick.space/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:03:42.819Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:03:42.819Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "extraclick.space",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://extraclick.space/login.php",
- "threatintel.indicator.url.original": "http://extraclick.space/login.php",
- "threatintel.indicator.url.path": "/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://petrogarmani.pw/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:03:52.044Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1486,32 +1573,34 @@
"threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:03:52.044Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "petrogarmani.pw",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://petrogarmani.pw/login.php",
+ "threat.indicator.url.original": "http://petrogarmani.pw/login.php",
+ "threat.indicator.url.path": "/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:03:52.044Z",
- "threatintel.anomali.name": "mal_url: http://petrogarmani.pw/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:04:01.650Z",
+ "anomali.limo.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://petrogarmani.pw/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:03:52.044Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:03:52.044Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "petrogarmani.pw",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://petrogarmani.pw/login.php",
- "threatintel.indicator.url.original": "http://petrogarmani.pw/login.php",
- "threatintel.indicator.url.path": "/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:04:01.65Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1528,32 +1617,34 @@
"threatstream-confidence-68",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:04:01.650Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "worldatdoor.in",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php",
+ "threat.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php",
+ "threat.indicator.url.path": "/mighty/32/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime",
+ "anomali.limo.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-68",
+ "threatstream-confidence-92",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:04:01.650Z",
- "threatintel.anomali.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:04:32.717Z",
+ "anomali.limo.name": "mal_url: http://zanlma.com/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:04:01.65Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:04:01.650Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "worldatdoor.in",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php",
- "threatintel.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php",
- "threatintel.indicator.url.path": "/mighty/32/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://zanlma.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:04:32.717Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1570,31 +1661,33 @@
"threatstream-confidence-92",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:04:32.717Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "zanlma.com",
+ "threat.indicator.url.full": "http://zanlma.com/login",
+ "threat.indicator.url.original": "http://zanlma.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-92",
+ "threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:04:32.717Z",
- "threatintel.anomali.name": "mal_url: http://zanlma.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:04:56.858Z",
+ "anomali.limo.name": "mal_url: http://f0369688.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://zanlma.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:04:32.717Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "zanlma.com",
- "threatintel.indicator.url.full": "http://zanlma.com/login",
- "threatintel.indicator.url.original": "http://zanlma.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0369688.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:04:56.858Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1611,31 +1704,33 @@
"threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:04:56.858Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0369688.xsph.ru",
+ "threat.indicator.url.full": "http://f0369688.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0369688.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-84",
+ "threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:04:56.858Z",
- "threatintel.anomali.name": "mal_url: http://f0369688.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:04:59.245Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0369688.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:04:56.858Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0369688.xsph.ru",
- "threatintel.indicator.url.full": "http://f0369688.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0369688.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:04:59.245Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1652,32 +1747,34 @@
"threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:04:59.245Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-57",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-22T03:04:59.245Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:00:22.287Z",
+ "anomali.limo.name": "mal_ip: 192.185.214.199",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:04:59.245Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:04:59.245Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '192.185.214.199']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:00:22.287Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1694,27 +1791,29 @@
"threatstream-confidence-57",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:00:22.287Z",
+ "threat.indicator.ip": "192.185.214.199",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime",
+ "anomali.limo.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-57",
+ "threatstream-confidence-24",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:00:22.287Z",
- "threatintel.anomali.name": "mal_ip: 192.185.214.199",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:01:11.329Z",
+ "anomali.limo.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.214.199']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:00:22.287Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:00:22.287Z",
- "threatintel.indicator.ip": "192.185.214.199",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:01:11.329Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1731,32 +1830,34 @@
"threatstream-confidence-24",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:01:11.329Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "softtouchcollars.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-24",
+ "threatstream-confidence-61",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:01:11.329Z",
- "threatintel.anomali.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:01:36.682Z",
+ "anomali.limo.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:01:11.329Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:01:11.329Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "softtouchcollars.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:01:36.682Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1773,32 +1874,34 @@
"threatstream-confidence-61",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:01:36.682Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "imobiliariatirol.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php",
+ "threat.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php",
+ "threat.indicator.url.path": "/gh/panelnew/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-61",
+ "threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:01:36.682Z",
- "threatintel.anomali.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:02:15.854Z",
+ "anomali.limo.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:01:36.682Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:01:36.682Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "imobiliariatirol.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php",
- "threatintel.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php",
- "threatintel.indicator.url.path": "/gh/panelnew/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:02:15.854Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1815,32 +1918,34 @@
"threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:02:15.854Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "deliveryexpressworld.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-62",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:02:15.854Z",
- "threatintel.anomali.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:02:47.364Z",
+ "anomali.limo.name": "mal_url: http://f0392261.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:02:15.854Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:02:15.854Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "deliveryexpressworld.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0392261.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:02:47.364Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1857,31 +1962,33 @@
"threatstream-confidence-62",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:02:47.364Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0392261.xsph.ru",
+ "threat.indicator.url.full": "http://f0392261.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0392261.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
+ "anomali.limo.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-62",
+ "threatstream-confidence-80",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:02:47.364Z",
- "threatintel.anomali.name": "mal_url: http://f0392261.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:03:05.048Z",
+ "anomali.limo.name": "mal_url: http://104.168.99.168/panel/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0392261.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:02:47.364Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0392261.xsph.ru",
- "threatintel.indicator.url.full": "http://f0392261.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0392261.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:03:05.048Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1898,32 +2005,34 @@
"threatstream-confidence-80",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:03:05.048Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "104.168.99.168",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php",
+ "threat.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php",
+ "threat.indicator.url.path": "/panel/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-80",
+ "threatstream-confidence-69",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:03:05.048Z",
- "threatintel.anomali.name": "mal_url: http://104.168.99.168/panel/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:03:15.734Z",
+ "anomali.limo.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:03:05.048Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:03:05.048Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "104.168.99.168",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php",
- "threatintel.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php",
- "threatintel.indicator.url.path": "/panel/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:03:15.734Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1940,32 +2049,34 @@
"threatstream-confidence-69",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:03:15.734Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0387404.xsph.ru",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php",
+ "threat.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php",
+ "threat.indicator.url.path": "/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-69",
+ "threatstream-confidence-72",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:03:15.734Z",
- "threatintel.anomali.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-23T03:03:42.599Z",
+ "anomali.limo.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:03:15.734Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:03:15.734Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0387404.xsph.ru",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php",
- "threatintel.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php",
- "threatintel.indicator.url.path": "/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-23T03:03:42.599Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -1982,32 +2093,34 @@
"threatstream-confidence-72",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-23T03:03:42.599Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "a0386457.xsph.ru",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php",
+ "threat.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php",
+ "threat.indicator.url.path": "/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-72",
+ "threatstream-confidence-74",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-23T03:03:42.599Z",
- "threatintel.anomali.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:04.821Z",
+ "anomali.limo.name": "mal_url: http://defenseisrael.com/dis/index.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-23T03:03:42.599Z",
- "threatintel.indicator.first_seen": "2020-01-23T03:03:42.599Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "a0386457.xsph.ru",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php",
- "threatintel.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php",
- "threatintel.indicator.url.path": "/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:04.821Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2024,32 +2137,34 @@
"threatstream-confidence-74",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:04.821Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "defenseisrael.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://defenseisrael.com/dis/index.php",
+ "threat.indicator.url.original": "http://defenseisrael.com/dis/index.php",
+ "threat.indicator.url.path": "/dis/index.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-74",
+ "threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:04.821Z",
- "threatintel.anomali.name": "mal_url: http://defenseisrael.com/dis/index.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:04.857Z",
+ "anomali.limo.name": "mal_ip: 91.215.170.249",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:04.821Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:04.821Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "defenseisrael.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://defenseisrael.com/dis/index.php",
- "threatintel.indicator.url.original": "http://defenseisrael.com/dis/index.php",
- "threatintel.indicator.url.path": "/dis/index.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '91.215.170.249']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:04.857Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2066,27 +2181,29 @@
"threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:04.857Z",
+ "threat.indicator.ip": "91.215.170.249",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-83",
+ "threatstream-confidence-79",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:04.857Z",
- "threatintel.anomali.name": "mal_ip: 91.215.170.249",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:04.883Z",
+ "anomali.limo.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '91.215.170.249']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:04.857Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:04.857Z",
- "threatintel.indicator.ip": "91.215.170.249",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:04.883Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2103,31 +2220,33 @@
"threatstream-confidence-79",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:04.883Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "lbfb3f03.justinstalledpanel.com",
+ "threat.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login",
+ "threat.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-79",
+ "threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:04.883Z",
- "threatintel.anomali.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:12.997Z",
+ "anomali.limo.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:04.883Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com",
- "threatintel.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login",
- "threatintel.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:12.997Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2144,32 +2263,34 @@
"threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:12.997Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "byedtronchgroup.yt",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:12.997Z",
- "threatintel.anomali.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:13.025Z",
+ "anomali.limo.name": "mal_url: http://199.192.28.11/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:12.997Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:12.997Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "byedtronchgroup.yt",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:13.025Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2186,32 +2307,34 @@
"threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:13.025Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "199.192.28.11",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://199.192.28.11/panel/admin.php",
+ "threat.indicator.url.original": "http://199.192.28.11/panel/admin.php",
+ "threat.indicator.url.path": "/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:13.025Z",
- "threatintel.anomali.name": "mal_url: http://199.192.28.11/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:32.901Z",
+ "anomali.limo.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:13.025Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:13.025Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "199.192.28.11",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://199.192.28.11/panel/admin.php",
- "threatintel.indicator.url.original": "http://199.192.28.11/panel/admin.php",
- "threatintel.indicator.url.path": "/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:32.901Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2228,32 +2351,34 @@
"threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:32.901Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "217.8.117.51",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php",
+ "threat.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php",
+ "threat.indicator.url.path": "/aW8bVds1/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-82",
+ "threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:32.901Z",
- "threatintel.anomali.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:32.929Z",
+ "anomali.limo.name": "mal_url: http://lansome.site/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:32.901Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:32.901Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "217.8.117.51",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php",
- "threatintel.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php",
- "threatintel.indicator.url.path": "/aW8bVds1/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://lansome.site/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:32.929Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2270,31 +2395,33 @@
"threatstream-confidence-93",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:32.929Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "lansome.site",
+ "threat.indicator.url.full": "http://lansome.site/login",
+ "threat.indicator.url.original": "http://lansome.site/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:32.929Z",
- "threatintel.anomali.name": "mal_url: http://lansome.site/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:57:49.028Z",
+ "anomali.limo.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://lansome.site/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:32.929Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "lansome.site",
- "threatintel.indicator.url.full": "http://lansome.site/login",
- "threatintel.indicator.url.original": "http://lansome.site/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:57:49.028Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2311,32 +2438,34 @@
"threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:57:49.028Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "iplusvietnam.com.vn",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
+ "anomali.limo.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-83",
+ "threatstream-confidence-94",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:57:49.028Z",
- "threatintel.anomali.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:58:03.345Z",
+ "anomali.limo.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:57:49.028Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:57:49.028Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "iplusvietnam.com.vn",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:58:03.345Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2353,32 +2482,34 @@
"threatstream-confidence-94",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:58:03.345Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "leakaryadeen.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime",
+ "anomali.limo.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-94",
+ "threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:58:03.345Z",
- "threatintel.anomali.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:58:16.318Z",
+ "anomali.limo.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:58:03.345Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:58:03.345Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "leakaryadeen.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:58:16.318Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2395,32 +2526,34 @@
"threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:58:16.318Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "oaa-my.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime",
+ "anomali.limo.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-81",
+ "threatstream-confidence-66",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:58:16.318Z",
- "threatintel.anomali.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:58:16.358Z",
+ "anomali.limo.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:58:16.318Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:58:16.318Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "oaa-my.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:58:16.358Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2437,32 +2570,34 @@
"threatstream-confidence-66",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:58:16.358Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "thaubenuocngam.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-66",
+ "threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:58:16.358Z",
- "threatintel.anomali.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:58:32.126Z",
+ "anomali.limo.name": "mal_url: http://suspiciousactivity.xyz/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:58:16.358Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:58:16.358Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "thaubenuocngam.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:58:32.126Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2479,31 +2614,33 @@
"threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:58:32.126Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "suspiciousactivity.xyz",
+ "threat.indicator.url.full": "http://suspiciousactivity.xyz/login",
+ "threat.indicator.url.original": "http://suspiciousactivity.xyz/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7",
+ "anomali.limo.labels": [
"malicious-activity",
"threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:58:32.126Z",
- "threatintel.anomali.name": "mal_url: http://suspiciousactivity.xyz/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:58:37.603Z",
+ "anomali.limo.name": "mal_url: http://217.8.117.8/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:58:32.126Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "suspiciousactivity.xyz",
- "threatintel.indicator.url.full": "http://suspiciousactivity.xyz/login",
- "threatintel.indicator.url.original": "http://suspiciousactivity.xyz/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://217.8.117.8/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:58:37.603Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2520,31 +2657,33 @@
"threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:58:37.603Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "217.8.117.8",
+ "threat.indicator.url.full": "http://217.8.117.8/login",
+ "threat.indicator.url.original": "http://217.8.117.8/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-82",
+ "threatstream-confidence-71",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:58:37.603Z",
- "threatintel.anomali.name": "mal_url: http://217.8.117.8/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:58:37.643Z",
+ "anomali.limo.name": "mal_url: http://f0387550.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.8/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:58:37.603Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "217.8.117.8",
- "threatintel.indicator.url.full": "http://217.8.117.8/login",
- "threatintel.indicator.url.original": "http://217.8.117.8/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0387550.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:58:37.643Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2561,31 +2700,33 @@
"threatstream-confidence-71",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:58:37.643Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0387550.xsph.ru",
+ "threat.indicator.url.full": "http://f0387550.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0387550.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-71",
+ "threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:58:37.643Z",
- "threatintel.anomali.name": "mal_url: http://f0387550.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:58:39.465Z",
+ "anomali.limo.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0387550.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:58:37.643Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0387550.xsph.ru",
- "threatintel.indicator.url.full": "http://f0387550.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0387550.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:58:39.465Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2602,31 +2743,33 @@
"threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:58:39.465Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "lf4e4abf.justinstalledpanel.com",
+ "threat.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login",
+ "threat.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime",
+ "anomali.limo.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-84",
+ "threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:58:39.465Z",
- "threatintel.anomali.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:02.031Z",
+ "anomali.limo.name": "mal_ip: 206.217.131.245",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:58:39.465Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com",
- "threatintel.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login",
- "threatintel.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '206.217.131.245']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:02.031Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2643,27 +2786,29 @@
"threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:02.031Z",
+ "threat.indicator.ip": "206.217.131.245",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime",
+ "anomali.limo.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-81",
+ "threatstream-confidence-52",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:02.031Z",
- "threatintel.anomali.name": "mal_ip: 206.217.131.245",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:15.878Z",
+ "anomali.limo.name": "mal_url: http://67.215.224.101/a1/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '206.217.131.245']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:02.031Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:02.031Z",
- "threatintel.indicator.ip": "206.217.131.245",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:15.878Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2680,32 +2825,34 @@
"threatstream-confidence-52",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:15.878Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "67.215.224.101",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php",
+ "threat.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php",
+ "threat.indicator.url.path": "/a1/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-52",
+ "threatstream-confidence-58",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:15.878Z",
- "threatintel.anomali.name": "mal_url: http://67.215.224.101/a1/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:29.155Z",
+ "anomali.limo.name": "mal_ip: 162.241.73.163",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:15.878Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:15.878Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "67.215.224.101",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php",
- "threatintel.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php",
- "threatintel.indicator.url.path": "/a1/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '162.241.73.163']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:29.155Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2722,27 +2869,29 @@
"threatstream-confidence-58",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:29.155Z",
+ "threat.indicator.ip": "162.241.73.163",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-58",
+ "threatstream-confidence-78",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:29.155Z",
- "threatintel.anomali.name": "mal_ip: 162.241.73.163",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:50.233Z",
+ "anomali.limo.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '162.241.73.163']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:29.155Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:29.155Z",
- "threatintel.indicator.ip": "162.241.73.163",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:50.233Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2759,31 +2908,33 @@
"threatstream-confidence-78",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:50.233Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "l60bdd58.justinstalledpanel.com",
+ "threat.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login",
+ "threat.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
+ "anomali.limo.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-78",
+ "threatstream-confidence-25",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:50.233Z",
- "threatintel.anomali.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:50.255Z",
+ "anomali.limo.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:50.233Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com",
- "threatintel.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login",
- "threatintel.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:50.255Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2800,32 +2951,34 @@
"threatstream-confidence-25",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:50.255Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "107.175.150.73",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php",
+ "threat.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php",
+ "threat.indicator.url.path": "/~giftioz/.azma/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-25",
+ "threatstream-confidence-78",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:50.255Z",
- "threatintel.anomali.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:52.536Z",
+ "anomali.limo.name": "mal_url: http://5.188.60.52/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:50.255Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:50.255Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "107.175.150.73",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php",
- "threatintel.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php",
- "threatintel.indicator.url.path": "/~giftioz/.azma/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://5.188.60.52/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:52.536Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2842,31 +2995,33 @@
"threatstream-confidence-78",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:52.536Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "5.188.60.52",
+ "threat.indicator.url.full": "http://5.188.60.52/login",
+ "threat.indicator.url.original": "http://5.188.60.52/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-78",
+ "threatstream-confidence-85",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:52.536Z",
- "threatintel.anomali.name": "mal_url: http://5.188.60.52/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:54.784Z",
+ "anomali.limo.name": "mal_url: http://trotdeiman.ga/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://5.188.60.52/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:52.536Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "5.188.60.52",
- "threatintel.indicator.url.full": "http://5.188.60.52/login",
- "threatintel.indicator.url.original": "http://5.188.60.52/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://trotdeiman.ga/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:54.784Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2883,31 +3038,33 @@
"threatstream-confidence-85",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:54.784Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "trotdeiman.ga",
+ "threat.indicator.url.full": "http://trotdeiman.ga/login",
+ "threat.indicator.url.original": "http://trotdeiman.ga/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-85",
+ "threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:54.784Z",
- "threatintel.anomali.name": "mal_url: http://trotdeiman.ga/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T02:59:54.815Z",
+ "anomali.limo.name": "mal_ip: 217.8.117.8",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://trotdeiman.ga/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:54.784Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "trotdeiman.ga",
- "threatintel.indicator.url.full": "http://trotdeiman.ga/login",
- "threatintel.indicator.url.original": "http://trotdeiman.ga/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.8']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T02:59:54.815Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2924,27 +3081,29 @@
"threatstream-confidence-82",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T02:59:54.815Z",
+ "threat.indicator.ip": "217.8.117.8",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime",
+ "anomali.limo.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-82",
+ "threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T02:59:54.815Z",
- "threatintel.anomali.name": "mal_ip: 217.8.117.8",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:01.726Z",
+ "anomali.limo.name": "mal_ip: 104.223.170.113",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.8']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T02:59:54.815Z",
- "threatintel.indicator.first_seen": "2020-01-24T02:59:54.815Z",
- "threatintel.indicator.ip": "217.8.117.8",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '104.223.170.113']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:01.726Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2961,27 +3120,29 @@
"threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:01.726Z",
+ "threat.indicator.ip": "104.223.170.113",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-83",
+ "threatstream-confidence-58",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:00:01.726Z",
- "threatintel.anomali.name": "mal_ip: 104.223.170.113",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:01.762Z",
+ "anomali.limo.name": "mal_url: http://tavim.org/includes/firmino/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '104.223.170.113']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:01.726Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:01.726Z",
- "threatintel.indicator.ip": "104.223.170.113",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:01.762Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -2998,32 +3159,34 @@
"threatstream-confidence-58",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:01.762Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tavim.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://tavim.org/includes/firmino/admin.php",
+ "threat.indicator.url.original": "http://tavim.org/includes/firmino/admin.php",
+ "threat.indicator.url.path": "/includes/firmino/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-58",
+ "threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:00:01.762Z",
- "threatintel.anomali.name": "mal_url: http://tavim.org/includes/firmino/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:10.928Z",
+ "anomali.limo.name": "mal_url: http://onlinesecuritycenter.xyz/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:01.762Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:01.762Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tavim.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://tavim.org/includes/firmino/admin.php",
- "threatintel.indicator.url.original": "http://tavim.org/includes/firmino/admin.php",
- "threatintel.indicator.url.path": "/includes/firmino/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:10.928Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3040,31 +3203,33 @@
"threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:10.928Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "onlinesecuritycenter.xyz",
+ "threat.indicator.url.full": "http://onlinesecuritycenter.xyz/login",
+ "threat.indicator.url.original": "http://onlinesecuritycenter.xyz/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime",
+ "anomali.limo.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-84",
+ "threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:00:10.928Z",
- "threatintel.anomali.name": "mal_url: http://onlinesecuritycenter.xyz/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:20.166Z",
+ "anomali.limo.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:10.928Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz",
- "threatintel.indicator.url.full": "http://onlinesecuritycenter.xyz/login",
- "threatintel.indicator.url.original": "http://onlinesecuritycenter.xyz/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:20.166Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3081,32 +3246,34 @@
"threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:20.166Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "oaa-my.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-81",
+ "threatstream-confidence-90",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:00:20.166Z",
- "threatintel.anomali.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:24.048Z",
+ "anomali.limo.name": "mal_url: http://jumbajumbadun.fun/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:20.166Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:20.166Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "oaa-my.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://jumbajumbadun.fun/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:24.048Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3123,31 +3290,33 @@
"threatstream-confidence-90",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:24.048Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "jumbajumbadun.fun",
+ "threat.indicator.url.full": "http://jumbajumbadun.fun/login",
+ "threat.indicator.url.original": "http://jumbajumbadun.fun/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-90",
+ "threatstream-confidence-58",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:00:24.048Z",
- "threatintel.anomali.name": "mal_url: http://jumbajumbadun.fun/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:55.816Z",
+ "anomali.limo.name": "mal_url: http://tavim.org/includes/salah/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://jumbajumbadun.fun/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:24.048Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "jumbajumbadun.fun",
- "threatintel.indicator.url.full": "http://jumbajumbadun.fun/login",
- "threatintel.indicator.url.original": "http://jumbajumbadun.fun/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:55.816Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3164,32 +3333,34 @@
"threatstream-confidence-58",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:55.816Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tavim.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://tavim.org/includes/salah/admin.php",
+ "threat.indicator.url.original": "http://tavim.org/includes/salah/admin.php",
+ "threat.indicator.url.path": "/includes/salah/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-58",
+ "threatstream-confidence-80",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:00:55.816Z",
- "threatintel.anomali.name": "mal_url: http://tavim.org/includes/salah/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:01:10.501Z",
+ "anomali.limo.name": "mal_url: http://l0c23205.justinstalledpanel.com/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:55.816Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:55.816Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tavim.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://tavim.org/includes/salah/admin.php",
- "threatintel.indicator.url.original": "http://tavim.org/includes/salah/admin.php",
- "threatintel.indicator.url.path": "/includes/salah/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:01:10.501Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3206,31 +3377,33 @@
"threatstream-confidence-80",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:01:10.501Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "l0c23205.justinstalledpanel.com",
+ "threat.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login",
+ "threat.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-80",
+ "threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:01:10.501Z",
- "threatintel.anomali.name": "mal_url: http://l0c23205.justinstalledpanel.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:01:10.518Z",
+ "anomali.limo.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:01:10.501Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com",
- "threatintel.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login",
- "threatintel.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:01:10.518Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3247,31 +3420,33 @@
"threatstream-confidence-83",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:01:10.518Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "l535e9e5.justinstalledpanel.com",
+ "threat.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login",
+ "threat.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-83",
+ "threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:01:10.518Z",
- "threatintel.anomali.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:01:14.843Z",
+ "anomali.limo.name": "mal_ip: 217.8.117.47",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:01:10.518Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com",
- "threatintel.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login",
- "threatintel.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.47']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:01:14.843Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3288,27 +3463,29 @@
"threatstream-confidence-76",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:01:14.843Z",
+ "threat.indicator.ip": "217.8.117.47",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-67",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-24T03:01:14.843Z",
- "threatintel.anomali.name": "mal_ip: 217.8.117.47",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:12.699Z",
+ "anomali.limo.name": "mal_url: http://46.161.27.57/northon/",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.47']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:01:14.843Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:01:14.843Z",
- "threatintel.indicator.ip": "217.8.117.47",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://46.161.27.57/northon/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:12.699Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3325,31 +3502,33 @@
"threatstream-confidence-67",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:12.699Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "46.161.27.57",
+ "threat.indicator.url.full": "http://46.161.27.57/northon/",
+ "threat.indicator.url.original": "http://46.161.27.57/northon/",
+ "threat.indicator.url.path": "/northon/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
+ "anomali.limo.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-67",
+ "threatstream-confidence-90",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:12.699Z",
- "threatintel.anomali.name": "mal_url: http://46.161.27.57/northon/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:28.034Z",
+ "anomali.limo.name": "mal_url: http://104.168.99.170/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57/northon/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:12.699Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "46.161.27.57",
- "threatintel.indicator.url.full": "http://46.161.27.57/northon/",
- "threatintel.indicator.url.original": "http://46.161.27.57/northon/",
- "threatintel.indicator.url.path": "/northon/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://104.168.99.170/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:28.034Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3366,31 +3545,33 @@
"threatstream-confidence-90",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:28.034Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "104.168.99.170",
+ "threat.indicator.url.full": "http://104.168.99.170/login",
+ "threat.indicator.url.original": "http://104.168.99.170/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-90",
+ "threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:28.034Z",
- "threatintel.anomali.name": "mal_url: http://104.168.99.170/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:38.187Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.170/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:28.034Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "104.168.99.170",
- "threatintel.indicator.url.full": "http://104.168.99.170/login",
- "threatintel.indicator.url.original": "http://104.168.99.170/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:38.187Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3407,32 +3588,34 @@
"threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:38.187Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-89",
+ "threatstream-confidence-65",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:38.187Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:38.214Z",
+ "anomali.limo.name": "mal_url: http://f0391587.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:38.187Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:38.187Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0391587.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:38.214Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3449,31 +3632,33 @@
"threatstream-confidence-65",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:38.214Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0391587.xsph.ru",
+ "threat.indicator.url.full": "http://f0391587.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0391587.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-65",
+ "threatstream-confidence-67",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:38.214Z",
- "threatintel.anomali.name": "mal_url: http://f0391587.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:47.281Z",
+ "anomali.limo.name": "mal_url: http://46.161.27.57:8080/northon/",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0391587.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:38.214Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0391587.xsph.ru",
- "threatintel.indicator.url.full": "http://f0391587.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0391587.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:47.281Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3490,32 +3675,34 @@
"threatstream-confidence-67",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:47.281Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "46.161.27.57",
+ "threat.indicator.url.full": "http://46.161.27.57:8080/northon/",
+ "threat.indicator.url.original": "http://46.161.27.57:8080/northon/",
+ "threat.indicator.url.path": "/northon/",
+ "threat.indicator.url.port": 8080,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-67",
+ "threatstream-confidence-79",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:47.281Z",
- "threatintel.anomali.name": "mal_url: http://46.161.27.57:8080/northon/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:51.296Z",
+ "anomali.limo.name": "mal_url: http://f0393086.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:47.281Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "46.161.27.57",
- "threatintel.indicator.url.full": "http://46.161.27.57:8080/northon/",
- "threatintel.indicator.url.original": "http://46.161.27.57:8080/northon/",
- "threatintel.indicator.url.path": "/northon/",
- "threatintel.indicator.url.port": 8080,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0393086.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:51.296Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3532,31 +3719,33 @@
"threatstream-confidence-79",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:51.296Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0393086.xsph.ru",
+ "threat.indicator.url.full": "http://f0393086.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0393086.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-79",
+ "threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:51.296Z",
- "threatintel.anomali.name": "mal_url: http://f0393086.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:56.007Z",
+ "anomali.limo.name": "mal_url: http://insuncos.com/files1/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://f0393086.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:51.296Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0393086.xsph.ru",
- "threatintel.indicator.url.full": "http://f0393086.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0393086.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:56.007Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3573,32 +3762,34 @@
"threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:56.007Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "insuncos.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://insuncos.com/files1/panel/admin.php",
+ "threat.indicator.url.original": "http://insuncos.com/files1/panel/admin.php",
+ "threat.indicator.url.path": "/files1/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime",
+ "anomali.limo.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:56.007Z",
- "threatintel.anomali.name": "mal_url: http://insuncos.com/files1/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:56.044Z",
+ "anomali.limo.name": "mal_url: http://tg-h.ru/login",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:56.007Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:56.007Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "insuncos.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://insuncos.com/files1/panel/admin.php",
- "threatintel.indicator.url.original": "http://insuncos.com/files1/panel/admin.php",
- "threatintel.indicator.url.path": "/files1/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://tg-h.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:56.044Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3615,31 +3806,33 @@
"threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:56.044Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tg-h.ru",
+ "threat.indicator.url.full": "http://tg-h.ru/login",
+ "threat.indicator.url.original": "http://tg-h.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-89",
+ "threatstream-confidence-86",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:57:56.044Z",
- "threatintel.anomali.name": "mal_url: http://tg-h.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:11.038Z",
+ "anomali.limo.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://tg-h.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:56.044Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tg-h.ru",
- "threatintel.indicator.url.full": "http://tg-h.ru/login",
- "threatintel.indicator.url.original": "http://tg-h.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:11.038Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3656,32 +3849,34 @@
"threatstream-confidence-86",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:11.038Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "wusetwo.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-86",
+ "threatstream-confidence-64",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:58:11.038Z",
- "threatintel.anomali.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:20.420Z",
+ "anomali.limo.name": "mal_url: http://185.234.217.36/northon/",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:11.038Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:11.038Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "wusetwo.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://185.234.217.36/northon/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:20.42Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3698,31 +3893,33 @@
"threatstream-confidence-64",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:20.420Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "185.234.217.36",
+ "threat.indicator.url.full": "http://185.234.217.36/northon/",
+ "threat.indicator.url.original": "http://185.234.217.36/northon/",
+ "threat.indicator.url.path": "/northon/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime",
+ "anomali.limo.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-64",
+ "threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:58:20.420Z",
- "threatintel.anomali.name": "mal_url: http://185.234.217.36/northon/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:20.448Z",
+ "anomali.limo.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://185.234.217.36/northon/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:20.42Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:20.420Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "185.234.217.36",
- "threatintel.indicator.url.full": "http://185.234.217.36/northon/",
- "threatintel.indicator.url.original": "http://185.234.217.36/northon/",
- "threatintel.indicator.url.path": "/northon/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:20.448Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3739,32 +3936,34 @@
"threatstream-confidence-84",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:20.448Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "topik07.mcdir.ru",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php",
+ "threat.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php",
+ "threat.indicator.url.path": "/papka/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-84",
+ "threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:58:20.448Z",
- "threatintel.anomali.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:33.189Z",
+ "anomali.limo.name": "mal_url: http://insuncos.com/files2/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:20.448Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:20.448Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "topik07.mcdir.ru",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php",
- "threatintel.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php",
- "threatintel.indicator.url.path": "/papka/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:33.189Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3781,32 +3980,34 @@
"threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:33.189Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "insuncos.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://insuncos.com/files2/panel/admin.php",
+ "threat.indicator.url.original": "http://insuncos.com/files2/panel/admin.php",
+ "threat.indicator.url.path": "/files2/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
+ "anomali.limo.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-47",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:58:33.189Z",
- "threatintel.anomali.name": "mal_url: http://insuncos.com/files2/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:49.056Z",
+ "anomali.limo.name": "mal_url: http://185.234.218.68/kaspersky/",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:33.189Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:33.189Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "insuncos.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://insuncos.com/files2/panel/admin.php",
- "threatintel.indicator.url.original": "http://insuncos.com/files2/panel/admin.php",
- "threatintel.indicator.url.path": "/files2/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:49.056Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3823,31 +4024,33 @@
"threatstream-confidence-47",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:49.056Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "185.234.218.68",
+ "threat.indicator.url.full": "http://185.234.218.68/kaspersky/",
+ "threat.indicator.url.original": "http://185.234.218.68/kaspersky/",
+ "threat.indicator.url.path": "/kaspersky/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-47",
+ "threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:58:49.056Z",
- "threatintel.anomali.name": "mal_url: http://185.234.218.68/kaspersky/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:59.472Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:49.056Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "185.234.218.68",
- "threatintel.indicator.url.full": "http://185.234.218.68/kaspersky/",
- "threatintel.indicator.url.original": "http://185.234.218.68/kaspersky/",
- "threatintel.indicator.url.path": "/kaspersky/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:59.472Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3864,32 +4067,34 @@
"threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:59.472Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae",
+ "anomali.limo.labels": [
"malicious-activity",
"threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:58:59.472Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:27.070Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:59.472Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:59.472Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:27.07Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3906,32 +4111,34 @@
"threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:59:27.070Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23",
+ "anomali.limo.labels": [
"malicious-activity",
"threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:59:27.070Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:28.967Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:27.07Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:59:27.070Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:28.967Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3948,32 +4155,34 @@
"threatstream-confidence-89",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:59:28.967Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-89",
+ "threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:59:28.967Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:37.661Z",
+ "anomali.limo.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:28.967Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:59:28.967Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:37.661Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -3990,32 +4199,34 @@
"threatstream-confidence-81",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:59:37.661Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "oaa-my.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-81",
+ "threatstream-confidence-53",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:59:37.661Z",
- "threatintel.anomali.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:37.692Z",
+ "anomali.limo.name": "mal_ip: 192.64.118.56",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:37.661Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:59:37.661Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "oaa-my.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '192.64.118.56']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:37.692Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -4032,27 +4243,29 @@
"threatstream-confidence-53",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:59:37.692Z",
+ "threat.indicator.ip": "192.64.118.56",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a",
+ "anomali.limo.labels": [
"malicious-activity",
- "threatstream-confidence-53",
+ "threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.modified": "2020-01-25T02:59:37.692Z",
- "threatintel.anomali.name": "mal_ip: 192.64.118.56",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:54.296Z",
+ "anomali.limo.name": "mal_url: http://insuncos.com/files3/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '192.64.118.56']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:37.692Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:59:37.692Z",
- "threatintel.indicator.ip": "192.64.118.56",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:54.296Z",
"event.category": "threat",
"event.dataset": "threatintel.anomali",
"event.kind": "enrichment",
@@ -4069,29 +4282,16 @@
"threatstream-confidence-87",
"threatstream-severity-medium"
],
- "threatintel.anomali.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a",
- "threatintel.anomali.labels": [
- "malicious-activity",
- "threatstream-confidence-87",
- "threatstream-severity-medium"
- ],
- "threatintel.anomali.modified": "2020-01-25T02:59:54.296Z",
- "threatintel.anomali.name": "mal_url: http://insuncos.com/files3/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
- "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
- ],
- "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:54.296Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:59:54.296Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "insuncos.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://insuncos.com/files3/panel/admin.php",
- "threatintel.indicator.url.original": "http://insuncos.com/files3/panel/admin.php",
- "threatintel.indicator.url.path": "/files3/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:59:54.296Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "insuncos.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://insuncos.com/files3/panel/admin.php",
+ "threat.indicator.url.original": "http://insuncos.com/files3/panel/admin.php",
+ "threat.indicator.url.path": "/files3/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml
index de0ededab33..41fae21921c 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: anomalithreatstream
+- name: anomali.threatstream
type: group
description: >
Fields for Anomali ThreatStream
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
index f6cfe024305..4d814c03fe5 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
@@ -1,7 +1,6 @@
{{ if eq .input "http_endpoint" }}
type: http_endpoint
-enabled: true
listen_address: {{ .listen_address }}
listen_port: {{ .listen_port }}
@@ -16,12 +15,12 @@ hmac:
prefix: sha256=
{{ end }}
-{{ if .ssl_certificate }}
-ssl:
- enabled: true
- certificate: {{ .ssl_certificate }}
- key: {{ .ssl_key }}
- verification_mode: none
+{{ if .ssl }}
+ssl: {{ .ssl | tojson }}
+{{ end }}
+
+{{ if .preserve_original_event }}
+preserve_original_event: true
{{ end }}
{{ else if eq .input "file" }}
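Review bot: The new `ssl: {{ .ssl | tojson }}` block is rendered only when the `ssl` map is set, and nothing maps or rejects the `ssl_certificate`/`ssl_key` variables this hunk stops reading; if Filebeat ignores module vars the manifest no longer declares (I cannot confirm that from here), an existing `var.ssl_certificate`/`var.ssl_key` configuration would silently render no `ssl:` section and the http_endpoint would accept the feed over plaintext HTTP. Dropping the hard-coded `verification_mode: none` is an improvement, but the template should say so: a comment above the block such as `# TLS is configured through the 'ssl' map (enabled/certificate/key/verification_mode); the former ssl_certificate/ssl_key vars are no longer read.` A breaking-change entry pointing users at the new variable would complete the migration.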
@@ -35,24 +34,12 @@ exclude_files: [".gz$"]
json.add_error_key: true
{{ end }}
-tags: {{.tags | tojson}}
-
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
- - fingerprint:
- fields:
- - event.dataset
- - json.id
- target_field: '@metadata._id'
- encoding: base64
- - script:
- lang: javascript
- id: my_filter
- source: >
- function process(event) {
- event.Put("@metadata.op_type", "index");
- }
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
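Review bot: `- {{$val}}` emits each tag as an unquoted plain scalar, whereas the removed `tags: {{.tags | tojson}}` produced quoted JSON strings; a tag such as `yes`, `on`, `1.10` or `2021-01-01` is now re-typed by the YAML parser (bool, float, timestamp) instead of staying a string. Keeping the JSON encoding per element avoids that: `- {{$val | tojson}}`. The removed `@metadata.op_type: index` script has no replacement in this file, so whether a re-delivered indicator with the same fingerprinted `_id` overwrites the existing document or produces a version conflict now depends on the output's default op_type — worth confirming against the target (index vs. data stream).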
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
index 22644d79518..50b5c6c7bb2 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
@@ -1,19 +1,21 @@
+---
description: Pipeline for parsing Anomali ThreatStream
processors:
- #
- # Safeguard against feeding the pipeline with documents other
- # that the ones generated by Filebeat's http_endpoint input.
- #
- - fail:
- if: "ctx.json == null || !(ctx.json instanceof Map)"
- message: "missing json object in input document"
-
#
# Set basic ECS fields.
#
- set:
field: event.ingested
value: "{{{ _ingest.timestamp }}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
+ - fingerprint:
+ fields:
+ - event.dataset
+ - json.id
+ target_field: "_id"
+ ignore_missing: true
- set:
field: event.kind
value: enrichment
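Review bot: The `fingerprint` processor uses `ignore_missing: true`, so when `json.id` is absent the hash is computed over `event.dataset` alone and every such document receives the same `_id`, collapsing them into a single document (or into version conflicts, depending on op_type); this hunk also removes the `fail` guard that previously rejected documents without a `json` object, so malformed input can now reach this processor. Gate the processor on the id instead: `if: ctx.json?.id != null` in place of `ignore_missing: true`, so id-less documents fall back to an auto-generated `_id`. If rejecting non-JSON input is still intended, keeping the `fail` processor (or an equivalent `drop`) would be clearer than relying on every later `ctx.json?.` null-safe access.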
@@ -24,14 +26,21 @@ processors:
field: event.type
value: indicator
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] Anomali ThreatStream"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
+
#
- # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type).
#
- script:
lang: painless
if: "ctx.json.itype != null"
description: >
- Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type).
params:
actor_ip: ipv4-addr
adware_domain: domain-name
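Review bot: The condition `if: "ctx.json.itype != null"` on the itype-mapping script still dereferences `ctx.json` without the null-safe operator, while comparable conditions elsewhere in this commit are rewritten to `ctx.json?.field`; with the leading `fail` guard removed in this same pipeline, a document without a `json` object now throws a NullPointerException in this condition instead of being rejected cleanly. Change it to `if: "ctx.json?.itype != null"` for consistency with the rest of the pipeline. The script's `params` and `source` continue past the end of this hunk.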
@@ -125,26 +134,26 @@ processors:
- rename:
field: threatintel_indicator_type
- target_field: threatintel.indicator.type
+ target_field: threat.indicator.type
ignore_missing: true
#
# Detect ipv6 for ipv4-addr types.
#
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: ipv6-addr
- if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")'
+ if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json?.srcip != null && ctx.json.srcip.contains(":")'
#
# Map first and last seen dates.
#
- date:
field: json.date_first
- target_field: threatintel.indicator.first_seen
+ target_field: threat.indicator.first_seen
formats:
- ISO8601
- if: "ctx.json.date_first != null"
+ if: "ctx.json?.date_first != null"
on_failure:
- append:
field: error.message
@@ -152,10 +161,10 @@ processors:
- date:
field: json.date_last
- target_field: threatintel.indicator.last_seen
+ target_field: threat.indicator.last_seen
formats:
- ISO8601
- if: "ctx.json.date_last != null"
+ if: "ctx.json?.date_last != null"
on_failure:
- append:
field: error.message
@@ -166,18 +175,18 @@ processors:
#
- convert:
field: json.lat
- target_field: threatintel.indicator.geo.location.lat
+ target_field: threat.indicator.geo.location.lat
type: double
- if: "ctx.json.lat != null && ctx.json.lon != null"
+ if: "ctx.json?.lat != null && ctx.json?.lon != null"
on_failure:
- append:
field: error.message
value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}'
- convert:
field: json.lon
- target_field: threatintel.indicator.geo.location.lon
+ target_field: threat.indicator.geo.location.lon
type: double
- if: "ctx.json.lat != null && ctx.json.lon != null"
+ if: "ctx.json?.lat != null && ctx.json?.lon != null"
on_failure:
- append:
field: error.message
@@ -190,25 +199,40 @@ processors:
# private => Amber ("Limited disclosure, restricted to participants’ organizations.").
#
- append:
- field: threatintel.indicator.marking.tlp
+ field: threat.indicator.marking.tlp
value: Amber
- if: 'ctx.json.classification == "private"'
+ if: 'ctx.json?.classification == "private"'
- append:
- field: threatintel.indicator.marking.tlp
+ field: threat.indicator.marking.tlp
value: White
- if: 'ctx.json.classification == "public"'
+ if: 'ctx.json?.classification == "public"'
#
# Convert confidence field (-1..100) to ECS confidence (0..10).
#
- script:
lang: painless
+ if: ctx.json?.confidence != null
description: >
Normalize confidence level.
source: >
def value = ctx.json.confidence;
- if (value == null || value < 0.0 || value > 100.0) return;
- ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0);
+ if (value <= 0.0 || value > 100.0) {
+ ctx["threatintel_indicator_confidence"] = "None";
+ return;
+ }
+ if (value >= 1.0 && value <= 29.0) {
+ ctx["threatintel_indicator_confidence"] = "Low";
+ return;
+ }
+ if (value >= 30.0 && value <= 69.0) {
+ ctx["threatintel_indicator_confidence"] = "Med";
+ return;
+ }
+ if (value >= 70 && value <= 100) {
+ ctx["threatintel_indicator_confidence"] = "High";
+ return;
+ }
on_failure:
- append:
field: error.message
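Review bot: The normalized confidence string `"Med"` is not one of the values ECS defines for `threat.indicator.confidence` (to my recollection ECS 1.12 lists `Not Specified`, `None`, `Low`, `Medium`, `High`), so dashboards and detection rules keyed on the ECS vocabulary will not match these documents; the assignment should read `ctx["threatintel_indicator_confidence"] = "Medium";`. The bands are closed integer intervals (1–29, 30–69, 70–100), so a non-integer confidence such as 29.5 falls through every branch and leaves the field unset, and values above 100 are mapped to `None` together with the vendor's -1 "unknown" sentinel — fine if Anomali only emits integers, but a comment stating that assumption would help. The unchanged `#` comment above the script still says `Convert confidence field (-1..100) to ECS confidence (0..10).`, which no longer describes the output; `to the ECS None/Low/Medium/High scale` would.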
@@ -216,7 +240,7 @@ processors:
- rename:
field: threatintel_indicator_confidence
- target_field: threatintel.indicator.confidence
+ target_field: threat.indicator.confidence
ignore_missing: true
#
@@ -224,7 +248,7 @@ processors:
#
- convert:
field: json.asn
- target_field: threatintel.indicator.as.number
+ target_field: threat.indicator.as.number
type: long
ignore_missing: true
on_failure:
@@ -234,41 +258,41 @@ processors:
- rename:
field: json.org
- target_field: threatintel.indicator.as.organization.name
+ target_field: threat.indicator.as.organization.name
ignore_missing: true
- rename:
field: json.email
- target_field: threatintel.indicator.email.address
+ target_field: threat.indicator.email.address
ignore_missing: true
- rename:
field: json.srcip
- target_field: threatintel.indicator.ip
+ target_field: threat.indicator.ip
ignore_missing: true
- uri_parts:
field: json.url
- target_field: threatintel.indicator.url
+ target_field: threat.indicator.url
keep_original: true
remove_if_successful: true
- if: "ctx.json.url != null"
+ if: "ctx.json?.url != null"
on_failure:
- append:
field: error.message
value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}"
- set:
- field: threatintel.indicator.url.full
- value: "{{{threatintel.indicator.url.original}}}"
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
ignore_empty_value: true
- rename:
field: json.domain
- target_field: threatintel.indicator.url.domain
+ target_field: threat.indicator.url.domain
ignore_missing: true
- if: ctx.threatintel?.indicator?.url?.domain == null
+ if: ctx.threat?.indicator?.url?.domain == null
- rename:
field: json.country
- target_field: threatintel.indicator.geo.country_iso_code
+ target_field: threat.indicator.geo.country_iso_code
ignore_missing: true
#
@@ -277,27 +301,27 @@ processors:
#
- rename:
field: json.md5
- target_field: threatintel.indicator.file.hash.md5
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 32"
+ target_field: threat.indicator.file.hash.md5
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 32"
- rename:
field: json.md5
- target_field: threatintel.indicator.file.hash.sha1
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 40"
+ target_field: threat.indicator.file.hash.sha1
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 40"
- rename:
field: json.md5
- target_field: threatintel.indicator.file.hash.sha256
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 64"
+ target_field: threat.indicator.file.hash.sha256
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 64"
- rename:
field: json.md5
- target_field: threatintel.indicator.file.hash.sha512
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 128"
+ target_field: threat.indicator.file.hash.sha512
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 128"
- rename:
field: json.source
- target_field: threatintel.indicator.provider
+ target_field: threat.indicator.provider
ignore_missing: true
#
@@ -310,22 +334,22 @@ processors:
- set:
field: event.severity
value: 3
- if: 'ctx.json.severity == "low"'
+ if: 'ctx.json?.severity == "low"'
- set:
field: event.severity
value: 5
- if: 'ctx.json.severity == "medium"'
+ if: 'ctx.json?.severity == "medium"'
- set:
field: event.severity
value: 7
- if: 'ctx.json.severity == "high"'
+ if: 'ctx.json?.severity == "high"'
- set:
field: event.severity
value: 9
- if: 'ctx.json.severity == "very-high"'
+ if: 'ctx.json?.severity == "very-high"'
#
# Field trusted_circles_ids is a comma-separated string
@@ -335,24 +359,16 @@ processors:
#
- script:
lang: painless
- if: "ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String"
+ if: "ctx.json?.trusted_circle_ids != null && ctx.json?.trusted_circle_ids instanceof String"
description: >
Convert trusted_circles_ids from CSV to an array.
source: >
- def lst =
- Stream.of(ctx.json.trusted_circle_ids.splitOnToken(","))
- .filter(s -> !s.isEmpty())
- .toArray(String[]::new);
- if (lst.length > 0) {
+ def lst = Stream.of(ctx.json.trusted_circle_ids.splitOnToken(',')).filter(s -> !s.isEmpty()).collect(Collectors.toList());
+ if (lst.size() > 0) {
ctx.json.trusted_circle_ids = lst;
} else {
ctx.json.remove('trusted_circle_ids');
}
- on_failure:
- - append:
- field: error.message
- value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}'
-
#
# Split detail field and append each component to ECS tags field.
#
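Review bot: The `on_failure` handler on the trusted_circle_ids script is deleted here while every other script and date/convert processor in this pipeline keeps one that appends to `error.message`, so any exception in the split now aborts ingestion of the whole document instead of recording the error and indexing the rest of the indicator. The `instanceof String` guard makes the split unlikely to throw, but no pipeline-level `on_failure` is visible from this hunk, so the loss of the handler is a regression in fault tolerance. Restoring it is three lines: `on_failure:` / `- append:` / `field: error.message` with `value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}'`. The `toArray(String[]::new)` → `collect(Collectors.toList())` change is behaviour-preserving for the `size() > 0` check.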
@@ -372,10 +388,33 @@ processors:
append:
field: tags
value: "{{{ _ingest._value }}}"
-
+ #
+ # Convert certain fields to the correct value
+ #
+ - convert:
+ field: json.id
+ type: string
+ if: "ctx.json?.id != null"
+ - convert:
+ field: json.source_feed_id
+ type: string
+ if: "ctx.json?.source_feed_id != null"
+ - convert:
+ field: json.update_id
+ type: string
+ if: "ctx.json?.update_id != null"
+ - convert:
+ field: json.import_session_id
+ type: string
+ if: "ctx.json?.import_session_id != null"
#
# Remove fields converted to an ECS field.
#
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- remove:
field:
- json.asn
@@ -391,7 +430,7 @@ processors:
#
- rename:
field: json
- target_field: threatintel.anomalithreatstream
+ target_field: anomali.threatstream
on_failure:
- append:
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml
index de6faeea227..011e2bb553e 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml
@@ -8,13 +8,15 @@ var:
- name: listen_port
default: 8080
- name: secret
- - name: ssl_certificate
- - name: ssl_key
+ - name: ssl
- name: paths
default: /path/to/testing.log
- name: tags
default:
- threatintel-anomalithreatstream
+ - forwarded
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
index 21c627dde57..b101076a9e1 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
@@ -1,5 +1,20 @@
[
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 20,
+ "anomali.threatstream.detail2": "imported by user 184",
+ "anomali.threatstream.id": "3135167627",
+ "anomali.threatstream.import_session_id": "1400",
+ "anomali.threatstream.itype": "mal_domain",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46279656657/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3143",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "122"
+ ],
+ "anomali.threatstream.update_id": "3786618776",
+ "anomali.threatstream.value_type": "domain",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -11,39 +26,44 @@
"log.offset": 0,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 20,
- "threatintel.anomalithreatstream.detail2": "imported by user 184",
- "threatintel.anomalithreatstream.id": 3135167627,
- "threatintel.anomalithreatstream.import_session_id": 1400,
- "threatintel.anomalithreatstream.itype": "mal_domain",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46279656657/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3143,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "122"
- ],
- "threatintel.anomalithreatstream.update_id": 3786618776,
- "threatintel.anomalithreatstream.value_type": "domain",
- "threatintel.indicator.as.organization.name": "OVH Hosting",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-08T12:21:50.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.geo.location.lat": -49.1,
- "threatintel.indicator.geo.location.lon": 94.4,
- "threatintel.indicator.ip": "203.0.113.35",
- "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.organization.name": "OVH Hosting",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-08T12:21:50.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.geo.location.lat": -49.1,
+ "threat.indicator.geo.location.lon": 94.4,
+ "threat.indicator.ip": "203.0.113.35",
+ "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "d4xgfj.example.net"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "d4xgfj.example.net"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 51,
+ "anomali.threatstream.detail2": "imported by user 979",
+ "anomali.threatstream.id": "2465691587",
+ "anomali.threatstream.import_session_id": "1934",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26893014825/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "639",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "355",
+ "386",
+ "461"
+ ],
+ "anomali.threatstream.update_id": "3311633654",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -55,40 +75,42 @@
"log.offset": 575,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 51,
- "threatintel.anomalithreatstream.detail2": "imported by user 979",
- "threatintel.anomalithreatstream.id": 2465691587,
- "threatintel.anomalithreatstream.import_session_id": 1934,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26893014825/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 639,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "355",
- "386",
- "461"
- ],
- "threatintel.anomalithreatstream.update_id": 3311633654,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-08T12:21:59.000Z",
- "threatintel.indicator.geo.country_iso_code": "RU",
- "threatintel.indicator.geo.location.lat": -51.2,
- "threatintel.indicator.geo.location.lon": -64.7,
- "threatintel.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894",
- "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-08T12:21:59.000Z",
+ "threat.indicator.geo.country_iso_code": "RU",
+ "threat.indicator.geo.location.lat": -51.2,
+ "threat.indicator.geo.location.lon": -64.7,
+ "threat.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894",
+ "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv6-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv6-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 24,
+ "anomali.threatstream.detail2": "imported by user 830",
+ "anomali.threatstream.id": "1886961414",
+ "anomali.threatstream.import_session_id": "3569",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16938191113/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2564",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "740",
+ "954"
+ ],
+ "anomali.threatstream.update_id": "1860329541",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -100,40 +122,45 @@
"log.offset": 1163,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 24,
- "threatintel.anomalithreatstream.detail2": "imported by user 830",
- "threatintel.anomalithreatstream.id": 1886961414,
- "threatintel.anomalithreatstream.import_session_id": 3569,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16938191113/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2564,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "740",
- "954"
- ],
- "threatintel.anomalithreatstream.update_id": 1860329541,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.number": 22773,
- "threatintel.indicator.as.organization.name": "Cox Communications",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-08T12:22:11.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.geo.location.lat": 38.4,
- "threatintel.indicator.geo.location.lon": 0.0,
- "threatintel.indicator.ip": "192.0.2.8",
- "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.number": 22773,
+ "threat.indicator.as.organization.name": "Cox Communications",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-08T12:22:11.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.geo.location.lat": 38.4,
+ "threat.indicator.geo.location.lon": 0.0,
+ "threat.indicator.ip": "192.0.2.8",
+ "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 56,
+ "anomali.threatstream.detail2": "imported by user 723",
+ "anomali.threatstream.id": "1785659799",
+ "anomali.threatstream.import_session_id": "244",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.md5": "6466e2",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44706407813/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "3759",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "439",
+ "801",
+ "942"
+ ],
+ "anomali.threatstream.update_id": "3898969521",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -145,36 +172,38 @@
"log.offset": 1720,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 56,
- "threatintel.anomalithreatstream.detail2": "imported by user 723",
- "threatintel.anomalithreatstream.id": 1785659799,
- "threatintel.anomalithreatstream.import_session_id": 244,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.md5": "6466e2",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44706407813/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 3759,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "439",
- "801",
- "942"
- ],
- "threatintel.anomalithreatstream.update_id": 3898969521,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-08T12:22:16.000Z",
- "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-08T12:22:16.000Z",
+ "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 61,
+ "anomali.threatstream.detail2": "imported by user 16",
+ "anomali.threatstream.id": "2788278724",
+ "anomali.threatstream.import_session_id": "3146",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39996084337/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1834",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "310",
+ "553",
+ "709"
+ ],
+ "anomali.threatstream.update_id": "1925356831",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -186,41 +215,43 @@
"log.offset": 2195,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 61,
- "threatintel.anomalithreatstream.detail2": "imported by user 16",
- "threatintel.anomalithreatstream.id": 2788278724,
- "threatintel.anomalithreatstream.import_session_id": 3146,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39996084337/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1834,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "310",
- "553",
- "709"
- ],
- "threatintel.anomalithreatstream.update_id": 1925356831,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.number": 20001,
- "threatintel.indicator.as.organization.name": "Spectrum",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-08T12:28:50.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.geo.location.lat": -64.8,
- "threatintel.indicator.geo.location.lon": -129.3,
- "threatintel.indicator.ip": "192.0.2.235",
- "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.number": 20001,
+ "threat.indicator.as.organization.name": "Spectrum",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-08T12:28:50.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.geo.location.lat": -64.8,
+ "threat.indicator.geo.location.lon": -129.3,
+ "threat.indicator.ip": "192.0.2.235",
+ "threat.indicator.last_seen": "2020-10-09T18:49:37.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 31,
+ "anomali.threatstream.detail2": "imported by user 659",
+ "anomali.threatstream.id": "2979716207",
+ "anomali.threatstream.import_session_id": "2369",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24601068254/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2122",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "297",
+ "811"
+ ],
+ "anomali.threatstream.update_id": "1327494837",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -232,40 +263,44 @@
"log.offset": 2757,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 31,
- "threatintel.anomalithreatstream.detail2": "imported by user 659",
- "threatintel.anomalithreatstream.id": 2979716207,
- "threatintel.anomalithreatstream.import_session_id": 2369,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24601068254/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2122,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "297",
- "811"
- ],
- "threatintel.anomalithreatstream.update_id": 1327494837,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.number": 11351,
- "threatintel.indicator.as.organization.name": "Spectrum",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-08T12:29:01.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.geo.location.lat": 72.1,
- "threatintel.indicator.geo.location.lon": -52.2,
- "threatintel.indicator.ip": "2001:db8:df14:f43b:a986:5e2a:8ce9:4523",
- "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.number": 11351,
+ "threat.indicator.as.organization.name": "Spectrum",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-08T12:29:01.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.geo.location.lat": 72.1,
+ "threat.indicator.geo.location.lon": -52.2,
+ "threat.indicator.ip": "2001:db8:df14:f43b:a986:5e2a:8ce9:4523",
+ "threat.indicator.last_seen": "2020-10-09T18:49:37.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv6-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv6-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 72,
+ "anomali.threatstream.detail2": "imported by user 50",
+ "anomali.threatstream.id": "3763825895",
+ "anomali.threatstream.itype": "c2_domain",
+ "anomali.threatstream.maltype": "malware:r47agu9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P49850231022/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "967",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "238",
+ "259",
+ "537"
+ ],
+ "anomali.threatstream.update_id": "1356750652",
+ "anomali.threatstream.value_type": "domain",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -281,6 +316,7 @@
"Botnet-1QZ2U",
"Botnet-VXPC5QK8T",
"first_seen=2020-07-24T07:36:41",
+ "forwarded",
"mask=2001:db8:867f:42a1:d692:b396:4f14:548c",
"popularity=high",
"popularity=high",
@@ -288,35 +324,37 @@
"threatintel-anomalithreatstream",
"type=2"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 72,
- "threatintel.anomalithreatstream.detail2": "imported by user 50",
- "threatintel.anomalithreatstream.id": 3763825895,
- "threatintel.anomalithreatstream.itype": "c2_domain",
- "threatintel.anomalithreatstream.maltype": "malware:r47agu9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P49850231022/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 967,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "238",
- "259",
- "537"
- ],
- "threatintel.anomalithreatstream.update_id": 1356750652,
- "threatintel.anomalithreatstream.value_type": "domain",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:14:43.000Z",
- "threatintel.indicator.ip": "203.0.113.130",
- "threatintel.indicator.last_seen": "2020-10-09T18:14:43.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:14:43.000Z",
+ "threat.indicator.ip": "203.0.113.130",
+ "threat.indicator.last_seen": "2020-10-09T18:14:43.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "ei1im6skd.example.com"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "ei1im6skd.example.com"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 60,
+ "anomali.threatstream.detail2": "imported by user 167",
+ "anomali.threatstream.id": "3178646499",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.md5": "0f321db9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35792781031/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1743",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "112",
+ "455",
+ "761"
+ ],
+ "anomali.threatstream.update_id": "1585930018",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -328,35 +366,37 @@
"log.offset": 4049,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 60,
- "threatintel.anomalithreatstream.detail2": "imported by user 167",
- "threatintel.anomalithreatstream.id": 3178646499,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.md5": "0f321db9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35792781031/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1743,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "112",
- "455",
- "761"
- ],
- "threatintel.anomalithreatstream.update_id": 1585930018,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:10.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:10.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:10.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:10.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 70,
+ "anomali.threatstream.detail2": "imported by user 654",
+ "anomali.threatstream.id": "2435568409",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:9rb9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41264495308/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3940",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "633",
+ "641"
+ ],
+ "anomali.threatstream.update_id": "2070423140",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -368,43 +408,46 @@
"log.offset": 4495,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"jn5jpvg",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 70,
- "threatintel.anomalithreatstream.detail2": "imported by user 654",
- "threatintel.anomalithreatstream.id": 2435568409,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:9rb9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41264495308/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3940,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "633",
- "641"
- ],
- "threatintel.anomalithreatstream.update_id": 2070423140,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.236",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.236",
+ "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ax1a6o38z.example.org",
- "threatintel.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
- "threatintel.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
- "threatintel.indicator.url.path": "/enec3i/f1n8fv",
- "threatintel.indicator.url.query": "4shpqq9=fbo9osx8p",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ax1a6o38z.example.org",
+ "threat.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
+ "threat.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
+ "threat.indicator.url.path": "/enec3i/f1n8fv",
+ "threat.indicator.url.query": "4shpqq9=fbo9osx8p",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 35,
+ "anomali.threatstream.detail2": "imported by user 81",
+ "anomali.threatstream.id": "1404936664",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:4p1lc0bf",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P22799247040/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2236",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "424",
+ "718"
+ ],
+ "anomali.threatstream.update_id": "2151391711",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -417,43 +460,46 @@
"service.type": "threatintel",
"tags": [
"7zhsn5t7",
+ "forwarded",
"threatintel-anomalithreatstream",
"xl4"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 35,
- "threatintel.anomalithreatstream.detail2": "imported by user 81",
- "threatintel.anomalithreatstream.id": 1404936664,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:4p1lc0bf",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P22799247040/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2236,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "424",
- "718"
- ],
- "threatintel.anomalithreatstream.update_id": 2151391711,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.geo.country_iso_code": "CN",
- "threatintel.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.geo.country_iso_code": "CN",
+ "threat.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d",
+ "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "beko3.example.com",
- "threatintel.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
- "threatintel.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
- "threatintel.indicator.url.path": "/vkelnz/jdz6zf-ga",
- "threatintel.indicator.url.query": "g39fu=88309ge",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "beko3.example.com",
+ "threat.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
+ "threat.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
+ "threat.indicator.url.path": "/vkelnz/jdz6zf-ga",
+ "threat.indicator.url.query": "g39fu=88309ge",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 7,
+ "anomali.threatstream.detail2": "imported by user 993",
+ "anomali.threatstream.id": "1300368058",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:s7-t",
+ "anomali.threatstream.md5": "b91c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43593676062/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1581",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "812"
+ ],
+ "anomali.threatstream.update_id": "1852221746",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -467,34 +513,39 @@
"tags": [
"aampq5",
"d6-",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 7,
- "threatintel.anomalithreatstream.detail2": "imported by user 993",
- "threatintel.anomalithreatstream.id": 1300368058,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:s7-t",
- "threatintel.anomalithreatstream.md5": "b91c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43593676062/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1581,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "812"
- ],
- "threatintel.anomalithreatstream.update_id": 1852221746,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:22.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:22.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:30:22.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:22.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 63,
+ "anomali.threatstream.detail2": "imported by user 963",
+ "anomali.threatstream.id": "1511736215",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:0vnvp84",
+ "anomali.threatstream.md5": "3c49c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47666251160/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1695",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "29",
+ "537",
+ "879"
+ ],
+ "anomali.threatstream.update_id": "3048270616",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -507,36 +558,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 63,
- "threatintel.anomalithreatstream.detail2": "imported by user 963",
- "threatintel.anomalithreatstream.id": 1511736215,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:0vnvp84",
- "threatintel.anomalithreatstream.md5": "3c49c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47666251160/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1695,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "29",
- "537",
- "879"
- ],
- "threatintel.anomalithreatstream.update_id": 3048270616,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:23.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:23.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:23.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:23.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 95,
+ "anomali.threatstream.detail2": "imported by user 302",
+ "anomali.threatstream.id": "2213035853",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:25iv",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11608678465/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "787",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "154",
+ "766"
+ ],
+ "anomali.threatstream.update_id": "2851232102",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
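Review bot: The new `"threat.indicator.confidence": "Med"` emitted for the confidence-63 record in this hunk is not one of the ECS expected values for `threat.indicator.confidence` (Not Specified, None, Low, Medium, High), so any dashboard, detection rule or cross-feed correlation keyed on the ECS vocabulary will silently miss these events; the same `Med` label recurs in the later hunks for the 54, 34, 56 and 51 confidence records. The bucketing (0 and -1 → `None`, 2–18 → `Low`, 34–63 → `Med`, 78–95 → `High`) can only be inferred from these fixtures, so the thresholds should be documented in the ingest pipeline that produces them rather than living only in this golden file. Anomali's `-1` looks like an unset confidence rather than zero confidence, and mapping it to `None` together with `0` conflates the two — `Not Specified` seems the closer ECS value, but confirm against the vendor field semantics. If `Med` is deliberate, a comment in the pipeline such as `// NOTE: "Med" intentionally diverges from the ECS value "Medium"` would stop the next reviewer from raising it again.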
@@ -549,42 +601,46 @@
"service.type": "threatintel",
"tags": [
"22nciqjs",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 95,
- "threatintel.anomalithreatstream.detail2": "imported by user 302",
- "threatintel.anomalithreatstream.id": 2213035853,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:25iv",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11608678465/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 787,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "154",
- "766"
- ],
- "threatintel.anomalithreatstream.update_id": 2851232102,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 10,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:30.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.162",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:30.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:30:30.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.162",
+ "threat.indicator.last_seen": "2020-10-09T18:30:30.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "sevs82.example.com",
- "threatintel.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
- "threatintel.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
- "threatintel.indicator.url.path": "/c5-d/hdajog",
- "threatintel.indicator.url.query": "4rs78hl=wvwi",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "sevs82.example.com",
+ "threat.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
+ "threat.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
+ "threat.indicator.url.path": "/c5-d/hdajog",
+ "threat.indicator.url.query": "4rs78hl=wvwi",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 18,
+ "anomali.threatstream.detail2": "imported by user 548",
+ "anomali.threatstream.id": "2594216423",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:i6z9qr",
+ "anomali.threatstream.md5": "e29608b",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P32471582403/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1475",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "539",
+ "6"
+ ],
+ "anomali.threatstream.update_id": "2328838402",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -597,36 +653,38 @@
"service.type": "threatintel",
"tags": [
"26sg-3-",
+ "forwarded",
"threatintel-anomalithreatstream",
"vnx4nu7c"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 18,
- "threatintel.anomalithreatstream.detail2": "imported by user 548",
- "threatintel.anomalithreatstream.id": 2594216423,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:i6z9qr",
- "threatintel.anomalithreatstream.md5": "e29608b",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P32471582403/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1475,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "539",
- "6"
- ],
- "threatintel.anomalithreatstream.update_id": 2328838402,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:37.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:30:37.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:37.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 54,
+ "anomali.threatstream.detail2": "imported by user 438",
+ "anomali.threatstream.id": "1133111133",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:4rs9qpc1",
+ "anomali.threatstream.md5": "c38d2e6d",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20539380512/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3600",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "762"
+ ],
+ "anomali.threatstream.update_id": "1784507596",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -639,34 +697,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 54,
- "threatintel.anomalithreatstream.detail2": "imported by user 438",
- "threatintel.anomalithreatstream.id": 1133111133,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:4rs9qpc1",
- "threatintel.anomalithreatstream.md5": "c38d2e6d",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20539380512/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3600,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "762"
- ],
- "threatintel.anomalithreatstream.update_id": 1784507596,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:40.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:40.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:40.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:40.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 78,
+ "anomali.threatstream.detail2": "imported by user 690",
+ "anomali.threatstream.id": "2543010039",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:ghdl7nwwq",
+ "anomali.threatstream.md5": "67808c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16167095005/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "926",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "751"
+ ],
+ "anomali.threatstream.update_id": "2343991526",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -679,35 +740,40 @@
"service.type": "threatintel",
"tags": [
"8ahl",
+ "forwarded",
"ica",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 78,
- "threatintel.anomalithreatstream.detail2": "imported by user 690",
- "threatintel.anomalithreatstream.id": 2543010039,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:ghdl7nwwq",
- "threatintel.anomalithreatstream.md5": "67808c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16167095005/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 926,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "751"
- ],
- "threatintel.anomalithreatstream.update_id": 2343991526,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:45.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:45.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:30:45.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:45.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 0,
+ "anomali.threatstream.detail2": "imported by user 517",
+ "anomali.threatstream.id": "3233930917",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:m5pk44o",
+ "anomali.threatstream.md5": "efa99",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15758111412/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2010",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "390",
+ "519",
+ "909"
+ ],
+ "anomali.threatstream.update_id": "3008175946",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -719,38 +785,41 @@
"log.offset": 8774,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"gyu-",
"iop",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 0,
- "threatintel.anomalithreatstream.detail2": "imported by user 517",
- "threatintel.anomalithreatstream.id": 3233930917,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:m5pk44o",
- "threatintel.anomalithreatstream.md5": "efa99",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15758111412/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2010,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "390",
- "519",
- "909"
- ],
- "threatintel.anomalithreatstream.update_id": 3008175946,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 0,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:54.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:54.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:30:54.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:54.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 34,
+ "anomali.threatstream.detail2": "imported by user 303",
+ "anomali.threatstream.id": "1777540600",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:-fesxy",
+ "anomali.threatstream.md5": "e8c1",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13990676648/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3201",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "109",
+ "621",
+ "718"
+ ],
+ "anomali.threatstream.update_id": "2404949482",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -763,36 +832,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 34,
- "threatintel.anomalithreatstream.detail2": "imported by user 303",
- "threatintel.anomalithreatstream.id": 1777540600,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:-fesxy",
- "threatintel.anomalithreatstream.md5": "e8c1",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13990676648/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3201,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "109",
- "621",
- "718"
- ],
- "threatintel.anomalithreatstream.update_id": 2404949482,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:59.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:59.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:59.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:59.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 15,
+ "anomali.threatstream.detail2": "imported by user 219",
+ "anomali.threatstream.id": "2796250594",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:c1b7kt7",
+ "anomali.threatstream.md5": "be24",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13506696048/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3205",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "559"
+ ],
+ "anomali.threatstream.update_id": "3529199846",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -805,34 +875,39 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 15,
- "threatintel.anomalithreatstream.detail2": "imported by user 219",
- "threatintel.anomalithreatstream.id": 2796250594,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:c1b7kt7",
- "threatintel.anomalithreatstream.md5": "be24",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13506696048/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3205,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "559"
- ],
- "threatintel.anomalithreatstream.update_id": 3529199846,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:10.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:10.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:31:10.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:10.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 56,
+ "anomali.threatstream.detail2": "imported by user 762",
+ "anomali.threatstream.id": "2310429917",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:slwl",
+ "anomali.threatstream.md5": "a2678fc",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35629727989/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "885",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "190",
+ "495",
+ "959"
+ ],
+ "anomali.threatstream.update_id": "3510871820",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -845,36 +920,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 56,
- "threatintel.anomalithreatstream.detail2": "imported by user 762",
- "threatintel.anomalithreatstream.id": 2310429917,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:slwl",
- "threatintel.anomalithreatstream.md5": "a2678fc",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35629727989/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 885,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "190",
- "495",
- "959"
- ],
- "threatintel.anomalithreatstream.update_id": 3510871820,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:16.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:16.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:31:16.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:16.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 11,
+ "anomali.threatstream.detail2": "imported by user 616",
+ "anomali.threatstream.id": "2853859039",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:voc",
+ "anomali.threatstream.md5": "2ee715a9b",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39948074871/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "586",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "454",
+ "562"
+ ],
+ "anomali.threatstream.update_id": "3756244435",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -887,35 +964,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 11,
- "threatintel.anomalithreatstream.detail2": "imported by user 616",
- "threatintel.anomalithreatstream.id": 2853859039,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:voc",
- "threatintel.anomalithreatstream.md5": "2ee715a9b",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39948074871/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 586,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "454",
- "562"
- ],
- "threatintel.anomalithreatstream.update_id": 3756244435,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:22.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:22.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:31:22.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:22.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 51,
+ "anomali.threatstream.detail2": "imported by user 510",
+ "anomali.threatstream.id": "2328858169",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:yuq33pg5",
+ "anomali.threatstream.md5": "e1df8d",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30902643017/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "826",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "362",
+ "846"
+ ],
+ "anomali.threatstream.update_id": "1410682100",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -928,39 +1008,41 @@
"service.type": "threatintel",
"tags": [
"etukwxhs",
+ "forwarded",
"g0vc9",
"gcgm1we6l",
"mask=203.0.113.182",
"threat=bm-uj8c12",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 51,
- "threatintel.anomalithreatstream.detail2": "imported by user 510",
- "threatintel.anomalithreatstream.id": 2328858169,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:yuq33pg5",
- "threatintel.anomalithreatstream.md5": "e1df8d",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30902643017/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 826,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "362",
- "846"
- ],
- "threatintel.anomalithreatstream.update_id": 1410682100,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:27.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:27.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:31:27.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:27.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 14",
+ "anomali.threatstream.id": "1145199430",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:qc6c9qt",
+ "anomali.threatstream.md5": "9006d07f",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14842247088/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1793",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "305"
+ ],
+ "anomali.threatstream.update_id": "1592676961",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -973,33 +1055,36 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 14",
- "threatintel.anomalithreatstream.id": 1145199430,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:qc6c9qt",
- "threatintel.anomalithreatstream.md5": "9006d07f",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14842247088/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1793,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "305"
- ],
- "threatintel.anomalithreatstream.update_id": 1592676961,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.first_seen": "2020-10-09T18:31:29.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:29.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:31:29.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:29.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 2,
+ "anomali.threatstream.detail2": "imported by user 600",
+ "anomali.threatstream.id": "1726466938",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:t52oo3",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39735553093/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1965",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "553"
+ ],
+ "anomali.threatstream.update_id": "2718905308",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1011,42 +1096,46 @@
"log.offset": 12237,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"g1wn0g",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 2,
- "threatintel.anomalithreatstream.detail2": "imported by user 600",
- "threatintel.anomalithreatstream.id": 1726466938,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:t52oo3",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39735553093/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1965,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "553"
- ],
- "threatintel.anomalithreatstream.update_id": 2718905308,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 0,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:34.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.229",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:34.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:31:34.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.229",
+ "threat.indicator.last_seen": "2020-10-09T18:31:34.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "faahk3drf.example.net",
- "threatintel.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz",
- "threatintel.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz",
- "threatintel.indicator.url.path": "/julf98x5/0g1t8f",
- "threatintel.indicator.url.query": "cbffxs2qv=vwgz",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "faahk3drf.example.net",
+ "threat.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz",
+ "threat.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz",
+ "threat.indicator.url.path": "/julf98x5/0g1t8f",
+ "threat.indicator.url.query": "cbffxs2qv=vwgz",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 71,
+ "anomali.threatstream.detail2": "imported by user 976",
+ "anomali.threatstream.id": "1457264389",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:nx1qwwprl",
+ "anomali.threatstream.md5": "f5d",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20794801988/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1437",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "866"
+ ],
+ "anomali.threatstream.update_id": "2310970191",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1059,35 +1148,40 @@
"service.type": "threatintel",
"tags": [
"6rblg",
+ "forwarded",
"pzs4xlqy",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 71,
- "threatintel.anomalithreatstream.detail2": "imported by user 976",
- "threatintel.anomalithreatstream.id": 1457264389,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:nx1qwwprl",
- "threatintel.anomalithreatstream.md5": "f5d",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20794801988/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1437,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "866"
- ],
- "threatintel.anomalithreatstream.update_id": 2310970191,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:36.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:36.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:31:36.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:36.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 70,
+ "anomali.threatstream.detail2": "imported by user 761",
+ "anomali.threatstream.id": "3532094043",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:k1y",
+ "anomali.threatstream.md5": "cfd9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48760414603/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2198",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "68",
+ "70",
+ "789"
+ ],
+ "anomali.threatstream.update_id": "1487534287",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1100,36 +1194,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 70,
- "threatintel.anomalithreatstream.detail2": "imported by user 761",
- "threatintel.anomalithreatstream.id": 3532094043,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:k1y",
- "threatintel.anomalithreatstream.md5": "cfd9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48760414603/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2198,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "68",
- "70",
- "789"
- ],
- "threatintel.anomalithreatstream.update_id": 1487534287,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:39.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:39.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:31:39.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:39.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 23,
+ "anomali.threatstream.detail2": "imported by user 680",
+ "anomali.threatstream.id": "1753194968",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:ixlyb",
+ "anomali.threatstream.md5": "93daa",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36997562731/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2101",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "15"
+ ],
+ "anomali.threatstream.update_id": "1772862647",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1142,35 +1237,38 @@
"service.type": "threatintel",
"tags": [
"6rw",
+ "forwarded",
"g80r1d4sj",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 23,
- "threatintel.anomalithreatstream.detail2": "imported by user 680",
- "threatintel.anomalithreatstream.id": 1753194968,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:ixlyb",
- "threatintel.anomalithreatstream.md5": "93daa",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36997562731/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2101,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "15"
- ],
- "threatintel.anomalithreatstream.update_id": 1772862647,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:43.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:43.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:31:43.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:31:43.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 0,
+ "anomali.threatstream.detail2": "imported by user 820",
+ "anomali.threatstream.id": "3285278133",
+ "anomali.threatstream.itype": "scan_ip",
+ "anomali.threatstream.maltype": "malware:1u76t",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45121980169/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1152",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "390",
+ "7"
+ ],
+ "anomali.threatstream.update_id": "2657969647",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1183,36 +1281,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 0,
- "threatintel.anomalithreatstream.detail2": "imported by user 820",
- "threatintel.anomalithreatstream.id": 3285278133,
- "threatintel.anomalithreatstream.itype": "scan_ip",
- "threatintel.anomalithreatstream.maltype": "malware:1u76t",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45121980169/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1152,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "390",
- "7"
- ],
- "threatintel.anomalithreatstream.update_id": 2657969647,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 0,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z",
- "threatintel.indicator.geo.country_iso_code": "DE",
- "threatintel.indicator.ip": "192.0.2.219",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z",
+ "threat.indicator.geo.country_iso_code": "DE",
+ "threat.indicator.ip": "192.0.2.219",
+ "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 45,
+ "anomali.threatstream.detail2": "imported by user 894",
+ "anomali.threatstream.id": "2098390184",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:hc-wh",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33231447204/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3354",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "846"
+ ],
+ "anomali.threatstream.update_id": "2110937414",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1224,42 +1324,46 @@
"log.offset": 14812,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"om0z7",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 45,
- "threatintel.anomalithreatstream.detail2": "imported by user 894",
- "threatintel.anomalithreatstream.id": 2098390184,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:hc-wh",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33231447204/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3354,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "846"
- ],
- "threatintel.anomalithreatstream.update_id": 2110937414,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.208",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.208",
+ "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "p9okf0.example.org",
- "threatintel.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d",
- "threatintel.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d",
- "threatintel.indicator.url.path": "/jyb3n8f/f55vfyt48",
- "threatintel.indicator.url.query": "s2n=0t2d",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "p9okf0.example.org",
+ "threat.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d",
+ "threat.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d",
+ "threat.indicator.url.path": "/jyb3n8f/f55vfyt48",
+ "threat.indicator.url.query": "s2n=0t2d",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 34,
+ "anomali.threatstream.detail2": "imported by user 747",
+ "anomali.threatstream.id": "3367490507",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:0ua9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34959401147/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "959",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "404",
+ "574"
+ ],
+ "anomali.threatstream.update_id": "2335801340",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
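Review bot: The normalized label `"threat.indicator.confidence": "Med"` on the new side of this hunk (and likewise in the hunks headed `@@ -1272,42 +1376,47 @@`, `@@ -1403,36 +1518,38 @@`, `@@ -1445,35 +1562,39 @@` and `@@ -1486,36 +1607,38 @@`) does not appear to be an ECS-listed value; to my recollection the ECS expected values for `threat.indicator.confidence` are `Not Specified`, `None`, `Low`, `Medium` and `High`, so consumers keyed on ECS (detection rules, dashboards, cross-feed correlation) would expect `"threat.indicator.confidence": "Medium"` here. The numeric-to-label thresholds visible across the fixture (0 → None, 2–23 → Low, 31–50 → Med, 70–85 → High) are consistent with the STIX 2.1 Appendix A scale, so only the spelling of the middle label is in question, not the bucketing. Since this file is a generated expected-output fixture, the change belongs in the ingest pipeline script that emits the label (outside this diff) with the fixture regenerated afterwards; please confirm against the ECS schema version this release targets before changing it.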
@@ -1272,42 +1376,47 @@
"service.type": "threatintel",
"tags": [
"adeba89",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 34,
- "threatintel.anomalithreatstream.detail2": "imported by user 747",
- "threatintel.anomalithreatstream.id": 3367490507,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:0ua9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34959401147/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 959,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "404",
- "574"
- ],
- "threatintel.anomalithreatstream.update_id": 2335801340,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:31:58.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.105",
- "threatintel.indicator.last_seen": "2020-10-09T18:31:58.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:31:58.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.105",
+ "threat.indicator.last_seen": "2020-10-09T18:31:58.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "fxkeo24m.example.com",
- "threatintel.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4",
- "threatintel.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4",
- "threatintel.indicator.url.path": "/y75tg7sw/jnnu9xmc",
- "threatintel.indicator.url.query": "apus=ob1hnba4",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "fxkeo24m.example.com",
+ "threat.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4",
+ "threat.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4",
+ "threat.indicator.url.path": "/y75tg7sw/jnnu9xmc",
+ "threat.indicator.url.query": "apus=ob1hnba4",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 14,
+ "anomali.threatstream.detail2": "imported by user 604",
+ "anomali.threatstream.id": "1998649659",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:s0anj",
+ "anomali.threatstream.md5": "b4dd5cf7",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21831217400/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1405",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "422",
+ "749",
+ "852"
+ ],
+ "anomali.threatstream.update_id": "1339527388",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1320,36 +1429,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 14,
- "threatintel.anomalithreatstream.detail2": "imported by user 604",
- "threatintel.anomalithreatstream.id": 1998649659,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:s0anj",
- "threatintel.anomalithreatstream.md5": "b4dd5cf7",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21831217400/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1405,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "422",
- "749",
- "852"
- ],
- "threatintel.anomalithreatstream.update_id": 1339527388,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:02.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:02.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:32:02.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:32:02.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 85,
+ "anomali.threatstream.detail2": "imported by user 386",
+ "anomali.threatstream.id": "3005939184",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:hn5uajghq",
+ "anomali.threatstream.md5": "b890cdad",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23229581043/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "652",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "120"
+ ],
+ "anomali.threatstream.update_id": "1316735853",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1362,35 +1472,40 @@
"service.type": "threatintel",
"tags": [
"a-e8lz",
+ "forwarded",
"nj3f",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 85,
- "threatintel.anomalithreatstream.detail2": "imported by user 386",
- "threatintel.anomalithreatstream.id": 3005939184,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:hn5uajghq",
- "threatintel.anomalithreatstream.md5": "b890cdad",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23229581043/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 652,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "120"
- ],
- "threatintel.anomalithreatstream.update_id": 1316735853,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:03.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:03.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:32:03.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:32:03.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 31,
+ "anomali.threatstream.detail2": "imported by user 706",
+ "anomali.threatstream.id": "1900495748",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:3taf",
+ "anomali.threatstream.md5": "817",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35660572297/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "506",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "718",
+ "828",
+ "98"
+ ],
+ "anomali.threatstream.update_id": "3243777736",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1403,36 +1518,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 31,
- "threatintel.anomalithreatstream.detail2": "imported by user 706",
- "threatintel.anomalithreatstream.id": 1900495748,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:3taf",
- "threatintel.anomalithreatstream.md5": "817",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35660572297/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 506,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "718",
- "828",
- "98"
- ],
- "threatintel.anomalithreatstream.update_id": 3243777736,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:04.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:04.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:32:04.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:32:04.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 50,
+ "anomali.threatstream.detail2": "imported by user 222",
+ "anomali.threatstream.id": "1040883425",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:wsge",
+ "anomali.threatstream.md5": "a06b",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33297645928/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "146",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "539",
+ "959"
+ ],
+ "anomali.threatstream.update_id": "1284922297",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1445,35 +1562,39 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 50,
- "threatintel.anomalithreatstream.detail2": "imported by user 222",
- "threatintel.anomalithreatstream.id": 1040883425,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:wsge",
- "threatintel.anomalithreatstream.md5": "a06b",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33297645928/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 146,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "539",
- "959"
- ],
- "threatintel.anomalithreatstream.update_id": 1284922297,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:08.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:08.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:32:08.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:32:08.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 50,
+ "anomali.threatstream.detail2": "imported by user 414",
+ "anomali.threatstream.id": "1703603090",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:yid8n1",
+ "anomali.threatstream.md5": "ebd6108",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25381157923/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "294",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "124",
+ "394",
+ "820"
+ ],
+ "anomali.threatstream.update_id": "1405107391",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1486,36 +1607,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 50,
- "threatintel.anomalithreatstream.detail2": "imported by user 414",
- "threatintel.anomalithreatstream.id": 1703603090,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:yid8n1",
- "threatintel.anomalithreatstream.md5": "ebd6108",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25381157923/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 294,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "124",
- "394",
- "820"
- ],
- "threatintel.anomalithreatstream.update_id": 1405107391,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:11.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:11.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:32:11.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:32:11.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 6,
+ "anomali.threatstream.detail2": "imported by user 872",
+ "anomali.threatstream.id": "1393798645",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:aeu2f0",
+ "anomali.threatstream.md5": "5afe0a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34100122259/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1256",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "386",
+ "980"
+ ],
+ "anomali.threatstream.update_id": "2194495180",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1528,35 +1651,36 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 6,
- "threatintel.anomalithreatstream.detail2": "imported by user 872",
- "threatintel.anomalithreatstream.id": 1393798645,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:aeu2f0",
- "threatintel.anomalithreatstream.md5": "5afe0a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34100122259/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1256,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "386",
- "980"
- ],
- "threatintel.anomalithreatstream.update_id": 2194495180,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:19.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:19.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:32:19.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:32:19.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 46,
+ "anomali.threatstream.detail2": "imported by user 237",
+ "anomali.threatstream.id": "3384379889",
+ "anomali.threatstream.itype": "scan_ip",
+ "anomali.threatstream.maltype": "malware:w3rx",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P38445847685/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "773",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "830"
+ ],
+ "anomali.threatstream.update_id": "2280522298",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1569,35 +1693,40 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 46,
- "threatintel.anomalithreatstream.detail2": "imported by user 237",
- "threatintel.anomalithreatstream.id": 3384379889,
- "threatintel.anomalithreatstream.itype": "scan_ip",
- "threatintel.anomalithreatstream.maltype": "malware:w3rx",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P38445847685/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 773,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "830"
- ],
- "threatintel.anomalithreatstream.update_id": 2280522298,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:30.000Z",
- "threatintel.indicator.geo.country_iso_code": "CN",
- "threatintel.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:30.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:32:30.000Z",
+ "threat.indicator.geo.country_iso_code": "CN",
+ "threat.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4",
+ "threat.indicator.last_seen": "2020-10-09T18:32:30.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv6-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv6-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 60,
+ "anomali.threatstream.detail2": "imported by user 317",
+ "anomali.threatstream.id": "1291701932",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:upf65oc8",
+ "anomali.threatstream.md5": "758a81",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P40886917073/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2980",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "407",
+ "437"
+ ],
+ "anomali.threatstream.update_id": "1128332354",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1610,35 +1739,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 60,
- "threatintel.anomalithreatstream.detail2": "imported by user 317",
- "threatintel.anomalithreatstream.id": 1291701932,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:upf65oc8",
- "threatintel.anomalithreatstream.md5": "758a81",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P40886917073/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2980,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "407",
- "437"
- ],
- "threatintel.anomalithreatstream.update_id": 1128332354,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:32:35.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:32:35.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:32:35.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:32:35.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 352",
+ "anomali.threatstream.id": "3279148213",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:u0e",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37449871811/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "2315",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "29",
+ "817",
+ "831"
+ ],
+ "anomali.threatstream.update_id": "2267992225",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1650,43 +1782,47 @@
"log.offset": 19948,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream",
"ziqdk"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 352",
- "threatintel.anomalithreatstream.id": 3279148213,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:u0e",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37449871811/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 2315,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "29",
- "817",
- "831"
- ],
- "threatintel.anomalithreatstream.update_id": 2267992225,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.first_seen": "2020-10-09T18:33:10.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.16",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:10.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:33:10.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.16",
+ "threat.indicator.last_seen": "2020-10-09T18:33:10.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ke4ffyj5.example.com",
- "threatintel.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
- "threatintel.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
- "threatintel.indicator.url.path": "/t-9ikyrtt/ai91",
- "threatintel.indicator.url.query": "s6u=3y1",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ke4ffyj5.example.com",
+ "threat.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
+ "threat.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
+ "threat.indicator.url.path": "/t-9ikyrtt/ai91",
+ "threat.indicator.url.query": "s6u=3y1",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 42,
+ "anomali.threatstream.detail2": "imported by user 768",
+ "anomali.threatstream.id": "2138145846",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:-shiotjs",
+ "anomali.threatstream.md5": "c9b4",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24530928152/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "837",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "322",
+ "410"
+ ],
+ "anomali.threatstream.update_id": "3812327380",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1699,35 +1835,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 42,
- "threatintel.anomalithreatstream.detail2": "imported by user 768",
- "threatintel.anomalithreatstream.id": 2138145846,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:-shiotjs",
- "threatintel.anomalithreatstream.md5": "c9b4",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24530928152/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 837,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "322",
- "410"
- ],
- "threatintel.anomalithreatstream.update_id": 3812327380,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:13.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:13.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:13.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:13.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 25,
+ "anomali.threatstream.detail2": "imported by user 148",
+ "anomali.threatstream.id": "1502954738",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:c8f0r5d4",
+ "anomali.threatstream.md5": "ad0",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43216360516/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3786",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "520",
+ "695"
+ ],
+ "anomali.threatstream.update_id": "2085432040",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1740,35 +1879,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 25,
- "threatintel.anomalithreatstream.detail2": "imported by user 148",
- "threatintel.anomalithreatstream.id": 1502954738,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:c8f0r5d4",
- "threatintel.anomalithreatstream.md5": "ad0",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43216360516/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3786,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "520",
- "695"
- ],
- "threatintel.anomalithreatstream.update_id": 2085432040,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 56,
+ "anomali.threatstream.detail2": "imported by user 649",
+ "anomali.threatstream.id": "2730182815",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:2vsd1miq",
+ "anomali.threatstream.md5": "571957",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23842171060/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2923",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "127"
+ ],
+ "anomali.threatstream.update_id": "3768246717",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1781,34 +1922,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 56,
- "threatintel.anomalithreatstream.detail2": "imported by user 649",
- "threatintel.anomalithreatstream.id": 2730182815,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:2vsd1miq",
- "threatintel.anomalithreatstream.md5": "571957",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23842171060/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2923,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "127"
- ],
- "threatintel.anomalithreatstream.update_id": 3768246717,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 132",
+ "anomali.threatstream.id": "1649793681",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:d1q-sdovn",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13727067406/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1993",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "176",
+ "715",
+ "824"
+ ],
+ "anomali.threatstream.update_id": "3498000116",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1821,42 +1966,45 @@
"service.type": "threatintel",
"tags": [
"73d",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 132",
- "threatintel.anomalithreatstream.id": 1649793681,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:d1q-sdovn",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13727067406/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1993,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "176",
- "715",
- "824"
- ],
- "threatintel.anomalithreatstream.update_id": 3498000116,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.first_seen": "2020-10-09T18:33:22.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.154",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:22.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:33:22.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.154",
+ "threat.indicator.last_seen": "2020-10-09T18:33:22.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "rl27d.example.net",
- "threatintel.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
- "threatintel.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
- "threatintel.indicator.url.path": "/ko6/4rtt",
- "threatintel.indicator.url.query": "b12=o4mgzz2kk",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "rl27d.example.net",
+ "threat.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
+ "threat.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
+ "threat.indicator.url.path": "/ko6/4rtt",
+ "threat.indicator.url.query": "b12=o4mgzz2kk",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 48,
+ "anomali.threatstream.detail2": "imported by user 137",
+ "anomali.threatstream.id": "2195098028",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:886x",
+ "anomali.threatstream.md5": "7f4",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39956518309/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1936",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "469"
+ ],
+ "anomali.threatstream.update_id": "1238197737",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1869,35 +2017,38 @@
"service.type": "threatintel",
"tags": [
"e3mm2h",
+ "forwarded",
"knjq-wt",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 48,
- "threatintel.anomalithreatstream.detail2": "imported by user 137",
- "threatintel.anomalithreatstream.id": 2195098028,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:886x",
- "threatintel.anomalithreatstream.md5": "7f4",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39956518309/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1936,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "469"
- ],
- "threatintel.anomalithreatstream.update_id": 1238197737,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:24.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:24.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:24.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:24.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 62,
+ "anomali.threatstream.detail2": "imported by user 76",
+ "anomali.threatstream.id": "2273277634",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:eem8vy0",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28216636081/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2583",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "143",
+ "22"
+ ],
+ "anomali.threatstream.update_id": "3547953290",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1909,43 +2060,45 @@
"log.offset": 23077,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"rb2my5u7",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 62,
- "threatintel.anomalithreatstream.detail2": "imported by user 76",
- "threatintel.anomalithreatstream.id": 2273277634,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:eem8vy0",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28216636081/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2583,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "143",
- "22"
- ],
- "threatintel.anomalithreatstream.update_id": 3547953290,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:26.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.228",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:26.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:26.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.228",
+ "threat.indicator.last_seen": "2020-10-09T18:33:26.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "6ygk0y.example.com",
- "threatintel.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
- "threatintel.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
- "threatintel.indicator.url.path": "/t520/4twe",
- "threatintel.indicator.url.query": "ql4bhkpop=yfpkef",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "6ygk0y.example.com",
+ "threat.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
+ "threat.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
+ "threat.indicator.url.path": "/t520/4twe",
+ "threat.indicator.url.query": "ql4bhkpop=yfpkef",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 47,
+ "anomali.threatstream.detail2": "imported by user 304",
+ "anomali.threatstream.id": "1593951372",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:lrfqa",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P18416887501/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1922",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "281"
+ ],
+ "anomali.threatstream.update_id": "3726618139",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -1958,41 +2111,47 @@
"service.type": "threatintel",
"tags": [
"3jujb6j",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 47,
- "threatintel.anomalithreatstream.detail2": "imported by user 304",
- "threatintel.anomalithreatstream.id": 1593951372,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:lrfqa",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P18416887501/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1922,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "281"
- ],
- "threatintel.anomalithreatstream.update_id": 3726618139,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:27.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.38",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:27.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:27.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.38",
+ "threat.indicator.last_seen": "2020-10-09T18:33:27.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "rcsr9o.example.net",
- "threatintel.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
- "threatintel.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
- "threatintel.indicator.url.path": "/e6f/08b",
- "threatintel.indicator.url.query": "8d2y=d-42fr-",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "rcsr9o.example.net",
+ "threat.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
+ "threat.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
+ "threat.indicator.url.path": "/e6f/08b",
+ "threat.indicator.url.query": "8d2y=d-42fr-",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 578",
+ "anomali.threatstream.id": "2881597176",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:wpo",
+ "anomali.threatstream.md5": "89a0a684",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37162617510/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1312",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "450",
+ "588",
+ "873"
+ ],
+ "anomali.threatstream.update_id": "2444963851",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2006,35 +2165,39 @@
"tags": [
"2uu9b",
"f7ciq9",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 578",
- "threatintel.anomalithreatstream.id": 2881597176,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:wpo",
- "threatintel.anomalithreatstream.md5": "89a0a684",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37162617510/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1312,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "450",
- "588",
- "873"
- ],
- "threatintel.anomalithreatstream.update_id": 2444963851,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.first_seen": "2020-10-09T18:33:29.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:29.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:33:29.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:29.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 51,
+ "anomali.threatstream.detail2": "imported by user 347",
+ "anomali.threatstream.id": "1789877636",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:f7l",
+ "anomali.threatstream.md5": "a41f",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15884312830/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1250",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "299",
+ "501",
+ "551"
+ ],
+ "anomali.threatstream.update_id": "3210446946",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2047,36 +2210,39 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 51,
- "threatintel.anomalithreatstream.detail2": "imported by user 347",
- "threatintel.anomalithreatstream.id": 1789877636,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:f7l",
- "threatintel.anomalithreatstream.md5": "a41f",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15884312830/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1250,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "299",
- "501",
- "551"
- ],
- "threatintel.anomalithreatstream.update_id": 3210446946,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:43.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:43.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:43.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:43.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 56,
+ "anomali.threatstream.detail2": "imported by user 182",
+ "anomali.threatstream.id": "1300434967",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:5kjd",
+ "anomali.threatstream.md5": "d0f5f32",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44427200974/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1603",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "122",
+ "460",
+ "615"
+ ],
+ "anomali.threatstream.update_id": "2994196701",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
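Review bot: The regenerated expectation pins `"threat.indicator.confidence": "Med"` for the middle confidence band (here, and again at L33868 and L34068), but the ECS vocabulary for `threat.indicator.confidence` is `Not Specified`, `None`, `Low`, `Medium` and `High`, so any detection rule or dashboard that filters on the ECS value will silently miss these events. The conversion itself lives in the ingest pipeline outside this diff, so the fix is presumably to emit `"Medium"` there and regenerate this file rather than hand-edit the expected output. The `None`, `Low` and `High` labels in the neighbouring hunks already match the ECS vocabulary, so only the middle band is affected. The enclosing array element continues outside this hunk.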
@@ -2089,37 +2255,38 @@
"service.type": "threatintel",
"tags": [
"f5c6pl",
+ "forwarded",
"kpjt",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 56,
- "threatintel.anomalithreatstream.detail2": "imported by user 182",
- "threatintel.anomalithreatstream.id": 1300434967,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:5kjd",
- "threatintel.anomalithreatstream.md5": "d0f5f32",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44427200974/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1603,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "122",
- "460",
- "615"
- ],
- "threatintel.anomalithreatstream.update_id": 2994196701,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 79,
+ "anomali.threatstream.detail2": "imported by user 976",
+ "anomali.threatstream.id": "2448066635",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:7x9cgytj",
+ "anomali.threatstream.md5": "4f984375b",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15169037907/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "814",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "804"
+ ],
+ "anomali.threatstream.update_id": "2396481494",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2132,34 +2299,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 79,
- "threatintel.anomalithreatstream.detail2": "imported by user 976",
- "threatintel.anomalithreatstream.id": 2448066635,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:7x9cgytj",
- "threatintel.anomalithreatstream.md5": "4f984375b",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15169037907/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 814,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "804"
- ],
- "threatintel.anomalithreatstream.update_id": 2396481494,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 15,
+ "anomali.threatstream.detail2": "imported by user 408",
+ "anomali.threatstream.id": "1693329110",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:1l5tib0",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46598563676/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3431",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "301",
+ "374"
+ ],
+ "anomali.threatstream.update_id": "1425004305",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2172,42 +2342,47 @@
"service.type": "threatintel",
"tags": [
"5w8i",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 15,
- "threatintel.anomalithreatstream.detail2": "imported by user 408",
- "threatintel.anomalithreatstream.id": 1693329110,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:1l5tib0",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46598563676/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3431,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "301",
- "374"
- ],
- "threatintel.anomalithreatstream.update_id": 1425004305,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:48.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.115",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:48.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:33:48.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.115",
+ "threat.indicator.last_seen": "2020-10-09T18:33:48.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cc7d.example.com",
- "threatintel.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
- "threatintel.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
- "threatintel.indicator.url.path": "/kxxwobg/hd6omn",
- "threatintel.indicator.url.query": "tr8=essb",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cc7d.example.com",
+ "threat.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
+ "threat.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
+ "threat.indicator.url.path": "/kxxwobg/hd6omn",
+ "threat.indicator.url.query": "tr8=essb",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 35,
+ "anomali.threatstream.detail2": "imported by user 843",
+ "anomali.threatstream.id": "1522150430",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:8-8a",
+ "anomali.threatstream.md5": "9c67037e6",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28645937174/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2342",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "27",
+ "396",
+ "989"
+ ],
+ "anomali.threatstream.update_id": "3573181354",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2220,36 +2395,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 35,
- "threatintel.anomalithreatstream.detail2": "imported by user 843",
- "threatintel.anomalithreatstream.id": 1522150430,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:8-8a",
- "threatintel.anomalithreatstream.md5": "9c67037e6",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28645937174/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2342,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "27",
- "396",
- "989"
- ],
- "threatintel.anomalithreatstream.update_id": 3573181354,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:51.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:51.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:51.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:51.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 71,
+ "anomali.threatstream.detail2": "imported by user 831",
+ "anomali.threatstream.id": "1760436567",
+ "anomali.threatstream.itype": "scan_ip",
+ "anomali.threatstream.maltype": "malware:vy02k4",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14276852864/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "271",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "342",
+ "504"
+ ],
+ "anomali.threatstream.update_id": "1253389383",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2262,36 +2438,38 @@
"service.type": "threatintel",
"tags": [
"f3ctz7j",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 71,
- "threatintel.anomalithreatstream.detail2": "imported by user 831",
- "threatintel.anomalithreatstream.id": 1760436567,
- "threatintel.anomalithreatstream.itype": "scan_ip",
- "threatintel.anomalithreatstream.maltype": "malware:vy02k4",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14276852864/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 271,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "342",
- "504"
- ],
- "threatintel.anomalithreatstream.update_id": 1253389383,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:57.000Z",
- "threatintel.indicator.geo.country_iso_code": "VN",
- "threatintel.indicator.ip": "192.0.2.61",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:57.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:33:57.000Z",
+ "threat.indicator.geo.country_iso_code": "VN",
+ "threat.indicator.ip": "192.0.2.61",
+ "threat.indicator.last_seen": "2020-10-09T18:33:57.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 85,
+ "anomali.threatstream.detail2": "imported by user 650",
+ "anomali.threatstream.id": "1925240476",
+ "anomali.threatstream.itype": "scan_ip",
+ "anomali.threatstream.maltype": "malware:2bnikxoma",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15033658538/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1067",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "51"
+ ],
+ "anomali.threatstream.update_id": "1098288836",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2304,35 +2482,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 85,
- "threatintel.anomalithreatstream.detail2": "imported by user 650",
- "threatintel.anomalithreatstream.id": 1925240476,
- "threatintel.anomalithreatstream.itype": "scan_ip",
- "threatintel.anomalithreatstream.maltype": "malware:2bnikxoma",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15033658538/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1067,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "51"
- ],
- "threatintel.anomalithreatstream.update_id": 1098288836,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.geo.country_iso_code": "DE",
- "threatintel.indicator.ip": "192.0.2.233",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z",
+ "threat.indicator.geo.country_iso_code": "DE",
+ "threat.indicator.ip": "192.0.2.233",
+ "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 91,
+ "anomali.threatstream.detail2": "imported by user 489",
+ "anomali.threatstream.id": "3001806953",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:ak63t",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34696300225/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "782",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "484"
+ ],
+ "anomali.threatstream.update_id": "2722308334",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2344,42 +2525,45 @@
"log.offset": 28355,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream",
"v9ycq"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 91,
- "threatintel.anomalithreatstream.detail2": "imported by user 489",
- "threatintel.anomalithreatstream.id": 3001806953,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:ak63t",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34696300225/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 782,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "484"
- ],
- "threatintel.anomalithreatstream.update_id": 2722308334,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e",
+ "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "v9aqrp81q.example.net",
- "threatintel.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
- "threatintel.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
- "threatintel.indicator.url.path": "/psuj4bs/rvp",
- "threatintel.indicator.url.query": "qufy=ymryh",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "v9aqrp81q.example.net",
+ "threat.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
+ "threat.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
+ "threat.indicator.url.path": "/psuj4bs/rvp",
+ "threat.indicator.url.query": "qufy=ymryh",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 453",
+ "anomali.threatstream.id": "3933431319",
+ "anomali.threatstream.itype": "scan_ip",
+ "anomali.threatstream.maltype": "malware:ejrypgr",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46019487828/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1904",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "444"
+ ],
+ "anomali.threatstream.update_id": "3520784497",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2392,34 +2576,40 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 453",
- "threatintel.anomalithreatstream.id": 3933431319,
- "threatintel.anomalithreatstream.itype": "scan_ip",
- "threatintel.anomalithreatstream.maltype": "malware:ejrypgr",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46019487828/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1904,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "444"
- ],
- "threatintel.anomalithreatstream.update_id": 3520784497,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.geo.country_iso_code": "IN",
- "threatintel.indicator.ip": "192.0.2.234",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z",
+ "threat.indicator.geo.country_iso_code": "IN",
+ "threat.indicator.ip": "192.0.2.234",
+ "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 95,
+ "anomali.threatstream.detail2": "imported by user 722",
+ "anomali.threatstream.id": "1356788940",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:q4a",
+ "anomali.threatstream.md5": "a4fa",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30118085912/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3698",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "743",
+ "936"
+ ],
+ "anomali.threatstream.update_id": "3707298072",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2431,37 +2621,41 @@
"log.offset": 29493,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"qxwn7lw",
"threatintel-anomalithreatstream",
"xva1ki"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 95,
- "threatintel.anomalithreatstream.detail2": "imported by user 722",
- "threatintel.anomalithreatstream.id": 1356788940,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:q4a",
- "threatintel.anomalithreatstream.md5": "a4fa",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30118085912/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3698,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "743",
- "936"
- ],
- "threatintel.anomalithreatstream.update_id": 3707298072,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 10,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:02.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:02.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:02.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:02.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 6,
+ "anomali.threatstream.detail2": "imported by user 236",
+ "anomali.threatstream.id": "3804309005",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:2sclqws1s",
+ "anomali.threatstream.md5": "5e11299",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14689465586/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "342",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "50",
+ "642",
+ "948"
+ ],
+ "anomali.threatstream.update_id": "3749914856",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2473,38 +2667,39 @@
"log.offset": 29986,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"r81f4",
"threatintel-anomalithreatstream",
"wwsw"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 6,
- "threatintel.anomalithreatstream.detail2": "imported by user 236",
- "threatintel.anomalithreatstream.id": 3804309005,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:2sclqws1s",
- "threatintel.anomalithreatstream.md5": "5e11299",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14689465586/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 342,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "50",
- "642",
- "948"
- ],
- "threatintel.anomalithreatstream.update_id": 3749914856,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:05.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:05.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:05.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:05.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 15,
+ "anomali.threatstream.detail2": "imported by user 488",
+ "anomali.threatstream.id": "1022859708",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:9cfecc",
+ "anomali.threatstream.md5": "22315f8",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33092174596/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2811",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "1"
+ ],
+ "anomali.threatstream.update_id": "1637146862",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2517,34 +2712,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 15,
- "threatintel.anomalithreatstream.detail2": "imported by user 488",
- "threatintel.anomalithreatstream.id": 1022859708,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:9cfecc",
- "threatintel.anomalithreatstream.md5": "22315f8",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33092174596/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2811,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "1"
- ],
- "threatintel.anomalithreatstream.update_id": 1637146862,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:11.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:11.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:11.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:11.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 54,
+ "anomali.threatstream.detail2": "imported by user 310",
+ "anomali.threatstream.id": "1581368214",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:r7vbej",
+ "anomali.threatstream.md5": "d4a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28408487114/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1371",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "810",
+ "910"
+ ],
+ "anomali.threatstream.update_id": "1671617316",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2557,35 +2756,36 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 54,
- "threatintel.anomalithreatstream.detail2": "imported by user 310",
- "threatintel.anomalithreatstream.id": 1581368214,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:r7vbej",
- "threatintel.anomalithreatstream.md5": "d4a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28408487114/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1371,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "810",
- "910"
- ],
- "threatintel.anomalithreatstream.update_id": 1671617316,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:12.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:12.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:34:12.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:12.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 376",
+ "anomali.threatstream.id": "3576055846",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:0qqrz",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P27429039546/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1808",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "660"
+ ],
+ "anomali.threatstream.update_id": "2477226249",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
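Review bot: The new expected value `"threat.indicator.confidence": "Med"` (for the record with anomali confidence 54) does not match the ECS enumeration for threat.indicator.confidence, which lists `Medium` alongside the `None`, `Low` and `High` labels the rest of these fixtures already use, so consumers filtering on the ECS-documented value will miss these indicators. Since this is a golden file, the abbreviation is presumably emitted by the ingest pipeline's confidence-bucketing step rather than written by hand; the fix belongs there, with the fixture regenerated so the line reads `"threat.indicator.confidence": "Medium",`. The same value recurs in the hunks starting `@@ -2850,36` and `@@ -2981,34` (anomali confidence 45 and 67). The JSON object holding this value opens in the previous hunk.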
@@ -2597,41 +2797,48 @@
"log.offset": 31451,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"gry2doqf",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 376",
- "threatintel.anomalithreatstream.id": 3576055846,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:0qqrz",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P27429039546/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1808,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "660"
- ],
- "threatintel.anomalithreatstream.update_id": 2477226249,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.first_seen": "2020-10-09T18:34:17.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.83",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:17.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:34:17.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.83",
+ "threat.indicator.last_seen": "2020-10-09T18:34:17.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "o4kqv8b8.example.net",
- "threatintel.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
- "threatintel.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
- "threatintel.indicator.url.path": "/gm4d-9gt/v2iqt",
- "threatintel.indicator.url.query": "x65ry67ao=skta9rp",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "o4kqv8b8.example.net",
+ "threat.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
+ "threat.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
+ "threat.indicator.url.path": "/gm4d-9gt/v2iqt",
+ "threat.indicator.url.query": "x65ry67ao=skta9rp",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 89,
+ "anomali.threatstream.detail2": "imported by user 748",
+ "anomali.threatstream.id": "1315247197",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:r38g5hbgx",
+ "anomali.threatstream.md5": "3eac",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15092591036/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "206",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "19",
+ "6",
+ "954"
+ ],
+ "anomali.threatstream.update_id": "1760504719",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2644,37 +2851,39 @@
"service.type": "threatintel",
"tags": [
"1l9tule2",
+ "forwarded",
"k6p",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 89,
- "threatintel.anomalithreatstream.detail2": "imported by user 748",
- "threatintel.anomalithreatstream.id": 1315247197,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:r38g5hbgx",
- "threatintel.anomalithreatstream.md5": "3eac",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15092591036/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 206,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "19",
- "6",
- "954"
- ],
- "threatintel.anomalithreatstream.update_id": 1760504719,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 25,
+ "anomali.threatstream.detail2": "imported by user 380",
+ "anomali.threatstream.id": "1562423716",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:882dlx",
+ "anomali.threatstream.md5": "59893613",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35184012550/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3446",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "392",
+ "581"
+ ],
+ "anomali.threatstream.update_id": "2530088908",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2687,36 +2896,40 @@
"service.type": "threatintel",
"tags": [
"d9qquxe",
+ "forwarded",
"threatintel-anomalithreatstream",
"ulx"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 25,
- "threatintel.anomalithreatstream.detail2": "imported by user 380",
- "threatintel.anomalithreatstream.id": 1562423716,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:882dlx",
- "threatintel.anomalithreatstream.md5": "59893613",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35184012550/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3446,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "392",
- "581"
- ],
- "threatintel.anomalithreatstream.update_id": 2530088908,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 4,
+ "anomali.threatstream.detail2": "imported by user 423",
+ "anomali.threatstream.id": "1470897088",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:rwo6s",
+ "anomali.threatstream.md5": "5facf1f",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10368659748/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "599",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "591",
+ "663",
+ "848"
+ ],
+ "anomali.threatstream.update_id": "1937893007",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2728,38 +2941,39 @@
"log.offset": 33043,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream",
"wsu7l1",
"zrb"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 4,
- "threatintel.anomalithreatstream.detail2": "imported by user 423",
- "threatintel.anomalithreatstream.id": 1470897088,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:rwo6s",
- "threatintel.anomalithreatstream.md5": "5facf1f",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10368659748/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 599,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "591",
- "663",
- "848"
- ],
- "threatintel.anomalithreatstream.update_id": 1937893007,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 0,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 9,
+ "anomali.threatstream.detail2": "imported by user 983",
+ "anomali.threatstream.id": "1205553827",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:-pbnrmv",
+ "anomali.threatstream.md5": "708b2c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41514908414/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3751",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "299"
+ ],
+ "anomali.threatstream.update_id": "3858315866",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2772,34 +2986,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 9,
- "threatintel.anomalithreatstream.detail2": "imported by user 983",
- "threatintel.anomalithreatstream.id": 1205553827,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:-pbnrmv",
- "threatintel.anomalithreatstream.md5": "708b2c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41514908414/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3751,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "299"
- ],
- "threatintel.anomalithreatstream.update_id": 3858315866,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 314",
+ "anomali.threatstream.id": "1744295971",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:uqw",
+ "anomali.threatstream.md5": "0df",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36955243007/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2305",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "556"
+ ],
+ "anomali.threatstream.update_id": "2655715062",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2812,33 +3029,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 314",
- "threatintel.anomalithreatstream.id": 1744295971,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:uqw",
- "threatintel.anomalithreatstream.md5": "0df",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36955243007/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2305,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "556"
- ],
- "threatintel.anomalithreatstream.update_id": 2655715062,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.first_seen": "2020-10-09T18:34:39.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:39.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:34:39.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:39.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 45,
+ "anomali.threatstream.detail2": "imported by user 986",
+ "anomali.threatstream.id": "1782793990",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:mkctzuaaf",
+ "anomali.threatstream.md5": "770",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41751433270/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3513",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "445"
+ ],
+ "anomali.threatstream.update_id": "2172945223",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2850,36 +3071,38 @@
"log.offset": 34489,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"ps2",
"qr2wno4",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 45,
- "threatintel.anomalithreatstream.detail2": "imported by user 986",
- "threatintel.anomalithreatstream.id": 1782793990,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:mkctzuaaf",
- "threatintel.anomalithreatstream.md5": "770",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41751433270/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3513,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "445"
- ],
- "threatintel.anomalithreatstream.update_id": 2172945223,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:40.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:40.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:34:40.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:40.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 98,
+ "anomali.threatstream.detail2": "imported by user 615",
+ "anomali.threatstream.id": "1130190904",
+ "anomali.threatstream.itype": "scan_ip",
+ "anomali.threatstream.maltype": "malware:3zu2d2",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13755730530/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1192",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "88"
+ ],
+ "anomali.threatstream.update_id": "1575621349",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2892,35 +3115,39 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 98,
- "threatintel.anomalithreatstream.detail2": "imported by user 615",
- "threatintel.anomalithreatstream.id": 1130190904,
- "threatintel.anomalithreatstream.itype": "scan_ip",
- "threatintel.anomalithreatstream.maltype": "malware:3zu2d2",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13755730530/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1192,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "88"
- ],
- "threatintel.anomalithreatstream.update_id": 1575621349,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 10,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:41.000Z",
- "threatintel.indicator.geo.country_iso_code": "VN",
- "threatintel.indicator.ip": "192.0.2.88",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:41.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:41.000Z",
+ "threat.indicator.geo.country_iso_code": "VN",
+ "threat.indicator.ip": "192.0.2.88",
+ "threat.indicator.last_seen": "2020-10-09T18:34:41.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 17,
+ "anomali.threatstream.detail2": "imported by user 202",
+ "anomali.threatstream.id": "2499059829",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:86-jrf6o",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43937262060/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "852",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "308",
+ "949"
+ ],
+ "anomali.threatstream.update_id": "2450069481",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2933,42 +3160,45 @@
"service.type": "threatintel",
"tags": [
"ao6",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 17,
- "threatintel.anomalithreatstream.detail2": "imported by user 202",
- "threatintel.anomalithreatstream.id": 2499059829,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:86-jrf6o",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43937262060/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 852,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "308",
- "949"
- ],
- "threatintel.anomalithreatstream.update_id": 2450069481,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:43.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.111",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:43.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:43.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.111",
+ "threat.indicator.last_seen": "2020-10-09T18:34:43.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "91p0p.example.com",
- "threatintel.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
- "threatintel.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
- "threatintel.indicator.url.path": "/easx3j6iy/xvnchuoa",
- "threatintel.indicator.url.query": "dvkljl=h21",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "91p0p.example.com",
+ "threat.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
+ "threat.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
+ "threat.indicator.url.path": "/easx3j6iy/xvnchuoa",
+ "threat.indicator.url.query": "dvkljl=h21",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 67,
+ "anomali.threatstream.detail2": "imported by user 421",
+ "anomali.threatstream.id": "2799251412",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:91o2",
+ "anomali.threatstream.md5": "f9edba87a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P31632809876/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3756",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "776"
+ ],
+ "anomali.threatstream.update_id": "3951093865",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -2981,34 +3211,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 67,
- "threatintel.anomalithreatstream.detail2": "imported by user 421",
- "threatintel.anomalithreatstream.id": 2799251412,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:91o2",
- "threatintel.anomalithreatstream.md5": "f9edba87a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P31632809876/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3756,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "776"
- ],
- "threatintel.anomalithreatstream.update_id": 3951093865,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:48.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:48.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:34:48.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:48.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 22,
+ "anomali.threatstream.detail2": "imported by user 807",
+ "anomali.threatstream.id": "3711409360",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:yakt8pe9r",
+ "anomali.threatstream.md5": "c3b497",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37263483140/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3903",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "35"
+ ],
+ "anomali.threatstream.update_id": "3046847198",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3021,34 +3254,38 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 22,
- "threatintel.anomalithreatstream.detail2": "imported by user 807",
- "threatintel.anomalithreatstream.id": 3711409360,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:yakt8pe9r",
- "threatintel.anomalithreatstream.md5": "c3b497",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37263483140/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3903,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "35"
- ],
- "threatintel.anomalithreatstream.update_id": 3046847198,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 20,
+ "anomali.threatstream.detail2": "imported by user 298",
+ "anomali.threatstream.id": "3346530445",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:jfje",
+ "anomali.threatstream.md5": "ec57713c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10248765051/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1239",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "196",
+ "775"
+ ],
+ "anomali.threatstream.update_id": "2946803375",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3061,35 +3298,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 20,
- "threatintel.anomalithreatstream.detail2": "imported by user 298",
- "threatintel.anomalithreatstream.id": 3346530445,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:jfje",
- "threatintel.anomalithreatstream.md5": "ec57713c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10248765051/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1239,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "196",
- "775"
- ],
- "threatintel.anomalithreatstream.update_id": 2946803375,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 345",
+ "anomali.threatstream.id": "2804727563",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:c7e",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11093591971/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2617",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "131",
+ "793"
+ ],
+ "anomali.threatstream.update_id": "1687817836",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3102,41 +3341,45 @@
"service.type": "threatintel",
"tags": [
"-g6",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 345",
- "threatintel.anomalithreatstream.id": 2804727563,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:c7e",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11093591971/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2617,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "131",
- "793"
- ],
- "threatintel.anomalithreatstream.update_id": 1687817836,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.first_seen": "2020-10-09T18:34:54.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.133",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:54.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:34:54.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.133",
+ "threat.indicator.last_seen": "2020-10-09T18:34:54.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "lzr6.example.org",
- "threatintel.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun",
- "threatintel.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun",
- "threatintel.indicator.url.path": "/a7og/4vpv",
- "threatintel.indicator.url.query": "e7k5=wun",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "lzr6.example.org",
+ "threat.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun",
+ "threat.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun",
+ "threat.indicator.url.path": "/a7og/4vpv",
+ "threat.indicator.url.query": "e7k5=wun",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 84,
+ "anomali.threatstream.detail2": "imported by user 747",
+ "anomali.threatstream.id": "2229747614",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:0d7cxf",
+ "anomali.threatstream.md5": "bde",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12084157836/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1620",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "30"
+ ],
+ "anomali.threatstream.update_id": "2339220849",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3149,34 +3392,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 84,
- "threatintel.anomalithreatstream.detail2": "imported by user 747",
- "threatintel.anomalithreatstream.id": 2229747614,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:0d7cxf",
- "threatintel.anomalithreatstream.md5": "bde",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12084157836/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1620,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "30"
- ],
- "threatintel.anomalithreatstream.update_id": 2339220849,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:55.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:55.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:55.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:55.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 54,
+ "anomali.threatstream.detail2": "imported by user 832",
+ "anomali.threatstream.id": "2821279948",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:-farvj0e",
+ "anomali.threatstream.md5": "aa674f5f",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43981956471/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2038",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "908"
+ ],
+ "anomali.threatstream.update_id": "2083515068",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3189,34 +3435,39 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 54,
- "threatintel.anomalithreatstream.detail2": "imported by user 832",
- "threatintel.anomalithreatstream.id": 2821279948,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:-farvj0e",
- "threatintel.anomalithreatstream.md5": "aa674f5f",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43981956471/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2038,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "908"
- ],
- "threatintel.anomalithreatstream.update_id": 2083515068,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 63,
+ "anomali.threatstream.detail2": "imported by user 217",
+ "anomali.threatstream.id": "3118884222",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:23xfw4nyi",
+ "anomali.threatstream.md5": "48721c98",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20451120036/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1492",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "207",
+ "501",
+ "993"
+ ],
+ "anomali.threatstream.update_id": "3429396478",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
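Review bot: `"threat.indicator.confidence": "Med"` on the new side of this hunk is not one of the values ECS lists for that field (Not Specified, None, Low, Medium, High), whereas the other hunks' `Low`, `None` and `High` are; if the field is meant to follow the ECS allowed-values list, the expected value should be `"Medium"`. This is a generated expected-output fixture, so the change belongs in the ingest pipeline that maps `anomali.threatstream.confidence` onto this field (not visible in this diff), with the fixture regenerated afterwards. The same value appears in the hunks headed `@@ -3229,36 +3480,36 @@`, `@@ -3317,36 +3572,40 @@`, `@@ -3359,35 +3618,37 @@`, `@@ -3403,44 +3664,48 @@` and `@@ -3453,43 +3718,45 @@`.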
@@ -3229,36 +3480,36 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 63,
- "threatintel.anomalithreatstream.detail2": "imported by user 217",
- "threatintel.anomalithreatstream.id": 3118884222,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:23xfw4nyi",
- "threatintel.anomalithreatstream.md5": "48721c98",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20451120036/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1492,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "207",
- "501",
- "993"
- ],
- "threatintel.anomalithreatstream.update_id": 3429396478,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 72,
+ "anomali.threatstream.detail2": "imported by user 402",
+ "anomali.threatstream.id": "3912225830",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:dto",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16185398807/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1594",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "439"
+ ],
+ "anomali.threatstream.update_id": "3320773285",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3270,42 +3521,46 @@
"log.offset": 39578,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream",
"y7d71"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 72,
- "threatintel.anomalithreatstream.detail2": "imported by user 402",
- "threatintel.anomalithreatstream.id": 3912225830,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:dto",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16185398807/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1594,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "439"
- ],
- "threatintel.anomalithreatstream.update_id": 3320773285,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:04.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.177",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:04.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:35:04.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.177",
+ "threat.indicator.last_seen": "2020-10-09T18:35:04.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "932.example.com",
- "threatintel.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
- "threatintel.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
- "threatintel.indicator.url.path": "/1xmdjyom/tf3inx1",
- "threatintel.indicator.url.query": "s6zgr=ajgw",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "932.example.com",
+ "threat.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
+ "threat.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
+ "threat.indicator.url.path": "/1xmdjyom/tf3inx1",
+ "threat.indicator.url.query": "s6zgr=ajgw",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 34,
+ "anomali.threatstream.detail2": "imported by user 626",
+ "anomali.threatstream.id": "2591984894",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:7nq6far",
+ "anomali.threatstream.md5": "114bd63e0",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P19612019110/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1579",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "669"
+ ],
+ "anomali.threatstream.update_id": "2275758319",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3317,36 +3572,40 @@
"log.offset": 40161,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"hlq",
"nknea",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 34,
- "threatintel.anomalithreatstream.detail2": "imported by user 626",
- "threatintel.anomalithreatstream.id": 2591984894,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:7nq6far",
- "threatintel.anomalithreatstream.md5": "114bd63e0",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19612019110/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1579,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "669"
- ],
- "threatintel.anomalithreatstream.update_id": 2275758319,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:06.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:06.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:06.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:06.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 53,
+ "anomali.threatstream.detail2": "imported by user 756",
+ "anomali.threatstream.id": "2589012476",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:c1z0qya",
+ "anomali.threatstream.md5": "636cd4267",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47658489795/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3665",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "835",
+ "850"
+ ],
+ "anomali.threatstream.update_id": "2399518196",
+ "anomali.threatstream.value_type": "md5",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3359,35 +3618,37 @@
"service.type": "threatintel",
"tags": [
"",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 53,
- "threatintel.anomalithreatstream.detail2": "imported by user 756",
- "threatintel.anomalithreatstream.id": 2589012476,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:c1z0qya",
- "threatintel.anomalithreatstream.md5": "636cd4267",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47658489795/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3665,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "835",
- "850"
- ],
- "threatintel.anomalithreatstream.update_id": 2399518196,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:22.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:22.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:22.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:22.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 57,
+ "anomali.threatstream.detail2": "imported by user 893",
+ "anomali.threatstream.id": "2677187012",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:qtp",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28161033466/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3395",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "234",
+ "909"
+ ],
+ "anomali.threatstream.update_id": "3342338979",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3403,44 +3664,48 @@
"5z6",
"IP=192.0.2.45",
"first_seen=2020-11-24T05:32:17",
+ "forwarded",
"mask=2001:db8:6d86:4a6:af9b:4385:14d6:b714",
"popularity=high",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 57,
- "threatintel.anomalithreatstream.detail2": "imported by user 893",
- "threatintel.anomalithreatstream.id": 2677187012,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:qtp",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28161033466/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3395,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "234",
- "909"
- ],
- "threatintel.anomalithreatstream.update_id": 3342338979,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:01.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.71",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:01.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:01.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.71",
+ "threat.indicator.last_seen": "2020-10-09T18:44:01.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "0te9x75e.example.net",
- "threatintel.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
- "threatintel.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
- "threatintel.indicator.url.path": "/y2cbl5ov5/u-s9",
- "threatintel.indicator.url.query": "vhppw120=bt0ze0du3",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "0te9x75e.example.net",
+ "threat.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
+ "threat.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
+ "threat.indicator.url.path": "/y2cbl5ov5/u-s9",
+ "threat.indicator.url.query": "vhppw120=bt0ze0du3",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 31,
+ "anomali.threatstream.detail2": "imported by user 450",
+ "anomali.threatstream.id": "3137219963",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:nosy8",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33588463803/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2108",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "755",
+ "843",
+ "943"
+ ],
+ "anomali.threatstream.update_id": "1484831936",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3453,43 +3718,45 @@
"service.type": "threatintel",
"tags": [
"06epx",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 31,
- "threatintel.anomalithreatstream.detail2": "imported by user 450",
- "threatintel.anomalithreatstream.id": 3137219963,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:nosy8",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33588463803/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2108,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "755",
- "843",
- "943"
- ],
- "threatintel.anomalithreatstream.update_id": 1484831936,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:04.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.180",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:04.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:04.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.180",
+ "threat.indicator.last_seen": "2020-10-09T18:44:04.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "b7qdtnl8f.example.org",
- "threatintel.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
- "threatintel.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
- "threatintel.indicator.url.path": "/z2a-tx3ip/7cv",
- "threatintel.indicator.url.query": "9a67ct3mb=ijse",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "b7qdtnl8f.example.org",
+ "threat.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
+ "threat.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
+ "threat.indicator.url.path": "/z2a-tx3ip/7cv",
+ "threat.indicator.url.query": "9a67ct3mb=ijse",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 19,
+ "anomali.threatstream.detail2": "imported by user 479",
+ "anomali.threatstream.id": "2506436592",
+ "anomali.threatstream.itype": "mal_domain",
+ "anomali.threatstream.maltype": "malware:4okr",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P42606732542/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "393",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "324",
+ "63"
+ ],
+ "anomali.threatstream.update_id": "1826833096",
+ "anomali.threatstream.value_type": "domain",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3501,37 +3768,40 @@
"log.offset": 42447,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"jjz8e",
"n5okkr7mg",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 19,
- "threatintel.anomalithreatstream.detail2": "imported by user 479",
- "threatintel.anomalithreatstream.id": 2506436592,
- "threatintel.anomalithreatstream.itype": "mal_domain",
- "threatintel.anomalithreatstream.maltype": "malware:4okr",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P42606732542/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 393,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "324",
- "63"
- ],
- "threatintel.anomalithreatstream.update_id": 1826833096,
- "threatintel.anomalithreatstream.value_type": "domain",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:19.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:19.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:44:19.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:44:19.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "4gtq1n.example.net"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "4gtq1n.example.net"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 83,
+ "anomali.threatstream.detail2": "imported by user 969",
+ "anomali.threatstream.id": "1214135687",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:h68c70o",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25206292349/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "425",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "324",
+ "474"
+ ],
+ "anomali.threatstream.update_id": "2101635974",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3545,40 +3815,43 @@
"tags": [
"IP=203.0.113.163",
"first_seen=2020-02-14T13:46:51",
+ "forwarded",
"gnz6",
"mask=203.0.113.12",
"popularity=high",
"threatintel-anomalithreatstream",
"u96h"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 83,
- "threatintel.anomalithreatstream.detail2": "imported by user 969",
- "threatintel.anomalithreatstream.id": 1214135687,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:h68c70o",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25206292349/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 425,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "324",
- "474"
- ],
- "threatintel.anomalithreatstream.update_id": 2101635974,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:27.000Z",
- "threatintel.indicator.geo.country_iso_code": "RU",
- "threatintel.indicator.ip": "192.0.2.17",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:27.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:27.000Z",
+ "threat.indicator.geo.country_iso_code": "RU",
+ "threat.indicator.ip": "192.0.2.17",
+ "threat.indicator.last_seen": "2020-10-09T18:44:27.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 15,
+ "anomali.threatstream.detail2": "imported by user 501",
+ "anomali.threatstream.id": "1632578144",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:y9xovpr2",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21633460934/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1114",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "615",
+ "818"
+ ],
+ "anomali.threatstream.update_id": "1949050295",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3590,43 +3863,47 @@
"log.offset": 43582,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"t37z5d2",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 15,
- "threatintel.anomalithreatstream.detail2": "imported by user 501",
- "threatintel.anomalithreatstream.id": 1632578144,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:y9xovpr2",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21633460934/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1114,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "615",
- "818"
- ],
- "threatintel.anomalithreatstream.update_id": 1949050295,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:35.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.183",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:35.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:44:35.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.183",
+ "threat.indicator.last_seen": "2020-10-09T18:44:35.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tfva.example.org",
- "threatintel.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
- "threatintel.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
- "threatintel.indicator.url.path": "/iih3qkj/b04g7",
- "threatintel.indicator.url.query": "dwosh0qmt=wi9ao",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tfva.example.org",
+ "threat.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
+ "threat.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
+ "threat.indicator.url.path": "/iih3qkj/b04g7",
+ "threat.indicator.url.query": "dwosh0qmt=wi9ao",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 85,
+ "anomali.threatstream.detail2": "imported by user 149",
+ "anomali.threatstream.id": "3098969355",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:wxbuhcov9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30134520108/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "398",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "597",
+ "913",
+ "946"
+ ],
+ "anomali.threatstream.update_id": "2645963867",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3638,44 +3915,47 @@
"log.offset": 44184,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"rprsi-",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 85,
- "threatintel.anomalithreatstream.detail2": "imported by user 149",
- "threatintel.anomalithreatstream.id": 3098969355,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:wxbuhcov9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30134520108/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 398,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "597",
- "913",
- "946"
- ],
- "threatintel.anomalithreatstream.update_id": 2645963867,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:36.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.149",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:36.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:36.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.149",
+ "threat.indicator.last_seen": "2020-10-09T18:44:36.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "erg2.example.com",
- "threatintel.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
- "threatintel.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
- "threatintel.indicator.url.path": "/4ys/vywa93c",
- "threatintel.indicator.url.query": "7oru=evpi",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "erg2.example.com",
+ "threat.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
+ "threat.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
+ "threat.indicator.url.path": "/4ys/vywa93c",
+ "threat.indicator.url.query": "7oru=evpi",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 64,
+ "anomali.threatstream.detail2": "imported by user 59",
+ "anomali.threatstream.id": "2035701780",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:xn2a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10508749376/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2760",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "600",
+ "673",
+ "990"
+ ],
+ "anomali.threatstream.update_id": "2806149730",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3690,46 +3970,49 @@
"-jj",
"IP=203.0.113.22",
"first_seen=2020-12-24T20:20:31",
+ "forwarded",
"gogpcno",
"mask=2001:db8:bdc6:400b:c095:41c7:1d54:8ff6",
"popularity=low",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 64,
- "threatintel.anomalithreatstream.detail2": "imported by user 59",
- "threatintel.anomalithreatstream.id": 2035701780,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:xn2a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10508749376/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2760,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "600",
- "673",
- "990"
- ],
- "threatintel.anomalithreatstream.update_id": 2806149730,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:37.000Z",
- "threatintel.indicator.geo.country_iso_code": "IN",
- "threatintel.indicator.ip": "203.0.113.27",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:37.000Z",
+ "threat.indicator.geo.country_iso_code": "IN",
+ "threat.indicator.ip": "203.0.113.27",
+ "threat.indicator.last_seen": "2020-10-09T18:44:37.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "0elz6c.example.com",
- "threatintel.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
- "threatintel.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
- "threatintel.indicator.url.path": "/3nhx/cadsn6",
- "threatintel.indicator.url.query": "kfcj94=gnl",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "0elz6c.example.com",
+ "threat.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
+ "threat.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
+ "threat.indicator.url.path": "/3nhx/cadsn6",
+ "threat.indicator.url.query": "kfcj94=gnl",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 44,
+ "anomali.threatstream.detail2": "imported by user 134",
+ "anomali.threatstream.id": "2120958409",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:cu6f11gp1",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46535027346/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1973",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "125",
+ "279",
+ "552"
+ ],
+ "anomali.threatstream.update_id": "3490786662",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3741,44 +4024,46 @@
"log.offset": 45480,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"qztcai",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 44,
- "threatintel.anomalithreatstream.detail2": "imported by user 134",
- "threatintel.anomalithreatstream.id": 2120958409,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:cu6f11gp1",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46535027346/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1973,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "125",
- "279",
- "552"
- ],
- "threatintel.anomalithreatstream.update_id": 3490786662,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:45.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:45.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:45.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011",
+ "threat.indicator.last_seen": "2020-10-09T18:44:45.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "6i0-utr.example.com",
- "threatintel.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
- "threatintel.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
- "threatintel.indicator.url.path": "/hsv/50qcugwt",
- "threatintel.indicator.url.query": "xcl=ofr",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "6i0-utr.example.com",
+ "threat.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
+ "threat.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
+ "threat.indicator.url.path": "/hsv/50qcugwt",
+ "threat.indicator.url.query": "xcl=ofr",
+ "threat.indicator.url.scheme": "https"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 94,
+ "anomali.threatstream.detail2": "imported by user 914",
+ "anomali.threatstream.id": "1139990065",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:9pyy91p7",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20277063326/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2363",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "346",
+ "610"
+ ],
+ "anomali.threatstream.update_id": "2750333841",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3793,39 +4078,41 @@
"IP=203.0.113.155",
"ail6s",
"first_seen=2020-11-23T17:11:50",
+ "forwarded",
"mask=203.0.113.23",
"popularity=medium",
"q0n",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 94,
- "threatintel.anomalithreatstream.detail2": "imported by user 914",
- "threatintel.anomalithreatstream.id": 1139990065,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:9pyy91p7",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20277063326/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2363,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "346",
- "610"
- ],
- "threatintel.anomalithreatstream.update_id": 2750333841,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:47.000Z",
- "threatintel.indicator.geo.country_iso_code": "CN",
- "threatintel.indicator.ip": "203.0.113.128",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:47.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:47.000Z",
+ "threat.indicator.geo.country_iso_code": "CN",
+ "threat.indicator.ip": "203.0.113.128",
+ "threat.indicator.last_seen": "2020-10-09T18:44:47.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 69,
+ "anomali.threatstream.detail2": "imported by user 886",
+ "anomali.threatstream.id": "2453026318",
+ "anomali.threatstream.itype": "mal_domain",
+ "anomali.threatstream.maltype": "malware:c0-a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26988858868/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1281",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "391"
+ ],
+ "anomali.threatstream.update_id": "3315952704",
+ "anomali.threatstream.value_type": "domain",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3839,39 +4126,44 @@
"tags": [
"0a3p",
"first_seen=2020-03-11T09:04:13",
+ "forwarded",
"mask=2001:db8:7aae:f1e6:e8b3:5702:40ea:29f0",
"popularity=high",
"smh",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 69,
- "threatintel.anomalithreatstream.detail2": "imported by user 886",
- "threatintel.anomalithreatstream.id": 2453026318,
- "threatintel.anomalithreatstream.itype": "mal_domain",
- "threatintel.anomalithreatstream.maltype": "malware:c0-a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26988858868/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1281,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "391"
- ],
- "threatintel.anomalithreatstream.update_id": 3315952704,
- "threatintel.anomalithreatstream.value_type": "domain",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.geo.country_iso_code": "HK",
- "threatintel.indicator.ip": "203.0.113.16",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.geo.country_iso_code": "HK",
+ "threat.indicator.ip": "203.0.113.16",
+ "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "ztpyt.example.org"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "ztpyt.example.org"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 88,
+ "anomali.threatstream.detail2": "imported by user 268",
+ "anomali.threatstream.id": "3554643386",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:ai7s5vg01",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48225335605/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "744",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "258",
+ "75",
+ "806"
+ ],
+ "anomali.threatstream.update_id": "3898530792",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3884,45 +4176,46 @@
"service.type": "threatintel",
"tags": [
"first_seen=2020-07-17T00:42:30",
+ "forwarded",
"mask=192.0.2.22",
"mdedohd",
"popularity=high",
"sv5lmqoo",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 88,
- "threatintel.anomalithreatstream.detail2": "imported by user 268",
- "threatintel.anomalithreatstream.id": 3554643386,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:ai7s5vg01",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48225335605/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 744,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "258",
- "75",
- "806"
- ],
- "threatintel.anomalithreatstream.update_id": 3898530792,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "e5el.example.net",
- "threatintel.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
- "threatintel.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
- "threatintel.indicator.url.path": "/rncer/fky",
- "threatintel.indicator.url.query": "8tc53bbz=1pd-6w5",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "e5el.example.net",
+ "threat.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
+ "threat.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
+ "threat.indicator.url.path": "/rncer/fky",
+ "threat.indicator.url.query": "8tc53bbz=1pd-6w5",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 73,
+ "anomali.threatstream.detail2": "imported by user 737",
+ "anomali.threatstream.id": "2781657405",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:6faja4zy-",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13788530147/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "518",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "259"
+ ],
+ "anomali.threatstream.update_id": "1423149268",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3934,42 +4227,47 @@
"log.offset": 47992,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"l019r8",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 73,
- "threatintel.anomalithreatstream.detail2": "imported by user 737",
- "threatintel.anomalithreatstream.id": 2781657405,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:6faja4zy-",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13788530147/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 518,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "259"
- ],
- "threatintel.anomalithreatstream.update_id": 1423149268,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:54.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.226",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:54.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:54.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.226",
+ "threat.indicator.last_seen": "2020-10-09T18:44:54.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "eryz36i.example.net",
- "threatintel.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
- "threatintel.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
- "threatintel.indicator.url.path": "/9a86hdj/zti5r9fx",
- "threatintel.indicator.url.query": "ahz=l7dsg01qo",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "eryz36i.example.net",
+ "threat.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
+ "threat.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
+ "threat.indicator.url.path": "/9a86hdj/zti5r9fx",
+ "threat.indicator.url.query": "ahz=l7dsg01qo",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 22,
+ "anomali.threatstream.detail2": "imported by user 703",
+ "anomali.threatstream.id": "1875325904",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:rrcnb",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12535858975/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "417",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "114",
+ "792",
+ "802"
+ ],
+ "anomali.threatstream.update_id": "2621256767",
+ "anomali.threatstream.value_type": "url",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -3982,43 +4280,45 @@
"service.type": "threatintel",
"tags": [
"4yqbj3b",
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 22,
- "threatintel.anomalithreatstream.detail2": "imported by user 703",
- "threatintel.anomalithreatstream.id": 1875325904,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:rrcnb",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12535858975/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 417,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "114",
- "792",
- "802"
- ],
- "threatintel.anomalithreatstream.update_id": 2621256767,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:58.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.25",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:58.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:44:58.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.25",
+ "threat.indicator.last_seen": "2020-10-09T18:44:58.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "i-pb.example.com",
- "threatintel.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
- "threatintel.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
- "threatintel.indicator.url.path": "/pjmy3/w0tgzb",
- "threatintel.indicator.url.query": "noe1pr9=eiwcfihd",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "i-pb.example.com",
+ "threat.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
+ "threat.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
+ "threat.indicator.url.path": "/pjmy3/w0tgzb",
+ "threat.indicator.url.query": "noe1pr9=eiwcfihd",
+ "threat.indicator.url.scheme": "http"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 19,
+ "anomali.threatstream.detail2": "imported by user 846",
+ "anomali.threatstream.id": "2684776210",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:zfd",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45743905551/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "965",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "641",
+ "697"
+ ],
+ "anomali.threatstream.update_id": "1171583779",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4032,40 +4332,44 @@
"tags": [
"IP=2001:db8:61be:1efa:290:c941:bef8:3803",
"first_seen=2020-12-01T02:16:04",
+ "forwarded",
"j6vwgb6",
"mask=2001:db8:fc83:375e:9c60:3d50:1dc1:9f89",
"popularity=medium",
"qqo5fg",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 19,
- "threatintel.anomalithreatstream.detail2": "imported by user 846",
- "threatintel.anomalithreatstream.id": 2684776210,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:zfd",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45743905551/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 965,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "641",
- "697"
- ],
- "threatintel.anomalithreatstream.update_id": 1171583779,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:45:05.000Z",
- "threatintel.indicator.geo.country_iso_code": "IN",
- "threatintel.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956",
- "threatintel.indicator.last_seen": "2020-10-09T18:45:05.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:45:05.000Z",
+ "threat.indicator.geo.country_iso_code": "IN",
+ "threat.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956",
+ "threat.indicator.last_seen": "2020-10-09T18:45:05.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv6-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv6-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 14,
+ "anomali.threatstream.detail2": "imported by user 812",
+ "anomali.threatstream.id": "1705726884",
+ "anomali.threatstream.import_session_id": "2813",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:ib0ezg",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12586136986/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "632",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "459",
+ "936"
+ ],
+ "anomali.threatstream.update_id": "3651210157",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4077,41 +4381,42 @@
"log.offset": 49879,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 14,
- "threatintel.anomalithreatstream.detail2": "imported by user 812",
- "threatintel.anomalithreatstream.id": 1705726884,
- "threatintel.anomalithreatstream.import_session_id": 2813,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:ib0ezg",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12586136986/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 632,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "459",
- "936"
- ],
- "threatintel.anomalithreatstream.update_id": 3651210157,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.number": 3356,
- "threatintel.indicator.as.organization.name": "Level 3 Communications",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2021-04-07T13:10:07.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.geo.location.lat": 5.6,
- "threatintel.indicator.geo.location.lon": 112.8,
- "threatintel.indicator.ip": "192.0.2.12",
- "threatintel.indicator.last_seen": "2021-04-19T08:57:46.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.number": 3356,
+ "threat.indicator.as.organization.name": "Level 3 Communications",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2021-04-07T13:10:07.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.geo.location.lat": 5.6,
+ "threat.indicator.geo.location.lon": 112.8,
+ "threat.indicator.ip": "192.0.2.12",
+ "threat.indicator.last_seen": "2021-04-19T08:57:46.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 81,
+ "anomali.threatstream.detail2": "imported by user 411",
+ "anomali.threatstream.id": "1502608684",
+ "anomali.threatstream.itype": "apt_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46655498126/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "2891",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "474",
+ "601"
+ ],
+ "anomali.threatstream.update_id": "1170853028",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4123,34 +4428,36 @@
"log.offset": 50468,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 81,
- "threatintel.anomalithreatstream.detail2": "imported by user 411",
- "threatintel.anomalithreatstream.id": 1502608684,
- "threatintel.anomalithreatstream.itype": "apt_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46655498126/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 2891,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "474",
- "601"
- ],
- "threatintel.anomalithreatstream.update_id": 1170853028,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2021-04-29T16:02:17.000Z",
- "threatintel.indicator.ip": "203.0.113.5",
- "threatintel.indicator.last_seen": "2021-04-29T16:02:17.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2021-04-29T16:02:17.000Z",
+ "threat.indicator.ip": "203.0.113.5",
+ "threat.indicator.last_seen": "2021-04-29T16:02:17.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 14,
+ "anomali.threatstream.detail2": "imported by user 601",
+ "anomali.threatstream.id": "1171635730",
+ "anomali.threatstream.itype": "ssh_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24647878518/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "822",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "749"
+ ],
+ "anomali.threatstream.update_id": "1026394470",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4162,33 +4469,37 @@
"log.offset": 50919,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 14,
- "threatintel.anomalithreatstream.detail2": "imported by user 601",
- "threatintel.anomalithreatstream.id": 1171635730,
- "threatintel.anomalithreatstream.itype": "ssh_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24647878518/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 822,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "749"
- ],
- "threatintel.anomalithreatstream.update_id": 1026394470,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2021-04-29T16:02:23.000Z",
- "threatintel.indicator.ip": "192.0.2.68",
- "threatintel.indicator.last_seen": "2021-04-29T16:02:23.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2021-04-29T16:02:23.000Z",
+ "threat.indicator.ip": "192.0.2.68",
+ "threat.indicator.last_seen": "2021-04-29T16:02:23.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 70,
+ "anomali.threatstream.detail2": "imported by user 964",
+ "anomali.threatstream.id": "2251817936",
+ "anomali.threatstream.itype": "i2p_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47421535249/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3194",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "235",
+ "630"
+ ],
+ "anomali.threatstream.update_id": "3118045359",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4200,34 +4511,37 @@
"log.offset": 51361,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 70,
- "threatintel.anomalithreatstream.detail2": "imported by user 964",
- "threatintel.anomalithreatstream.id": 2251817936,
- "threatintel.anomalithreatstream.itype": "i2p_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47421535249/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3194,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "235",
- "630"
- ],
- "threatintel.anomalithreatstream.update_id": 3118045359,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2021-04-29T16:02:24.000Z",
- "threatintel.indicator.ip": "203.0.113.54",
- "threatintel.indicator.last_seen": "2021-04-29T16:02:24.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2021-04-29T16:02:24.000Z",
+ "threat.indicator.ip": "203.0.113.54",
+ "threat.indicator.last_seen": "2021-04-29T16:02:24.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 77,
+ "anomali.threatstream.detail2": "imported by user 137",
+ "anomali.threatstream.id": "1966380326",
+ "anomali.threatstream.itype": "parked_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P19479436344/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "229",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "303",
+ "461"
+ ],
+ "anomali.threatstream.update_id": "1757326916",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4239,34 +4553,38 @@
"log.offset": 51809,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 77,
- "threatintel.anomalithreatstream.detail2": "imported by user 137",
- "threatintel.anomalithreatstream.id": 1966380326,
- "threatintel.anomalithreatstream.itype": "parked_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19479436344/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 229,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "303",
- "461"
- ],
- "threatintel.anomalithreatstream.update_id": 1757326916,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z",
- "threatintel.indicator.ip": "203.0.113.195",
- "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z",
+ "threat.indicator.ip": "203.0.113.195",
+ "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 14,
+ "anomali.threatstream.detail2": "imported by user 997",
+ "anomali.threatstream.id": "3377960871",
+ "anomali.threatstream.itype": "tor_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25503355951/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1710",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "13",
+ "657",
+ "879"
+ ],
+ "anomali.threatstream.update_id": "1469037378",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4278,35 +4596,38 @@
"log.offset": 52257,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream"
],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 14,
- "threatintel.anomalithreatstream.detail2": "imported by user 997",
- "threatintel.anomalithreatstream.id": 3377960871,
- "threatintel.anomalithreatstream.itype": "tor_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25503355951/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1710,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "13",
- "657",
- "879"
- ],
- "threatintel.anomalithreatstream.update_id": 1469037378,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z",
- "threatintel.indicator.ip": "192.0.2.239",
- "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z",
+ "threat.indicator.ip": "192.0.2.239",
+ "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z",
+ "threat.indicator.marking.tlp": [
"Amber"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
},
{
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 12,
+ "anomali.threatstream.detail2": "imported by user 445",
+ "anomali.threatstream.id": "1049633552",
+ "anomali.threatstream.itype": "c2_ip",
+ "anomali.threatstream.maltype": "malware:tos5xne",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P17175297976/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "274",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "683",
+ "719"
+ ],
+ "anomali.threatstream.update_id": "1541655552",
+ "anomali.threatstream.value_type": "ip",
"event.category": "threat",
"event.dataset": "threatintel.anomalithreatstream",
"event.kind": "enrichment",
@@ -4318,33 +4639,20 @@
"log.offset": 52708,
"service.type": "threatintel",
"tags": [
+ "forwarded",
"threatintel-anomalithreatstream",
"vjb9lmpcf"
],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 12,
- "threatintel.anomalithreatstream.detail2": "imported by user 445",
- "threatintel.anomalithreatstream.id": 1049633552,
- "threatintel.anomalithreatstream.itype": "c2_ip",
- "threatintel.anomalithreatstream.maltype": "malware:tos5xne",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P17175297976/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 274,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "683",
- "719"
- ],
- "threatintel.anomalithreatstream.update_id": 1541655552,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2021-04-29T16:02:26.000Z",
- "threatintel.indicator.ip": "192.0.2.169",
- "threatintel.indicator.last_seen": "2021-04-29T16:02:26.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2021-04-29T16:02:26.000Z",
+ "threat.indicator.ip": "192.0.2.169",
+ "threat.indicator.last_seen": "2021-04-29T16:02:26.000Z",
+ "threat.indicator.marking.tlp": [
"White"
],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go
index 4f915c83f55..d0fa140db90 100644
--- a/x-pack/filebeat/module/threatintel/fields.go
+++ b/x-pack/filebeat/module/threatintel/fields.go
@@ -19,5 +19,5 @@ func init() {
// AssetThreatintel returns asset data.
// This is the base64 encoded zlib format compressed contents of module/threatintel.
func AssetThreatintel() string {
- return "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"
+ return "eJzsXNtz2zaXf89fccYvSWYUNXGTztYPO+PmsvGM23R9yfZNAwFHIlYgwAKgFPWv/wYASVEUSEk25Ob7pn6yeDnnh4NzB8BXsMD1BdhMI7FcWhTPACy3ArsXNQokBi9gipY8A2BoqOaF5UpewH8/AwC48y+Af0PwOUqK8IkLnLqrvypWChw/A5hxFMxc+FdegSQ5XsDZmf8JYNcFXsBcq7KorrQfb78S4I25ZJwSq/R4xgWOM2KysRUma56vaS5wvVKata5HhlD/3WUIjt5zAzwvlLbgaI6Az4AsCRdk6sZyDCaTkR//620yVIEcONKHopohsrG70gti8E1GTDZVRLMJZ3uHURMg09IgzcY5ESuidzm3J3rP4D95PYCZ0nDpqL7/DL8GqrXiXVWqWv91NWcDywlx4hBsceibkUFY4FXcvwvzEo1BBtM13N9cZ6Q04+bZCArD55LYUidBUctiRnIu+HqQcamFAzdhaiWFIiwF/2tFibsDL+5vrl/CKkONsFYlUCKhZgQEqCrWoGZgM278PAwiXXJdGqssEWONphQ2BdTLr8DQIvVwtUd9KIgCNUUZQzETitgHYuASKsKH4hBcLpLMGpcLsApshvC1IQ8anc8b95pzqcX3Yso8ifY6z3r1IeglOvs4yH40zlC7MJdyKirPASit3mvGE2OJLU0qEdBSa5QWAtVaHPc312P4XRnDpwJhSUSJBojGC1BScIkjULOZ+weIZFDKhVSrYYsKcSUV6kANqNIaTaEk43IelJobqCKPH8QQpKkgdCG4sWZsSj0VKcDd3t/8cr2hXIm1R5buCWRehFLZSfh5KOKC5MGjJwJe0YMPMfxDoILnQJ1qbu9W3FrUkBHJBNYaWXMBmxHrkqD6CtuZdHihNBCp5DpXpXk5CF4Q3Zb5BvpUKYFEHg79KmSAaFwgtJlHiluwHOgpomwhD244U8Y6BS60WnKGGl5YXSIoDTMiDL4ctCsyT+ILLr02emmTuQFijKKcOJArbjMP888SNUfWHtNuuJAqJ4KPBc9VqngRSH4fcWKT50cYdjLtR7F0tA5iWhBnLTIV34rcoUNeEsHZZKZVHgHAiMXDuf9fhnKbIayISxi1sTBTpWTOIrgBqqRxZoIssI/hyhXjMx617CSoBDE2xmTjV6YokgXpQM0V5KTlNhpEMd2P3HsUBB+3dlRi5C0Uv5G8EOiKUnfXF0bcAFM54XIU/PNKlYLBFP0Tnlhs2low0ji11u2D9Nk3QpLIzBGqHpn67GQfa6qkjRcaRzP/+M1qAha/WWcyzaNLrJn0qlJUJomq5rstK3JERr5UbKvQFOGs1hvMCRcjX2x/JiZ7dfv58vzdT2cxiGr6/0jtJCd6weXcZenJbO/27uoPaNL+ilOkTqoCX8hMjdVI8pMEwNsu6W4AjKmWIMbwGQ/1egrJ7GY7RLYmlxsoNF8SG7IYrXIgUJRTwSnMsMp5mwZWdUesxx0unaz5oiY6qt7Yfr7SoeapQYkoOeOsp5AzmdJHFPZOS3IkptSNgySUlprQNbzwY3/t7OzN69cvXV7F5zI0jNrz+dwJDBmn3kqJJGJtOTVgkWZSCTVfOxKNgIczcoaWcHEeGZlzCYcP7IOnE/yIU8Sol2jJ/Sqv8trpGkqDGt6eD+J8ogQtxtkjnRg0his5SQOkBSI0kCvyoWShbrJ9tdL2gkpuqcEw6FSO+GrLCe81ujNS2Elwymej8Mu75voHL+r/Si3ORh1yZ1NVP0LPW2To+eaqfw/O+HlRXcuJaB7t0nP3Gv7ux+aVnL2r/61IFkQvkFWPFBk3Wf1ul2y42X6wImEokdV1V3S3hmCqF7qkTGkKTrny/db6Yau0e9h7PvdDo7QTqwldoPasBuc+J6Jn9ldcMEqOm/6Z0nlo3WqcE+27J6Sp63w/eT0CAu+/foSrDyMI9XRw89YSunBXQqQbRUvFw6wwZ+9SqLNLDrx/OpyzRqNKTXFSap4Cwo1Lp5
znvr+52oVSOeQ9SwO4RM3tOgWc95pbTongdh2dnqp95iOxd06mLArBu95pr2cQajWCHBkv8xFkfJ6NYIl6/cr9OzxYL/0UQ731lIamH9oh6tJFVmP3Y5s44aQLDBt8FufaK0XgMywm261VHyolR6gCwc1eKRGfhgwhs7o0FtmEck0FTjhLkm9vImhFHwL9oKQ8bxp+h9p5WbhqP9E03nticPVhX4s+CbOb6yN9mjfKZEucH4gloZIfKpsh5hV4MWpq/1KLppDL2bv+9aUq+EzJX4ToRIVTvcL0iyf6Pa4ZbyOMVbZPs2L8XfSTjfc+MVDt/SURcF3tiM1pqzqqVqZNB3GgJZScd24MjhPgtzKfonYjbSiHireS9u7ctv3TaZBUdA/G4Qw0CmJXtHHhbkj9D0rUnO6A69ejA0a2UV2D6FfP54ENuJQcrCazWbcdsIF0dXdqNFd3vUBaDaKwIBVR4J2pHo6SDKXlM46m7rgGy/GNaVNOc27DsmLFUEQNnSqGE+ddkiSciqF3Va6S4K36og5hXdtuFI+bIpW3v7r9/e9aJLq0VvNp2ckOWv1JPaeJspAvek4k/yuI973K81K6NH+TOuFya1fJFohTYDiAc6g3JgKXKOIQjrOAapY9veDj3vkO26jahPQGuAnLr8pYoFU1FI8sM5VEARjj7g4RTdudb5XZW+32XkH5tqbJ0qxIN0tXnp33Dg39GPOyTNeQu7/vqMVO47wVkONFznHrdI6pT8/VzCmB3OHsx1814aL+uTbhCVVldBnmOB39rFaQE7neEPa7PoBLKkqGzIUNAobLudgvIstzNJbkRRI5NdQeLCzGTRhUouWEDy16IUluWYxz7FFj0apQpu4GToSisQ1yR5vNLVrL5dyENYJ5qZGBkiG8+KUqxw0cN/C9XW72Tp97ONEuk2BS9a4tD2pr4ripuDkXJNWQl5mk06pLCytXojuKcWWKebamxsmI5nI+8XE/UYjaXhXwlJEFWAaa7ovZG7oYN2QqnFPQXiXjCv+QeWxR9KvlgRELSoW7UxtDh98sSmYmT+G6gVvI+TyzFdeeFGOcDonqpBmxKDogHAcm5ZacLTh+f84DAJ1qprbAPQCXUJTEGlcP9VARp0REazFYY64s7jRBt1PmhLrUnzZzCauM0yzut5q9eg53L86UataD1CtcCqwpNbAHq1fMFFhTa2UPXr+jq1ZQs5a0wnWInjbpXUJl3Zh1Q/1Ym97ASrl9p90QPgwafGrt7qkawbxYvh25qP/Gr4aakmbDQ6DE4lzpJGtjftN7Re8RQzn7De1K6QVcUsuX3K6j+5Jas6B6FkkeqsobzCar99aR0ipXcVIixLpWZN9vJS6A3g5DPFVoGpbuMCb/SMKUMFh5mNY0CPeUQscXjduAmk3jDR9kI+c9NRqU1WYbv6qIGqRvAJs9mniiWnLL328G4Hyr3zSQPcR5UZXniTZFvg+kDOSEYY1kg5Nbg2I2jOZUhYqn19LHik91vaOTpkDKZ5y2cA0rKApMdcahay6tIw25WtZR87gpfpoKq0GKcqvMShBgq82npwj/X6r8OW5afGNZByEcEO+jsoFGyLvK0Sz2dSrJ/bbmV5NTId3avd7wGAHDAsPhsQq9H5LgC4Qzv3TtkpRqAfuV0TQa5P2e6m92fNpM0CBVkhG9frjK7gI9VW54LNhHZIm7gzp1tviowR2WN0ZmKnX+GBvF4zLJXdCnyigPnYHDUD5NjpkW80myzhjEVPlnRKOfIg+NDekhGWnEy5w4M40h74+bu/i+r1w1MpoDFT159jqo5UfnsVHT/Bvz2ZOkCU+c4UZVfzjX7cX8JDlvn0odm/3ujuJ7z4Kbbq399qyL8WHbeL7c/fFvcNT7n/O18M/52v/087Wb0zJUaYZsVnY2Ij/Gzm8qovDJUz3c5lur39J2D8wM7Vvds6vzo6cWjho0+a0BUn8SrfNCfBdsr0tqg+vbdnrAxtMG5vY+w/qvOcFxxouLNz
+fj1+Pz8dvfjzrRbmzcJkap2Mwhq/eu9WbQcO8DeM/BPyO4aQGHzseuQ3zqrhkTKMxZ1EN9RvX33dP5w1D3AOv/f2urg1dtb/D6NgGkavBUz8N1mKiiZx3JRqg9tzcg/XGveLiwtXvZu/po5ZYn9ez//qHNz89j6LV3CxSWf4NN4vKno+1cro5aderidO1janpAWrogbVYwIvXr96+3NXICJprMsXuln5IYxw7qPznScbwRfq5/k1JHMG9LE1JxAhum8OwI/iViPrfr6jXm9/9Q8JlOKYfzqJ3T0pA62N8xFqU+IgxPTcNt90Tm11chird73x2vyBwnHQ9dTfbP/88MN3OBm6tq75PM9Gb8yQe1E0p0ICaGtSuRCYuNs4I9cfYZxA+IyibV7R7eo+P/+Hd237v7kdX5jnR/abVPzw+l0rjhEzVEi/gzevzt4+ZjgBjz2jcqN+9bcuq2qYp1o3UxrvjBchLYfmkz9W0ZbLz/YauQAYekErn5iJ8Uqxf6A53r7gjR5LgWFXSW1q0m2yGbOvPRFlmyCr/t84ur/lUb+tTf00Zzo6ySfSrhcc1KK83X4uqPplq+VbetXHgmIpn1VjxFAc44reCazQpOH50pA5iRomgpUg10hbfmvAAhmYjckIhh6/RDLJN99XOimf1wc4VtxkPXZteHd9pWkyStZW+aD7nkohW4dml3SztsiVqQzTHNAdMN+RCzUY0guBysam6Q78tBqU5khFBEs8k9lXeBuvPNwLZnAWqGnpApqq0QGQN6V8BAAD///eBqM4="
}
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml
index 16a50f3a0ff..ea68e4c23cb 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: malwarebazaar
+- name: abusech.malwarebazaar
type: group
description: >
Fields for Malware Bazaar Threat Intel
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
index a8cbef0b52b..6c90f1d86dc 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
@@ -5,19 +5,14 @@ interval: {{ .interval }}
request.method: POST
{{ if .ssl }}
-
request.ssl: {{ .ssl | tojson }}
{{ end }}
{{ if .proxy_url }}
request.proxy_url: {{ .proxy_url }}
{{ end }}
request.url: {{ .url }}
-#request.encode_as: application/x-www-form-encoded
-
+request.encode_as: application/x-www-form-urlencoded
request.transforms:
-- set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
- set:
target: url.params.query
value: get_recent
@@ -39,17 +34,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields: ["json.md5_hash"]
- target_field: "@metadata._id"
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
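Review bot: The `{{range $val := .tags}}` loop renders every user-configured tag as a plain YAML scalar, whereas the removed `tags: {{.tags | tojson}}` produced a quoted flow sequence; a tag such as `on`, `1.10` or one containing `: ` or ` #` would now be retyped or break the rendered config at parse time. Quoting each element restores the earlier guarantee and `tojson` is already used in this file for `request.ssl`: `  - {{$val | tojson}}`. The fixed `preserve_original_event` entry is safe as written, and `publisher_pipeline.disable_host` still tests `.tags`, so it is unaffected by the extra entry.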
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml
index c2c4b51810d..0a5aca9dbb3 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml
@@ -1,4 +1,5 @@
-description: Pipeline for parsing Malware Bazaar Threat Intel
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
processors:
####################
# Event ECS fields #
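Review bot: The new `description` reads `Pipeline for parsing Abuse.ch URL Threat Intel`, but this file is the MalwareBazaar pipeline (the later hunk renames its fields to `abusech.malwarebazaar`), so the text appears to have been copied from the abuse.ch URL module. Suggest `description: Pipeline for parsing Abuse.ch MalwareBazaar Threat Intel`. The added `---` document start is fine.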
@@ -6,6 +7,9 @@ processors:
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
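Review bot: `ecs.version` is set here to `"1.12"`, while the beat-side `add_fields` processor that this commit removes from config.yml wrote `1.12.0`; ECS documents the field as a full three-part version string, so anything filtering or visualising on the exact previous value would no longer match. If the two-part form is deliberate and consistent with the other threatintel pipelines touched by this change it can stand, otherwise `value: "1.12.0"` keeps continuity with the old events.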
@@ -20,148 +24,182 @@ processors:
# General ECS fields #
######################
- rename:
- field: json
- target_field: threatintel.malwarebazaar
- ignore_missing: true
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.malwarebazaar
+ - fingerprint:
+ fields:
+ - abusech.malwarebazaar.md5_hash
+ - abusech.malwarebazaar.sha256_hash
+ target_field: "_id"
#####################
# Threat ECS Fields #
#####################
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] AbuseCH MalwareBazaar"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
- date:
- field: threatintel.malwarebazaar.first_seen
- target_field: threatintel.indicator.first_seen
+ field: abusech.malwarebazaar.first_seen
+ target_field: threat.indicator.first_seen
formats:
- "yyyy-MM-dd HH:mm:ss z"
- "yyyy-MM-dd HH:mm:ss Z"
- "yyyy-MM-dd HH:mm:ss"
- if: "ctx?.threatintel?.malwarebazaar.first_seen != null"
+ if: "ctx.abusech?.malwarebazaar?.first_seen != null"
- date:
- field: threatintel.malwarebazaar.last_seen
- target_field: threatintel.indicator.last_seen
+ field: abusech.malwarebazaar.last_seen
+ target_field: threat.indicator.last_seen
formats:
- "yyyy-MM-dd HH:mm:ss z"
- "yyyy-MM-dd HH:mm:ss Z"
- "yyyy-MM-dd HH:mm:ss"
- if: "ctx?.threatintel?.malwarebazaar.last_seen != null"
+ if: "ctx.abusech?.malwarebazaar?.last_seen != null"
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- rename:
- field: threatintel.malwarebazaar.file_name
- target_field: threatintel.indicator.file.name
+ field: abusech.malwarebazaar.file_name
+ target_field: threat.indicator.file.name
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.file_type_mime
- target_field: threatintel.indicator.file.mime_type
+ field: abusech.malwarebazaar.file_type_mime
+ target_field: threat.indicator.file.mime_type
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.reporter
- target_field: threatintel.indicator.provider
+ field: abusech.malwarebazaar.reporter
+ target_field: threat.indicator.provider
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.origin_country
- target_field: threatintel.indicator.geo.country_iso_code
+ field: abusech.malwarebazaar.origin_country
+ target_field: threat.indicator.geo.country_iso_code
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.signature
- target_field: threatintel.indicator.signature
+ field: abusech.malwarebazaar.signature
+ target_field: threat.software.alias
ignore_missing: true
- foreach:
- field: threatintel.malwarebazaar.code_sign
+ field: abusech.malwarebazaar.code_sign
ignore_missing: true
processor:
rename:
- field: subject_cn
- target_field: threatintel.indicator.file.x509.subject.common_name
+ field: _ingest._value.subject_cn
+ target_field: threat.indicator.file.x509.subject.common_name
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
rename:
- field: issuer_cn
- target_field: threatintel.indicator.file.x509.issuer.common_name
+ field: _ingest._value.issuer_cn
+ target_field: threat.indicator.file.x509.issuer.common_name
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
rename:
- field: algorithm
- target_field: threatintel.indicator.file.x509.public_key_algorithm
+ field: _ingest._value.algorithm
+ target_field: threat.indicator.file.x509.public_key_algorithm
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
rename:
- field: valid_from
- target_field: threatintel.indicator.file.x509.not_before
+ field: _ingest._value.valid_from
+ target_field: threat.indicator.file.x509.not_before
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
rename:
- field: valid_to
- target_field: threatintel.indicator.file.x509.not_after
+ field: _ingest._value.valid_to
+ target_field: threat.indicator.file.x509.not_after
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
rename:
- field: serial_number
- target_field: threatintel.indicator.file.x509.serial_number
+ field: _ingest._value.serial_number
+ target_field: threat.indicator.file.x509.serial_number
- rename:
- field: threatintel.malwarebazaar.file_size
- target_field: threatintel.indicator.file.size
+ field: abusech.malwarebazaar.file_size
+ target_field: threat.indicator.file.size
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.file_type
- target_field: threatintel.indicator.file.extension
+ field: abusech.malwarebazaar.file_type
+ target_field: threat.indicator.file.extension
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.md5_hash
- target_field: threatintel.indicator.file.hash.md5
+ field: abusech.malwarebazaar.md5_hash
+ target_field: threat.indicator.file.hash.md5
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.sha256_hash
- target_field: threatintel.indicator.file.hash.sha256
+ field: abusech.malwarebazaar.sha256_hash
+ target_field: threat.indicator.file.hash.sha256
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.sha1_hash
- target_field: threatintel.indicator.file.hash.sha1
+ field: abusech.malwarebazaar.sha1_hash
+ target_field: threat.indicator.file.hash.sha1
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.sha3_384_hash
- target_field: threatintel.indicator.file.hash.sha384
+ field: abusech.malwarebazaar.sha3_384_hash
+ target_field: threat.indicator.file.hash.sha384
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.imphash
- target_field: threatintel.indicator.file.pe.imphash
+ field: abusech.malwarebazaar.imphash
+ target_field: threat.indicator.file.pe.imphash
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.ssdeep
- target_field: threatintel.indicator.file.hash.ssdeep
+ field: abusech.malwarebazaar.ssdeep
+ target_field: threat.indicator.file.hash.ssdeep
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.tlsh
- target_field: threatintel.indicator.file.hash.tlsh
+ field: abusech.malwarebazaar.tlsh
+ target_field: threat.indicator.file.hash.tlsh
ignore_missing: true
- rename:
- field: threatintel.malwarebazaar.telfhash
- target_field: threatintel.indicator.file.elf.telfhash
+ field: abusech.malwarebazaar.telfhash
+ target_field: threat.indicator.file.elf.telfhash
ignore_missing: true
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.md5 }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null
+ value: "{{ threat.indicator.file.hash.md5 }}"
+ if: ctx?.threat?.indicator?.file?.hash?.md5 != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.sha256 }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null
+ value: "{{ threat.indicator.file.hash.sha256 }}"
+ if: ctx?.threat?.indicator?.file?.hash?.sha256 != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.ssdeep }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null
+ value: "{{ threat.indicator.file.hash.ssdeep }}"
+ if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.pe.imphash }}"
- if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null
+ value: "{{ threat.indicator.file.pe.imphash }}"
+ if: ctx?.threat?.indicator?.file?.pe?.imphash != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.elf.telfhash }}"
- if: ctx?.threatintel?.indicator?.file?.elf?.telfhash != null
+ value: "{{ threat.indicator.file.elf.telfhash }}"
+ if: ctx?.threat?.indicator?.file?.elf?.telfhash != null
- append:
field: related.hash
- value: "{{ threatintel.indicator.file.hash.tlsh }}"
- if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null
+ value: "{{ threat.indicator.file.hash.tlsh }}"
+ if: ctx?.threat?.indicator?.file?.hash?.tlsh != null
- convert:
- field: threatintel.indicator.file.size
+ field: threat.indicator.file.size
type: long
ignore_missing: true
- convert:
- field: threatintel.malwarebazaar.intelligence.downloads
+ field: abusech.malwarebazaar.intelligence.downloads
type: long
ignore_missing: true
- convert:
- field: threatintel.malwarebazaar.intelligence.uploads
+ field: abusech.malwarebazaar.intelligence.uploads
type: long
ignore_missing: true
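Review bot: The new `fingerprint` processor that builds `_id` from `abusech.malwarebazaar.md5_hash` and `sha256_hash` has no `ignore_missing`, so a record lacking either hash fails the whole document, while the sibling `rename` processors for those same two fields assume they can be absent (`ignore_missing: true`); add `ignore_missing: true` to the fingerprint block, or drop it from the renames if the hashes are genuinely mandatory. The same gap applies to the six `foreach` blocks over `code_sign`: each inner `rename` has no `ignore_missing`, and because they all write to one fixed `threat.indicator.file.x509.*` target, a second array element (should the feed ever return more than one signer; the fixtures only show `[]`) would fail with a target-already-exists error instead of being recorded. Separately, the unchanged mapping of `sha3_384_hash` into `threat.indicator.file.hash.sha384` labels a SHA3-384 digest as SHA-384; these are different algorithms, so matches against genuine SHA-384 observations will silently never fire, and a comment such as `# NOTE: source value is SHA3-384, not SHA-384` would at least flag this for consumers.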
@@ -169,12 +207,12 @@ processors:
# Cleanup processors #
######################
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx?.threat?.indicator?.type == null
- script:
lang: painless
- if: ctx?.threatintel != null
+ if: ctx?.abusech != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
@@ -196,10 +234,15 @@ processors:
}
}
handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- remove:
field:
- - threatintel.malwarebazaar.first_seen
- - threatintel.malwarebazaar.last_seen
+ - abusech.malwarebazaar.first_seen
+ - abusech.malwarebazaar.last_seen
- message
ignore_missing: true
on_failure:
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
index e9294ca9e2e..b90ea0d9562 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
@@ -11,6 +11,8 @@ var:
- name: tags
default: [threatintel-malwarebazaar, forwarded]
- name: proxy_url
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json
index 1d84eda36cb..40b3f4289ec 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json
@@ -1,5 +1,12 @@
[
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 15,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "exe"
+ ],
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -20,30 +27,29 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "exe",
- "threatintel.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd",
- "threatintel.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e",
- "threatintel.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b",
- "threatintel.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e",
- "threatintel.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG",
- "threatintel.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "SALM0BRU.exe",
- "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
- "threatintel.indicator.file.size": 399872,
- "threatintel.indicator.first_seen": "2021-04-06T20:34:58.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.provider": "James_inthe_box",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 15,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "exe"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "exe",
+ "threat.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd",
+ "threat.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e",
+ "threat.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b",
+ "threat.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e",
+ "threat.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG",
+ "threat.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "SALM0BRU.exe",
+ "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threat.indicator.file.size": 399872,
+ "threat.indicator.first_seen": "2021-04-06T20:34:58.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.provider": "James_inthe_box",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 11,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -63,26 +69,31 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "zip",
- "threatintel.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac",
- "threatintel.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795",
- "threatintel.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f",
- "threatintel.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7",
- "threatintel.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr",
- "threatintel.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF",
- "threatintel.indicator.file.mime_type": "application/zip",
- "threatintel.indicator.file.name": "PO_NO.ENQUIRY-210604.zip",
- "threatintel.indicator.file.size": 476768,
- "threatintel.indicator.first_seen": "2021-04-06T20:32:25.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.provider": "GovCERT_CH",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 11,
- "threatintel.malwarebazaar.intelligence.uploads": 1
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "zip",
+ "threat.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac",
+ "threat.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795",
+ "threat.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f",
+ "threat.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7",
+ "threat.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr",
+ "threat.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF",
+ "threat.indicator.file.mime_type": "application/zip",
+ "threat.indicator.file.name": "PO_NO.ENQUIRY-210604.zip",
+ "threat.indicator.file.size": 476768,
+ "threat.indicator.first_seen": "2021-04-06T20:32:25.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.provider": "GovCERT_CH",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 30,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "Hancitor"
+ ],
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -103,31 +114,34 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "dll",
- "threatintel.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277",
- "threatintel.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3",
- "threatintel.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b",
- "threatintel.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc",
- "threatintel.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG",
- "threatintel.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "DropDll.dat",
- "threatintel.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844",
- "threatintel.indicator.file.size": 435926,
- "threatintel.indicator.first_seen": "2021-04-06T20:12:29.000Z",
- "threatintel.indicator.geo.country_iso_code": "DE",
- "threatintel.indicator.provider": "DmitriyMelikov",
- "threatintel.indicator.signature": "Hancitor",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 30,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "Hancitor"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "dll",
+ "threat.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277",
+ "threat.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3",
+ "threat.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b",
+ "threat.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc",
+ "threat.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG",
+ "threat.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "DropDll.dat",
+ "threat.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844",
+ "threat.indicator.file.size": 435926,
+ "threat.indicator.first_seen": "2021-04-06T20:12:29.000Z",
+ "threat.indicator.geo.country_iso_code": "DE",
+ "threat.indicator.provider": "DmitriyMelikov",
+ "threat.indicator.type": "file",
+ "threat.software.alias": "Hancitor"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 27,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "backdoor",
+ "python"
+ ],
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -147,30 +161,31 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "unknown",
- "threatintel.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5",
- "threatintel.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099",
- "threatintel.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00",
- "threatintel.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c",
- "threatintel.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7",
- "threatintel.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD",
- "threatintel.indicator.file.mime_type": "text/x-script.python",
- "threatintel.indicator.file.name": "vabsheche.py",
- "threatintel.indicator.file.size": 11717,
- "threatintel.indicator.first_seen": "2021-04-06T20:07:59.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "ArkbirdDevil",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 27,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "backdoor",
- "python"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "unknown",
+ "threat.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5",
+ "threat.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099",
+ "threat.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00",
+ "threat.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c",
+ "threat.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7",
+ "threat.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD",
+ "threat.indicator.file.mime_type": "text/x-script.python",
+ "threat.indicator.file.name": "vabsheche.py",
+ "threat.indicator.file.size": 11717,
+ "threat.indicator.first_seen": "2021-04-06T20:07:59.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "ArkbirdDevil",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 21,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "maldoc"
+ ],
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -190,29 +205,32 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "docx",
- "threatintel.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019",
- "threatintel.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6",
- "threatintel.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4",
- "threatintel.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f",
- "threatintel.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2",
- "threatintel.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144",
- "threatintel.indicator.file.mime_type": "application/msword",
- "threatintel.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin",
- "threatintel.indicator.file.size": 7929856,
- "threatintel.indicator.first_seen": "2021-04-06T20:00:48.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "ArkbirdDevil",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 21,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "maldoc"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "docx",
+ "threat.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019",
+ "threat.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6",
+ "threat.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4",
+ "threat.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f",
+ "threat.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2",
+ "threat.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144",
+ "threat.indicator.file.mime_type": "application/msword",
+ "threat.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin",
+ "threat.indicator.file.size": 7929856,
+ "threat.indicator.first_seen": "2021-04-06T20:00:48.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "ArkbirdDevil",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 30,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "apt",
+ "tonto"
+ ],
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -233,31 +251,29 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "dll",
- "threatintel.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917",
- "threatintel.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143",
- "threatintel.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c",
- "threatintel.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58",
- "threatintel.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E",
- "threatintel.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "winlog.wll",
- "threatintel.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9",
- "threatintel.indicator.file.size": 131584,
- "threatintel.indicator.first_seen": "2021-04-06T19:58:50.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "ArkbirdDevil",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 30,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "apt",
- "tonto"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "dll",
+ "threat.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917",
+ "threat.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143",
+ "threat.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c",
+ "threat.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58",
+ "threat.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E",
+ "threat.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "winlog.wll",
+ "threat.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9",
+ "threat.indicator.file.size": 131584,
+ "threat.indicator.first_seen": "2021-04-06T19:58:50.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "ArkbirdDevil",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 32,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -277,26 +293,33 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "docx",
- "threatintel.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989",
- "threatintel.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742",
- "threatintel.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606",
- "threatintel.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4",
- "threatintel.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO",
- "threatintel.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7",
- "threatintel.indicator.file.mime_type": "application/msword",
- "threatintel.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample",
- "threatintel.indicator.file.size": 1088000,
- "threatintel.indicator.first_seen": "2021-04-06T19:58:44.000Z",
- "threatintel.indicator.geo.country_iso_code": "DE",
- "threatintel.indicator.provider": "DmitriyMelikov",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 32,
- "threatintel.malwarebazaar.intelligence.uploads": 1
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "docx",
+ "threat.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989",
+ "threat.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742",
+ "threat.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606",
+ "threat.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4",
+ "threat.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO",
+ "threat.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7",
+ "threat.indicator.file.mime_type": "application/msword",
+ "threat.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample",
+ "threat.indicator.file.size": 1088000,
+ "threat.indicator.first_seen": "2021-04-06T19:58:44.000Z",
+ "threat.indicator.geo.country_iso_code": "DE",
+ "threat.indicator.provider": "DmitriyMelikov",
+ "threat.indicator.type": "file"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 38,
+ "abusech.malwarebazaar.intelligence.mail.Generic": "low",
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "SnakeKeylogger",
+ "exe"
+ ],
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -317,33 +340,35 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "exe",
- "threatintel.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a",
- "threatintel.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934",
- "threatintel.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b",
- "threatintel.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d",
- "threatintel.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0",
- "threatintel.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "Purchase Order.8000.scan.pdf...exe",
- "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
- "threatintel.indicator.file.size": 752128,
- "threatintel.indicator.first_seen": "2021-04-06T19:52:32.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "James_inthe_box",
- "threatintel.indicator.signature": "SnakeKeylogger",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 38,
- "threatintel.malwarebazaar.intelligence.mail.Generic": "low",
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "SnakeKeylogger",
- "exe"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "exe",
+ "threat.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a",
+ "threat.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934",
+ "threat.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b",
+ "threat.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d",
+ "threat.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0",
+ "threat.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "Purchase Order.8000.scan.pdf...exe",
+ "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threat.indicator.file.size": 752128,
+ "threat.indicator.first_seen": "2021-04-06T19:52:32.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "James_inthe_box",
+ "threat.indicator.type": "file",
+ "threat.software.alias": "SnakeKeylogger"
},
{
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 40,
+ "abusech.malwarebazaar.intelligence.mail.Generic": "low",
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "AgentTesla",
+ "exe"
+ ],
"event.category": "threat",
"event.dataset": "threatintel.malwarebazaar",
"event.kind": "enrichment",
@@ -364,30 +389,23 @@
"forwarded",
"threatintel-malwarebazaar"
],
- "threatintel.indicator.file.extension": "exe",
- "threatintel.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3",
- "threatintel.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5",
- "threatintel.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8",
- "threatintel.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c",
- "threatintel.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN",
- "threatintel.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "New Order PO#121012020_____PDF_______.exe",
- "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
- "threatintel.indicator.file.size": 836096,
- "threatintel.indicator.first_seen": "2021-04-06T19:47:13.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "James_inthe_box",
- "threatintel.indicator.signature": "AgentTesla",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 40,
- "threatintel.malwarebazaar.intelligence.mail.Generic": "low",
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "AgentTesla",
- "exe"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "exe",
+ "threat.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3",
+ "threat.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5",
+ "threat.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8",
+ "threat.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c",
+ "threat.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN",
+ "threat.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "New Order PO#121012020_____PDF_______.exe",
+ "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threat.indicator.file.size": 836096,
+ "threat.indicator.first_seen": "2021-04-06T19:47:13.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "James_inthe_box",
+ "threat.indicator.type": "file",
+ "threat.software.alias": "AgentTesla"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml
index 922f794af20..53ce56b16a2 100644
--- a/x-pack/filebeat/module/threatintel/misp/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml
@@ -12,18 +12,24 @@ request.proxy_url: {{ .proxy_url }}
{{ end }}
request.url: {{ .url }}
request.body:
- limit: 100
- page: 1
- returnFormat: json
-{{if .filters}}
- {{ range $key, $value := .filters}}{{$key}}: {{$value | tojson}}{{end}}
-{{end}}
+{{ if .filters }}
+ {{ .filters | tojson}}
+{{ end }}
request.transforms:
{{ if .api_token }}
- set:
target: header.Authorization
value: {{ .api_token }}
-{{end}}
+{{ end }}
+- set:
+ target: body.page
+ value: 1
+- set:
+ target: body.limit
+ value: 10
+- set:
+ target: body.returnFormat
+ value: json
- set:
target: body.timestamp
value: '[[.cursor.timestamp]]'
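Review bot: The page size silently drops from the old `limit: 100` in the request body to `value: 10` in the new `body.limit` transform, and because the `set` transforms are applied after the templated body, any `limit`, `page` or `returnFormat` key a user puts in `filters` is overwritten without notice. If the smaller page is deliberate it deserves a comment on the transform, e.g. `# Fixed page size; user-supplied filters cannot override limit/page/returnFormat`, and the module docs for `filters` should say the same. If it is not deliberate, `value: 100` restores the previous behaviour.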
@@ -63,28 +69,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields:
- - json.Event.Attribute.uuid
- - json.Event.Object.Attribute.uuid
- ignore_missing: true
- target_field: "@metadata._id"
- encoding: base64
- - script:
- lang: javascript
- id: my_filter
- source: >
- function process(event) {
- event.Put("@metadata.op_type", "index");
- }
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
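Review bot: Each tag is now emitted as a plain scalar via `- {{$val}}`, whereas the removed line passed the whole list through `tojson`; a tag such as `no`, `on`, `1.10`, or one containing `: ` or ` #` will be retyped by the YAML parser or break the rendered config. Rendering each item as `  - {{ $val | tojson }}` keeps the per-item layout and the quoting guarantee the old form had. The same applies to the literal `preserve_original_event` only by coincidence, since it is a safe plain scalar.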
diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
index e64379422db..f4f54c903b9 100644
--- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -1,3 +1,4 @@
+---
description: Pipeline for parsing MISP Threat Intel
processors:
####################
@@ -6,6 +7,9 @@ processors:
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
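Review bot: The new `ecs.version` is written as `"1.12"` while the `add_fields` processor this commit removes from config.yml set `ecs.version: 1.12.0`; consumers that compare the field against a three-part version will see a different value. Unless the two-part form is the convention in the other filesets, `value: "1.12.0"` keeps the field stable across the migration.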
@@ -19,236 +23,253 @@ processors:
######################
# General ECS fields #
######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - fingerprint:
+ fields:
+ - json.Event.Attribute.uuid
+ - json.Event.Object.Attribute.uuid
+ target_field: "_id"
+ ignore_missing: true
- rename:
field: json.Event
- target_field: threatintel.misp
+ target_field: misp
ignore_missing: true
- set:
- field: threatintel.indicator.provider
+ field: threat.indicator.provider
value: misp
- if: ctx?.threatintel?.misp?.Orgc?.local != 'false'
+ if: ctx.misp?.Orgc?.local != 'false'
- set:
- field: threatintel.indicator.provider
+ field: threat.indicator.provider
value: "{{misp.Orgc.name}}"
- if: ctx?.threatintel?.misp?.Orgc?.local == 'false'
+ if: ctx.misp?.Orgc?.local == 'false'
ignore_empty_value: true
# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
- remove:
field:
- - threatintel.misp.ShadowAttribute
- - threatintel.misp.RelatedEvent
- - threatintel.misp.Galaxy
- - threatintel.misp.Attribute.Galaxy
- - threatintel.misp.Attribute.ShadowAttribute
- - threatintel.misp.EventReport
- - threatintel.misp.Object.Attribute.Galaxy
- - threatintel.misp.Object.Attribute.ShadowAttribute
- - message
+ - misp.ShadowAttribute
+ - misp.RelatedEvent
+ - misp.Galaxy
+ - misp.Attribute.Galaxy
+ - misp.Attribute.ShadowAttribute
+ - misp.EventReport
+ - misp.Object.Attribute.Galaxy
+ - misp.Object.Attribute.ShadowAttribute
ignore_missing: true
- remove:
field:
- - threatintel.misp.Attribute
+ - misp.Attribute
ignore_missing: true
- if: ctx?.threatintel?.misp?.Attribute.size() == 0
+ if: ctx.misp?.Attribute.size() == 0
- remove:
field:
- - threatintel.misp.Object
+ - misp.Object
ignore_missing: true
- if: ctx?.threatintel?.misp?.Object.size() == 0
+ if: ctx.misp?.Object.size() == 0
- date:
- field: threatintel.misp.timestamp
+ field: misp.timestamp
formats:
- UNIX
ignore_failure: true
- rename:
- field: threatintel.misp.Attribute
- target_field: threatintel.misp.attribute
+ field: misp.Attribute
+ target_field: misp.attribute
ignore_missing: true
- rename:
- field: threatintel.misp.Object
- target_field: threatintel.misp.object
+ field: misp.Object
+ target_field: misp.object
ignore_missing: true
- rename:
- field: threatintel.misp.object.Attribute
- target_field: threatintel.misp.object.attribute
+ field: misp.object.Attribute
+ target_field: misp.object.attribute
ignore_missing: true
- rename:
- field: threatintel.misp.Orgc
- target_field: threatintel.misp.orgc
+ field: misp.Orgc
+ target_field: misp.orgc
ignore_missing: true
- rename:
- field: threatintel.misp.Org
- target_field: threatintel.misp.org
+ field: misp.Org
+ target_field: misp.org
ignore_missing: true
- rename:
- field: threatintel.misp.Tag
- target_field: threatintel.misp.tag
+ field: misp.Tag
+ target_field: misp.tag
ignore_missing: true
# # Dance around issue of not being able to split the document into two.
# # Make the Object.Attribute field primary if it exists, but keep the
# # outer Attribute as context.
- rename:
- field: threatintel.misp.attribute
- target_field: threatintel.misp.context.attribute
+ field: misp.attribute
+ target_field: misp.context.attribute
ignore_missing: true
- if: ctx?.threatintel?.misp?.object != null
+ if: ctx.misp?.object != null
- rename:
- field: threatintel.misp.object.attribute
- target_field: threatintel.misp.attribute
+ field: misp.object.attribute
+ target_field: misp.attribute
ignore_missing: true
- if: ctx?.threatintel?.misp?.object != null
+ if: ctx.misp?.object != null
#####################
# Threat ECS Fields #
#####################
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] MISP"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
- rename:
- field: threatintel.misp.attribute.first_seen
- target_field: threatintel.indicator.first_seen
+ field: misp.attribute.first_seen
+ target_field: threat.indicator.first_seen
ignore_missing: true
- rename:
- field: threatintel.misp.attribute.last_seen
- target_field: threatintel.indicator.last_seen
+ field: misp.attribute.last_seen
+ target_field: threat.indicator.last_seen
ignore_missing: true
- convert:
- field: threatintel.misp.analysis
+ field: misp.analysis
type: long
- target_field: threatintel.indicator.scanner_stats
+ target_field: threat.indicator.scanner_stats
ignore_missing: true
- convert:
- field: threatintel.misp.threat_level_id
+ field: misp.threat_level_id
type: long
ignore_missing: true
## File/Hash indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- if: "ctx?.threatintel?.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename'))"
+ if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))"
- rename:
- field: threatintel.misp.attribute.value
- target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}"
+ field: misp.attribute.value
+ target_field: "threat.indicator.file.hash.{{misp.attribute.type}}"
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')"
+ if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')"
- rename:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.file.name
+ field: misp.attribute.value
+ target_field: threat.indicator.file.name
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'"
+ if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'"
- grok:
- field: threatintel.misp.attribute.type
+ field: misp.attribute.type
patterns:
- "%{WORD}\\|%{WORD:_tmp.hashtype}"
ignore_missing: true
- if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|')
+ if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
- grok:
- field: threatintel.misp.attribute.value
+ field: misp.attribute.value
patterns:
- - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}"
+ - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}"
ignore_missing: true
- if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|')
+ if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
- set:
- field: threatintel.indicator.file.hash.{{_tmp.hashtype}}
+ field: threat.indicator.file.hash.{{_tmp.hashtype}}
value: "{{_tmp.hashvalue}}"
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null"
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null"
## URL/URI indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: url
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)"
+ if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)"
- uri_parts:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.url
+ field: misp.attribute.value
+ target_field: threat.indicator.url
keep_original: true
remove_if_successful: true
- if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'
-
+ if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'
- set:
- field: threatintel.indicator.url.full
- value: "{{{threatintel.indicator.url.original}}}"
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
ignore_empty_value: true
- if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'"
+ if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'"
## Regkey indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: windows-registry-key
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')"
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')"
- rename:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.registry.key
+ field: misp.attribute.value
+ target_field: threat.indicator.registry.key
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'"
+ if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'"
- grok:
- field: threatintel.misp.attribute.value
+ field: misp.attribute.value
patterns:
- - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}"
+ - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}"
ignore_missing: true
- if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'"
+ if: "ctx.misp?.attribute?.type == 'regkey|value'"
## AS indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: autonomous-system
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'"
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'"
- convert:
- field: threatintel.misp.attribute.value
+ field: misp.attribute.value
type: long
- target_field: threatintel.indicator.as.number
+ target_field: threat.indicator.as.number
ignore_missing: true
- if: ctx?.threatintel?.indicator?.type == 'autonomous-system'
+ if: ctx.threat?.indicator?.type == 'autonomous-system'
## Domain/IP/Port indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: domain-name
- if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))"
+ if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))"
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: ipv4-addr
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)"
+ if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
- rename:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.url.domain
+ field: misp.attribute.value
+ target_field: threat.indicator.url.domain
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null"
+ if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null"
- rename:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.ip
+ field: misp.attribute.value
+ target_field: threat.indicator.ip
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)"
+ if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
- grok:
- field: threatintel.misp.attribute.value
+ field: misp.attribute.value
patterns:
- - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}"
+ - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}"
ignore_missing: true
- if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null
+ if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null
- grok:
- field: threatintel.misp.attribute.value
+ field: misp.attribute.value
patterns:
- - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}"
+ - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}"
ignore_missing: true
- if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)"
+ if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
## Email indicator operations
# Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp.
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: email-addr
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)"
+ if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: email-message
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)"
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
- rename:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.email.address
+ field: misp.attribute.value
+ target_field: threat.indicator.email.address
ignore_missing: true
- if: ctx?.threatintel?.indicator?.type == 'email-addr'
+ if: ctx.threat?.indicator?.type == 'email-addr'
- rename:
- field: threatintel.misp.event_creator_email
+ field: misp.event_creator_email
target_field: user.email
ignore_missing: true
- append:
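Review bot: The `threat.indicator.provider` branch for non-local organisations, `if: ctx.misp?.Orgc?.local == 'false'`, cannot fire when the feed sends `local` as a JSON boolean, because in Painless `false == 'false'` is false; the expected output in this same commit shows `misp.orgc.local: false` next to `threat.indicator.provider: misp` and `misp.orgc.name: CIRCL`, which looks like exactly that case. A type-tolerant pair of conditions, `if: ctx.misp?.Orgc?.local == null || ctx.misp.Orgc.local.toString() != 'false'` on the first `set` and `if: ctx.misp?.Orgc?.local != null && ctx.misp.Orgc.local.toString() == 'false'` on the second, would let the organisation name win for non-local events. Separately, the new `json` processor on `event.original` carries no `ignore_failure` or `on_failure`, so a single non-JSON line now fails the whole document instead of being tagged as the old `decode_json_fields` path did; worth confirming that is intended. The processors list continues beyond this hunk.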
@@ -258,14 +279,14 @@ processors:
## MAC Address indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: mac-addr
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)"
+ if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)"
- rename:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.mac
+ field: misp.attribute.value
+ target_field: threat.indicator.mac
ignore_missing: true
- if: ctx?.threatintel?.indicator?.type == 'mac-addr'
+ if: ctx.threat?.indicator?.type == 'mac-addr'
###################
# Tags ECS fields #
@@ -273,9 +294,9 @@ processors:
# Stripping special characters from tags
- script:
lang: painless
- if: ctx?.threatintel?.misp?.tag != null
+ if: ctx.misp?.tag != null
source: |
- def tags = ctx.threatintel.misp.tag.stream()
+ def tags = ctx.misp.tag.stream()
.map(t -> t.name.replace('\\', '').replace('"', ''))
.collect(Collectors.toList());
def tlpTags = tags.stream()
@@ -284,20 +305,45 @@ processors:
.collect(Collectors.toList());
ctx.tags = tags;
- ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ];
+ ctx.threat.indicator.marking = [ 'tlp': tlpTags ];
# Setting indicator type to unknown if it does not match anything
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx.threat?.indicator?.type == null
+
+ #################
+ # Convert types #
+ #################
+ - convert:
+ field: misp.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.context.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: threat.indicator.port
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.attribute_count
+ type: long
+ ignore_missing: true
######################
# Cleanup processors #
######################
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- script:
lang: painless
- if: ctx?.threatintel != null
+ if: ctx?.misp != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
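Review bot: The new `remove` of `event.original` decides on `ctx.tags.contains('preserve_original_event')`, but the tag-stripping script earlier in this hunk ends with `ctx.tags = tags;`, which replaces the input-level tags (including `preserve_original_event`, `forwarded` and `threatintel-misp`) with the MISP tag names whenever `misp.tag` is present, unless the lines hidden between the two hunks merge them. For tagged events the original would then be dropped even though the fileset variable was set; appending the MISP tags to the existing list, e.g. `if (ctx.tags == null) { ctx.tags = new ArrayList(); } ctx.tags.addAll(tags);`, keeps both the preserve flag and the `forwarded` marker that `publisher_pipeline.disable_host` relies on. Also, the added `convert` turns `misp.attribute.distribution` into a long while the expected output leaves `misp.distribution` as the string `"3"`; if both are the same enumeration they should be typed the same way. The script bodies begin and end outside this hunk.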
@@ -322,24 +368,24 @@ processors:
# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
- remove:
field:
- - threatintel.misp.attribute.value
+ - misp.attribute.value
ignore_missing: true
- if: ctx?.threatintel?.indicator?.type != 'unknown'
+ if: ctx.threat?.indicator?.type != 'unknown'
- remove:
field:
# This removes a number of fields that may be wanted in the future when
- # threatintel.misp.attribute and threatintel.misp.object.attribute can
+ # misp.attribute and misp.object.attribute can
# be separated. At the root of .object are fields that mirror fields at
- # the root of threatintel.misp.
- - threatintel.misp.object
+ # the root of misp.
+ - misp.object
ignore_missing: true
- remove:
field:
- - threatintel.misp.Attribute.timestamp
- - threatintel.misp.timestamp
- - threatintel.misp.tag
- - threatintel.misp.org
- - threatintel.misp.analysis
+ - misp.Attribute.timestamp
+ - misp.timestamp
+ - misp.tag
+ - misp.org
+ - misp.analysis
- _tmp
- json
ignore_missing: true
diff --git a/x-pack/filebeat/module/threatintel/misp/manifest.yml b/x-pack/filebeat/module/threatintel/misp/manifest.yml
index 41443c01df8..3a91b68f4fe 100644
--- a/x-pack/filebeat/module/threatintel/misp/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/misp/manifest.yml
@@ -15,6 +15,8 @@ var:
- name: tags
default: [threatintel-misp, forwarded]
- name: proxy_url
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
index 9f4dbc50fc8..04e12fc0323 100644
--- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
@@ -9,6 +9,39 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 0,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "5",
+ "misp.attribute.id": "351",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1503930272",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81",
+ "misp.attribute_count": 7,
+ "misp.date": "2017-08-25",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "5",
+ "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226331",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f",
"service.type": "threatintel",
"tags": [
"malware_classification:malware-category=Ransomware",
@@ -17,46 +50,15 @@
"tlp:white",
"type:OSINT"
],
- "threatintel.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "5",
- "threatintel.misp.attribute.id": "351",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1503930272",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81",
- "threatintel.misp.attribute_count": "7",
- "threatintel.misp.date": "2017-08-25",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "5",
- "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226331",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "file"
},
{
"@timestamp": "2017-08-28T14:24:36.000Z",
@@ -68,6 +70,39 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 8248,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "1st stage",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "14",
+ "misp.attribute.id": "10794",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1542652482",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "domain|ip",
+ "misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219",
+ "misp.attribute_count": 7,
+ "misp.date": "2017-08-25",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "5",
+ "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226331",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f",
"service.type": "threatintel",
"tags": [
"malware_classification:malware-category=Ransomware",
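Review bot: The new-side keys `"misp.attribute.distribution": 5` and `"misp.attribute_count": 7` are emitted as JSON integers, whereas the removed `threatintel.misp.attribute.distribution` / `threatintel.misp.attribute_count` lines carried the strings `"5"` and `"7"`, and the sibling keys `"misp.distribution": "3"` and `"misp.attribute.sharing_group_id": "0"` remain strings in the same event. A golden file that mixes numeric and string encodings for the same MISP concept at two nesting levels will lock that inconsistency into the test expectation; presumably the module's field definitions and ingest pipeline were changed in step, but it is worth confirming that `misp.distribution` was deliberately left as a string rather than missed by the type conversion. The same pattern appears in every other MISP event hunk of this file (those starting at `@@ -128,55`, `@@ -188,51`, `@@ -244,51`, `@@ -300,51`, `@@ -356,51`, `@@ -412,51`, `@@ -468,51` and `@@ -524,57`), so one fix to the pipeline or fields definition and a regeneration of this fixture should address all of them. The enclosing JSON event object begins before this hunk.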
@@ -76,47 +111,16 @@
"tlp:white",
"type:OSINT"
],
- "threatintel.indicator.ip": "178.128.103.74",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "178.128.103.74",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "your-ip.getmyip.com",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "1st stage",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "14",
- "threatintel.misp.attribute.id": "10794",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1542652482",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "domain|ip",
- "threatintel.misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219",
- "threatintel.misp.attribute_count": "7",
- "threatintel.misp.date": "2017-08-25",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "5",
- "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226331",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "your-ip.getmyip.com"
},
{
"@timestamp": "2017-04-28T18:23:44.000Z",
@@ -128,55 +132,57 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 16434,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "4",
+ "misp.attribute.id": "342",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1490878550",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "link",
+ "misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81",
+ "misp.attribute_count": 100,
+ "misp.date": "2017-03-30",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "4",
+ "misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226330",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f",
"service.type": "threatintel",
"tags": [
"misp-galaxy:tool=Turla",
"tlp:white"
],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "www.virustotal.com",
- "threatintel.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "4",
- "threatintel.misp.attribute.id": "342",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1490878550",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "link",
- "threatintel.misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81",
- "threatintel.misp.attribute_count": "100",
- "threatintel.misp.date": "2017-03-30",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "4",
- "threatintel.misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226330",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "www.virustotal.com",
+ "threat.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.scheme": "https"
},
{
"@timestamp": "2014-10-06T07:12:57.000Z",
@@ -188,51 +194,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 20139,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1077",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579394",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
"service.type": "threatintel",
"tags": [
"tlp:green",
"type:OSINT"
],
- "threatintel.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0",
+ "threat.indicator.marking.tlp": [
"green"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1077",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579394",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "file"
},
{
"@timestamp": "2014-10-06T07:12:57.000Z",
@@ -244,51 +252,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 21711,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1084",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579457",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "ip-dst",
+ "misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
"service.type": "threatintel",
"tags": [
"tlp:green",
"type:OSINT"
],
- "threatintel.indicator.ip": "223.25.233.248",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "223.25.233.248",
+ "threat.indicator.marking.tlp": [
"green"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1084",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579457",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "ip-dst",
- "threatintel.misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "ipv4-addr"
},
{
"@timestamp": "2014-10-06T07:12:57.000Z",
@@ -300,51 +310,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 23232,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1086",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "hostname",
+ "misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
"service.type": "threatintel",
"tags": [
"tlp:green",
"type:OSINT"
],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
"green"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "xenserver.ddns.net",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1086",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "hostname",
- "threatintel.misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "xenserver.ddns.net"
},
{
"@timestamp": "2014-10-06T07:12:57.000Z",
@@ -356,51 +368,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 24759,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1089",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579577",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b",
+ "misp.attribute.value": "Nitro",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
"service.type": "threatintel",
"tags": [
"tlp:green",
"type:OSINT"
],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
"green"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1089",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579577",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b",
- "threatintel.misp.attribute.value": "Nitro",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "unknown"
},
{
"@timestamp": "2014-10-06T07:12:57.000Z",
@@ -412,51 +426,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 26271,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1090",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1455826343",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha1",
+ "misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
"service.type": "threatintel",
"tags": [
"tlp:green",
"type:OSINT"
],
- "threatintel.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea",
+ "threat.indicator.marking.tlp": [
"green"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1090",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1455826343",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha1",
- "threatintel.misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "file"
},
{
"@timestamp": "2014-10-06T07:12:57.000Z",
@@ -468,51 +484,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 27875,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "22",
+ "misp.attribute.id": "12394",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1462454963",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "domain",
+ "misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
"service.type": "threatintel",
"tags": [
"tlp:green",
"type:OSINT"
],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
"green"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "whatsapp.com",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "22",
- "threatintel.misp.attribute.id": "12394",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1462454963",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "domain",
- "threatintel.misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "whatsapp.com"
},
{
"@timestamp": "2018-08-28T13:20:17.000Z",
@@ -524,57 +542,59 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 29397,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "Fake adobe URL",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "158",
+ "misp.attribute.id": "17299",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1515427692",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "url",
+ "misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219",
+ "misp.attribute_count": 61,
+ "misp.date": "2018-01-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "158",
+ "misp.info": "Turla: Mosquito Whitepaper",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "5",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "ESET",
+ "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
+ "misp.orgc_id": "5",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637953",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219",
"service.type": "threatintel",
"tags": [
"Turla",
"misp-galaxy:threat-actor=Turla Group",
"tlp:white"
],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "get.adobe.com",
- "threatintel.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=",
- "threatintel.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=",
- "threatintel.indicator.url.path": "/stats/AbfFcBebD/",
- "threatintel.indicator.url.query": "q=",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "Fake adobe URL",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "158",
- "threatintel.misp.attribute.id": "17299",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1515427692",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "url",
- "threatintel.misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219",
- "threatintel.misp.attribute_count": "61",
- "threatintel.misp.date": "2018-01-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "158",
- "threatintel.misp.info": "Turla: Mosquito Whitepaper",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "5",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "ESET",
- "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
- "threatintel.misp.orgc_id": "5",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637953",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "get.adobe.com",
+ "threat.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=",
+ "threat.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=",
+ "threat.indicator.url.path": "/stats/AbfFcBebD/",
+ "threat.indicator.url.query": "q=",
+ "threat.indicator.url.scheme": "http"
},
{
"@timestamp": "2018-08-28T13:20:17.000Z",
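Review bot: The new expected output in this hunk types `"misp.attribute.distribution": 5` as an integer while `"misp.distribution": "3"` stays a string, even though both appear to carry the same MISP distribution enum; `misp.attribute_count` and `misp.threat_level_id` likewise become integers while `misp.attribute.timestamp` and `misp.publish_timestamp` remain strings. If this is intended, the field definitions should document the chosen types so dashboards and detection rules do not compare a numeric field against a keyword; if not, the convert step that produces the integer (presumably in the ingest pipeline or fields.yml, not visible in this diff) should be applied to both `misp.distribution` and `misp.attribute.distribution`, yielding `"misp.distribution": 3` here. The same pattern repeats in every subsequent hunk of this file and in the `misp_sample_with_ext_attributes.ndjson.log-expected.json` hunks below, so a single pipeline-side fix would regenerate all of them consistently.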
@@ -586,51 +606,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 31486,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "Win32 backdoor C&C URI",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "158",
+ "misp.attribute.id": "17330",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1515429089",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "uri",
+ "misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219",
+ "misp.attribute_count": 61,
+ "misp.date": "2018-01-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "158",
+ "misp.info": "Turla: Mosquito Whitepaper",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "5",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "ESET",
+ "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
+ "misp.orgc_id": "5",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637953",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219",
"service.type": "threatintel",
"tags": [
"Turla",
"misp-galaxy:threat-actor=Turla Group",
"tlp:white"
],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "url",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "Win32 backdoor C&C URI",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "158",
- "threatintel.misp.attribute.id": "17330",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1515429089",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "uri",
- "threatintel.misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219",
- "threatintel.misp.attribute_count": "61",
- "threatintel.misp.date": "2018-01-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "158",
- "threatintel.misp.info": "Turla: Mosquito Whitepaper",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "5",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "ESET",
- "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
- "threatintel.misp.orgc_id": "5",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637953",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "url"
},
{
"@timestamp": "2018-08-28T13:20:17.000Z",
@@ -642,53 +664,55 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 33567,
+ "misp.attribute.category": "Artifacts dropped",
+ "misp.attribute.comment": "JavaScript backdoor",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "158",
+ "misp.attribute.id": "17322",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1515429089",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "filename|sha1",
+ "misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219",
+ "misp.attribute_count": 61,
+ "misp.date": "2018-01-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "158",
+ "misp.info": "Turla: Mosquito Whitepaper",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "5",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "ESET",
+ "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
+ "misp.orgc_id": "5",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637953",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219",
"service.type": "threatintel",
"tags": [
"Turla",
"misp-galaxy:threat-actor=Turla Group",
"tlp:white"
],
- "threatintel.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea",
- "threatintel.indicator.file.name": "google_update_checker.js",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea",
+ "threat.indicator.file.name": "google_update_checker.js",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Artifacts dropped",
- "threatintel.misp.attribute.comment": "JavaScript backdoor",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "158",
- "threatintel.misp.attribute.id": "17322",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1515429089",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "filename|sha1",
- "threatintel.misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219",
- "threatintel.misp.attribute_count": "61",
- "threatintel.misp.date": "2018-01-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "158",
- "threatintel.misp.info": "Turla: Mosquito Whitepaper",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "5",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "ESET",
- "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
- "threatintel.misp.orgc_id": "5",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637953",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file"
},
{
"@timestamp": "2018-01-23T16:09:56.000Z",
@@ -700,50 +724,52 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 35697,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "22",
+ "misp.attribute.id": "12268",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1456266422",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "email-src",
+ "misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a",
+ "misp.attribute_count": 133,
+ "misp.date": "2015-12-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "22",
+ "misp.info": "Packrat: Seven Years of a South American Threat Actor",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "4",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CUDESO",
+ "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
+ "misp.orgc_id": "4",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637901",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a",
"service.type": "threatintel",
"tags": [
"tlp:white"
],
- "threatintel.indicator.email.address": "claudiobonadio88@gmail.com",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.email.address": "claudiobonadio88@gmail.com",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "email-addr",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "22",
- "threatintel.misp.attribute.id": "12268",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1456266422",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "email-src",
- "threatintel.misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a",
- "threatintel.misp.attribute_count": "133",
- "threatintel.misp.date": "2015-12-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "22",
- "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "4",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CUDESO",
- "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
- "threatintel.misp.orgc_id": "4",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637901",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "email-addr"
},
{
"@timestamp": "2018-01-23T16:09:56.000Z",
@@ -755,50 +781,52 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 37011,
+ "misp.attribute.category": "Artifacts dropped",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "22",
+ "misp.attribute.id": "12298",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1456266454",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "regkey",
+ "misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a",
+ "misp.attribute_count": 133,
+ "misp.date": "2015-12-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "22",
+ "misp.info": "Packrat: Seven Years of a South American Threat Actor",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "4",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CUDESO",
+ "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
+ "misp.orgc_id": "4",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637901",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a",
"service.type": "threatintel",
"tags": [
"tlp:white"
],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "windows-registry-key",
- "threatintel.misp.attribute.category": "Artifacts dropped",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "22",
- "threatintel.misp.attribute.id": "12298",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1456266454",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "regkey",
- "threatintel.misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a",
- "threatintel.misp.attribute_count": "133",
- "threatintel.misp.date": "2015-12-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "22",
- "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "4",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CUDESO",
- "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
- "threatintel.misp.orgc_id": "4",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637901",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "windows-registry-key"
},
{
"@timestamp": "2020-12-13T14:03:16.000Z",
@@ -810,51 +838,53 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 38330,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "On port 2222",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "10",
+ "misp.attribute.id": "10686",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1607517728",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "ip-dst|port",
+ "misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16",
+ "misp.attribute_count": 15,
+ "misp.date": "2020-12-09",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "10",
+ "misp.info": "Recent Qakbot (Qbot) activity",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "4",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CUDESO",
+ "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
+ "misp.orgc_id": "4",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637888",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16",
"service.type": "threatintel",
"tags": [
"misp-galaxy:banker=Qakbot",
"tlp:white"
],
- "threatintel.indicator.ip": "62.38.114.12",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "62.38.114.12",
+ "threat.indicator.marking.tlp": [
"white"
],
- "threatintel.indicator.port": "2222",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "On port 2222",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "10",
- "threatintel.misp.attribute.id": "10686",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1607517728",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "ip-dst|port",
- "threatintel.misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16",
- "threatintel.misp.attribute_count": "15",
- "threatintel.misp.date": "2020-12-09",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "10",
- "threatintel.misp.info": "Recent Qakbot (Qbot) activity",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "4",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CUDESO",
- "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
- "threatintel.misp.orgc_id": "4",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637888",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16"
+ "threat.indicator.port": 2222,
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "ipv4-addr"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json
index 6db06ab777c..ae03f9bce95 100644
--- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json
@@ -9,48 +9,50 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 0,
+ "misp.attribute.category": "Payload installation",
+ "misp.attribute.comment": "Contextual comment for the file md5 attribute",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3631",
+ "misp.attribute.id": "266258",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588162",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52",
+ "misp.attribute_count": 1,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3631",
+ "misp.info": "Test event 1 just atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload installation",
- "threatintel.misp.attribute.comment": "Contextual comment for the file md5 attribute",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3631",
- "threatintel.misp.attribute.id": "266258",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588162",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52",
- "threatintel.misp.attribute_count": "1",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3631",
- "threatintel.misp.info": "Test event 1 just atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -66,48 +68,50 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 1614,
+ "misp.attribute.category": "Artifacts dropped",
+ "misp.attribute.comment": "Artefact dropped for test 2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266259",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588675",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Artifacts dropped",
- "threatintel.misp.attribute.comment": "Artefact dropped for test 2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266259",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588675",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -123,48 +127,50 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 3241,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "Conext for domain type attribute event 2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266260",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588744",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "domain",
+ "misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "baddom.madeup.local",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "Conext for domain type attribute event 2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266260",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588744",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "domain",
- "threatintel.misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "baddom.madeup.local",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -180,48 +186,50 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 4870,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "Ip-src attribute context for event2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266261",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588800",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "ip-src",
+ "misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.ip": "10.0.0.1",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "Ip-src attribute context for event2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266261",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588800",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "ip-src",
- "threatintel.misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "10.0.0.1",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "ipv4-addr",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
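Review bot: The new side of this event (log.offset 4870) mixes scalar types for fields that carry the same MISP concept: `"misp.attribute.distribution": 5` and `"misp.attribute_count": 4` are now JSON numbers (the removed `threatintel.misp.attribute.distribution` was the string `"5"`), while `"misp.distribution": "1"`, `misp.attribute.event_id` and `misp.attribute.sharing_group_id` remain strings. If the ingest pipeline intentionally converts the attribute-level distribution to an integer, the event-level `misp.distribution` presumably needs the same convert step so the two distribution levels can be compared in queries and dashboards; if the conversion is accidental, these golden values will lock the inconsistency in, so it is worth confirming against the module's field definitions. The same pattern repeats in every later hunk of this file (the events at log.offset 6484, 8095, 10558, 12990, 15439, 17926 and 20372). The enclosing JSON object starts outside the hunk.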
@@ -237,48 +245,50 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 6484,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "ip-dst context for event id 2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266262",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588836",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "ip-dst",
+ "misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.ip": "192.168.1.50",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "ip-dst context for event id 2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266262",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588836",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "ip-dst",
- "threatintel.misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "192.168.1.50",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "ipv4-addr",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -294,63 +304,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 8095,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266267",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "fullpath",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6",
+ "misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266267",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "fullpath",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6",
- "threatintel.misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -366,63 +378,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 10558,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266268",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "size-in-bytes",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "size-in-bytes",
+ "misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581",
+ "misp.attribute.value": "505050",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266268",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "size-in-bytes",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "size-in-bytes",
- "threatintel.misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581",
- "threatintel.misp.attribute.value": "505050",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -438,63 +452,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 12990,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266264",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "md5",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266264",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "md5",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -510,63 +526,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 15439,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266265",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "sha256",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266265",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "sha256",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -582,63 +600,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 17926,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266266",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.name": "filenameofobject.txt",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266266",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "filenameofobject.txt",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -654,49 +674,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 20372,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266269",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "text",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67",
+ "misp.attribute.value": "Free text in the file object",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266269",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "text",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67",
- "threatintel.misp.attribute.value": "Free text in the file object",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
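Review bot: The new expected output types `misp.attribute.distribution` as the integer `5` and `misp.attribute_count` as `3`, while the sibling event-level `misp.distribution` in the same object stays the string `"1"` and the id-like attribute fields (`misp.attribute.event_id`, `misp.attribute.sharing_group_id`) also stay strings; the same logical field is therefore a number at attribute level and a string at event level. If that split is intended by the fileset's field definitions, a one-line comment in the field description saying the event-level value is kept as a string would stop the next maintainer from "normalizing" it; if it is not intended, the conversion the ingest pipeline applies to the attribute fields should presumably also cover `misp.distribution` so the mapping is uniform. The same pattern appears in every following hunk of this file (those headed `@@ -712`, `@@ -770`, `@@ -828`, `@@ -886`, `@@ -944`, `@@ -1002`, `@@ -1060`, `@@ -1118`). Each event object opens and closes outside the hunk, so only the changed keys are visible here.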
@@ -712,49 +734,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 21959,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266270",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "sha256",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266270",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "sha256",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -770,49 +794,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 23597,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266271",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.name": "filenameinmispobject.txt",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266271",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "filenameinmispobject.txt",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -828,49 +854,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 25198,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266272",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "text",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8",
+ "misp.attribute.value": "Object 5 free text attribute in object",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266272",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "text",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8",
- "threatintel.misp.attribute.value": "Object 5 free text attribute in object",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -886,49 +914,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 26791,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266275",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "entropy",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "float",
+ "misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252",
+ "misp.attribute.value": "0.53535445",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266275",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "entropy",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "float",
- "threatintel.misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252",
- "threatintel.misp.attribute.value": "0.53535445",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -944,49 +974,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 28360,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266276",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "size-in-bytes",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "size-in-bytes",
+ "misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7",
+ "misp.attribute.value": "55555",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266276",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "size-in-bytes",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "size-in-bytes",
- "threatintel.misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7",
- "threatintel.misp.attribute.value": "55555",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1002,49 +1034,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 29938,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266273",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "sha256",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266273",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "sha256",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1060,49 +1094,51 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 31572,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266274",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.name": "object5.txt",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266274",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "object5.txt",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1118,63 +1154,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 33156,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266278",
+ "misp.attribute.object_id": "18210",
+ "misp.attribute.object_relation": "text",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200348",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987",
+ "misp.attribute.value": "Excutable create bad pipe",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266278",
- "threatintel.misp.attribute.object_id": "18210",
- "threatintel.misp.attribute.object_relation": "text",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200348",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987",
- "threatintel.misp.attribute.value": "Excutable create bad pipe",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1190,63 +1228,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 35151,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266281",
+ "misp.attribute.object_id": "18211",
+ "misp.attribute.object_relation": "size-in-bytes",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200780",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "size-in-bytes",
+ "misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98",
+ "misp.attribute.value": "3892",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266281",
- "threatintel.misp.attribute.object_id": "18211",
- "threatintel.misp.attribute.object_relation": "size-in-bytes",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200780",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "size-in-bytes",
- "threatintel.misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98",
- "threatintel.misp.attribute.value": "3892",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
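Review bot: The new side types the same MISP enumeration two different ways: `"misp.attribute.distribution": 5` and `"misp.context.attribute.distribution": 5` are now integers, while `"misp.distribution": "0"` and `"misp.sharing_group_id": "0"` a few lines above stay strings. In MISP these carry the same distribution-level value set, so a query or detection rule that compares event-level and attribute-level distribution will have to cast on one side; the same mismatch appears in every following hunk of this file (log.offset 37149 through 47153). The expected file is presumably regenerated from the ingest pipeline, so the fix belongs in the pipeline's convert/mapping step, not here — either convert `misp.distribution` and `misp.sharing_group_id` to integer alongside the attribute-level fields, or keep all of them as keyword strings; I cannot see the pipeline or fields definition in this chunk, so confirm which the field mapping declares. Renaming `threatintel.misp.attribute_count: "9"` to `misp.attribute_count: 9` is consistent with a count field and looks fine.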
@@ -1262,63 +1302,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 37149,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266283",
+ "misp.attribute.object_id": "18211",
+ "misp.attribute.object_relation": "name",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200780",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468",
+ "misp.attribute.value": ".data",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266283",
- "threatintel.misp.attribute.object_id": "18211",
- "threatintel.misp.attribute.object_relation": "name",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200780",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468",
- "threatintel.misp.attribute.value": ".data",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1334,63 +1376,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 39130,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266284",
+ "misp.attribute.object_id": "18211",
+ "misp.attribute.object_relation": "text",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200780",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0",
+ "misp.attribute.value": "Extracted zip archive data",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266284",
- "threatintel.misp.attribute.object_id": "18211",
- "threatintel.misp.attribute.object_relation": "text",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200780",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0",
- "threatintel.misp.attribute.value": "Extracted zip archive data",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1406,63 +1450,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 41132,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266285",
+ "misp.attribute.object_id": "18211",
+ "misp.attribute.object_relation": "entropy",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200780",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "float",
+ "misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb",
+ "misp.attribute.value": "7.93280431051",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266285",
- "threatintel.misp.attribute.object_id": "18211",
- "threatintel.misp.attribute.object_relation": "entropy",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200780",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "float",
- "threatintel.misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb",
- "threatintel.misp.attribute.value": "7.93280431051",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1478,63 +1524,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 43125,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266279",
+ "misp.attribute.object_id": "18210",
+ "misp.attribute.object_relation": "md5",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200348",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266279",
- "threatintel.misp.attribute.object_id": "18210",
- "threatintel.misp.attribute.object_relation": "md5",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200348",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1550,63 +1598,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 45136,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266282",
+ "misp.attribute.object_id": "18211",
+ "misp.attribute.object_relation": "md5",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200780",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266282",
- "threatintel.misp.attribute.object_id": "18211",
- "threatintel.misp.attribute.object_relation": "md5",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200780",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
@@ -1622,63 +1672,65 @@
"fileset.name": "misp",
"input.type": "log",
"log.offset": 47153,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266280",
+ "misp.attribute.object_id": "18210",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200348",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-misp"
],
- "threatintel.indicator.file.name": "badmojopipe.exe",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266280",
- "threatintel.misp.attribute.object_id": "18210",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200348",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "badmojopipe.exe",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
"user.email": "admin@admin.test",
"user.roles": [
"reporting_user"
diff --git a/x-pack/filebeat/module/threatintel/otx/config/config.yml b/x-pack/filebeat/module/threatintel/otx/config/config.yml
index 9e2f5169e6f..fe18e1141d3 100644
--- a/x-pack/filebeat/module/threatintel/otx/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/otx/config/config.yml
@@ -55,17 +55,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields: ["json.id"]
- target_field: "@metadata._id"
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
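Review bot: `- {{$val}}` renders each tag into the YAML unquoted, so a user-supplied tag that looks like a boolean or number, or starts with a YAML indicator (`yes`, `1.10`, `@team`), is retyped or fails to parse instead of arriving as a string; the removed `{{.tags | tojson}}` form did not have that problem because `tojson` emitted quoted strings. Rendering the item as `- {{$val | tojson}}` keeps every tag a string while preserving the new per-item layout. The fixed `preserve_original_event` literal is fine unquoted.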
diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
index 4cb3ed37aef..4b3f6aeaea6 100644
--- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
@@ -1,4 +1,5 @@
-description: Pipeline for parsing MISP Threat Intel
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
processors:
####################
# Event ECS fields #
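Review bot: The new `description: Pipeline for parsing Abuse.ch URL Threat Intel` names the wrong feed: this file is the `threatintel/otx` pipeline, and the `threat.feed.name` it sets further down is `[Filebeat] Alienvault OTX`. The removed line was a copy-paste from the MISP pipeline too, so the hunk swaps one wrong label for another; `description: Pipeline for parsing Alienvault OTX Threat Intel` matches what the pipeline does.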
@@ -6,6 +7,9 @@ processors:
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
@@ -20,108 +24,126 @@ processors:
# General ECS fields #
######################
- rename:
- field: json
- target_field: threatintel.otx
+ field: message
+ target_field: event.original
ignore_missing: true
+ - json:
+ field: event.original
+ target_field: otx
+ - fingerprint:
+ fields:
+ - otx.id
+ target_field: "_id"
#####################
# Threat ECS Fields #
#####################
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] Alienvault OTX"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
## File indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'"
+ if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'"
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.md5
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.md5
ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'"
+ if: "ctx.otx?.type == 'FileHash-MD5'"
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.sha1
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.sha1
ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'"
+ if: "ctx.otx?.type == 'FileHash-SHA1'"
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.sha256
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.sha256
ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'"
+ if: "ctx.otx?.type == 'FileHash-SHA256'"
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.pehash
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.pehash
ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'"
+ if: "ctx.otx?.type == 'FileHash-PEHASH'"
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.imphash
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.imphash
ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'"
+ if: "ctx.otx?.type == 'FileHash-IMPHASH'"
## IP indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: ipv4-addr
- if: ctx.threatintel?.otx?.type == 'IPv4'
+ if: ctx.otx?.type == 'IPv4'
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: ipv6-addr
- if: ctx.threatintel?.otx?.type == 'IPv6'
+ if: ctx.otx?.type == 'IPv6'
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.ip
+ field: otx.indicator
+ target_field: threat.indicator.ip
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)"
+ if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)"
## URL indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: url
- if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)"
+ if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)"
- uri_parts:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.url
+ field: otx.indicator
+ target_field: threat.indicator.url
keep_original: true
remove_if_successful: true
- if: ctx?.threatintel?.indicator?.type == 'url'
+ if: ctx.threat?.indicator?.type == 'url'
- set:
- field: threatintel.indicator.url.full
- value: "{{{threatintel.indicator.url.original}}}"
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
ignore_empty_value: true
- if: "ctx?.threatintel?.otx?.type == 'URL'"
+ if: "ctx.otx?.type == 'URL'"
## Email indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: email-addr
- if: ctx?.threatintel?.otx?.type == 'email'
+ if: ctx.otx?.type == 'email'
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.email.address
+ field: otx.indicator
+ target_field: threat.indicator.email.address
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'email-addr'"
+ if: "ctx.threat?.indicator?.type == 'email-addr'"
## Domain indicator operations
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: domain-name
- if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)"
+ if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)"
- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.url.domain
+ field: otx.indicator
+ target_field: threat.indicator.url.domain
ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null"
+ if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null"
######################
# Cleanup processors #
######################
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx.threat?.indicator?.type == null
- script:
lang: painless
- if: ctx?.threatintel != null
+ if: ctx.otx != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
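Review bot: The condition `if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'"` still dereferences `type` without a null guard: in Painless the `?.` step yields null but does not short-circuit the following `.startsWith(...)` call, so an OTX record that has no `type` raises a NullPointerException and sends the whole document to `on_failure`. Rewriting it as `if: "ctx.otx?.type != null && (ctx.otx.type.startsWith('FileHash') || ctx.otx.type == 'filepath')"` keeps one malformed line from failing the pipeline. The new `fingerprint` processor on `otx.id` likewise has no `ignore_missing: true`, so a record lacking `id` fails at that step before any indicator field is produced; whether the feed guarantees `id` is not visible here. The Painless script body continues past the end of the hunk.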
@@ -145,16 +167,16 @@ processors:
handleMap(ctx);
- remove:
field:
- - threatintel.otx.content
+ - otx.content
ignore_missing: true
- if: ctx?.threatintel?.otx?.content == ""
+ if: ctx.otx?.content == ""
- remove:
field:
- - threatintel.otx.type
- - threatintel.otx.id
+ - otx.type
+ - otx.id
- message
ignore_missing: true
- if: ctx?.threatintel?.indicator?.type != null
+ if: ctx.threat?.indicator?.type != null
on_failure:
- set:
field: error.message
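Review bot: The `- message` entry in the second `remove` list is dead after this change: the pipeline now renames `message` to `event.original` at the top of the processor chain and removes `event.original` in the cleanup section unless the event is tagged `preserve_original_event`, so `message` cannot exist at this point and the entry is only tolerated by `ignore_missing: true`. Dropping it keeps the cleanup list honest about what it removes. The `handleMap(ctx);` line at the top of the hunk is the tail of a Painless script that starts outside the hunk.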
diff --git a/x-pack/filebeat/module/threatintel/otx/manifest.yml b/x-pack/filebeat/module/threatintel/otx/manifest.yml
index 0fdefa51d76..72830224984 100644
--- a/x-pack/filebeat/module/threatintel/otx/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/otx/manifest.yml
@@ -20,6 +20,8 @@ var:
- name: tags
default: [threatintel-otx, forwarded]
- name: proxy_url
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
index e56752d47c3..590bc64bfbc 100644
--- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
@@ -13,8 +13,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "86.104.194.30",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "86.104.194.30",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -25,15 +27,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 102,
+ "otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65",
+ "otx.title": "Win32:Hoblig-B",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65",
- "threatintel.otx.title": "Win32:Hoblig-B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -49,8 +53,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "ip.anysrc.net"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "ip.anysrc.net"
},
{
"event.category": "threat",
@@ -66,8 +72,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "107.173.58.176",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "107.173.58.176",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -83,8 +91,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -95,14 +105,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 688,
+ "otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -118,8 +130,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -130,14 +144,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 1053,
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -153,8 +169,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "213.252.244.38",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "213.252.244.38",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -170,8 +188,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -187,8 +207,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -199,14 +221,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 1671,
+ "otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -222,8 +246,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -239,8 +265,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -256,8 +284,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -273,8 +303,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -290,8 +322,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -302,15 +336,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 2703,
+ "otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -321,15 +357,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 2919,
+ "otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -340,15 +378,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 3135,
+ "otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
+ "otx.title": "Trojan:Win32/Occamy.B",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
- "threatintel.otx.title": "Trojan:Win32/Occamy.B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -359,15 +399,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 3355,
+ "otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -378,14 +420,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 3571,
+ "otx.title": "vad_contains_network_strings",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "vad_contains_network_strings"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -401,8 +445,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -418,8 +464,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -430,14 +478,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 4098,
+ "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -453,8 +503,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -465,15 +517,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 4470,
+ "otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
+ "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
- "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -484,15 +538,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 4709,
+ "otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
+ "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
- "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -508,8 +564,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -520,15 +578,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 5125,
+ "otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b",
+ "otx.title": "vad_contains_network_strings",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b",
- "threatintel.otx.title": "vad_contains_network_strings"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -539,15 +599,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 5352,
+ "otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
+ "otx.title": "vad_contains_network_strings",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
- "threatintel.otx.title": "vad_contains_network_strings"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -563,8 +625,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "185.25.50.167",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "185.25.50.167",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -580,8 +644,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -597,8 +663,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -609,14 +677,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 6018,
+ "otx.title": "Trojan:Win32/Occamy.B",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Trojan:Win32/Occamy.B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -627,14 +697,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 6204,
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -650,8 +722,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -662,14 +736,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 6553,
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -680,14 +756,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 6735,
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -703,8 +781,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -715,15 +795,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 7084,
+ "otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -734,15 +816,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 7310,
+ "otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -753,15 +837,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 7536,
+ "otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -772,15 +858,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 7762,
+ "otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
+ "otx.title": "Trojan:Win32/Occamy.B",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
- "threatintel.otx.title": "Trojan:Win32/Occamy.B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -796,8 +884,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "maper.info"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "maper.info"
},
{
"event.category": "threat",
@@ -813,8 +903,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "213.252.244.126",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "213.252.244.126",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -830,8 +922,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "78.129.139.131",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "78.129.139.131",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -842,14 +936,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 8309,
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -860,14 +956,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 8498,
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -878,14 +976,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 8687,
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -896,14 +996,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 8876,
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -914,14 +1016,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 9065,
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -932,14 +1036,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 9254,
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -950,14 +1056,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 9443,
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -973,8 +1081,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "103.13.67.4",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "103.13.67.4",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -990,8 +1100,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "80.90.87.201",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "80.90.87.201",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1007,8 +1119,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "80.80.163.182",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "80.80.163.182",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1024,8 +1138,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "91.187.114.210",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "91.187.114.210",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1041,8 +1157,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "170.238.117.187",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "170.238.117.187",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1058,8 +1176,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -1075,8 +1195,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "103.84.238.3",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "103.84.238.3",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1092,8 +1214,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "179.43.158.171",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "179.43.158.171",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1109,8 +1233,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "198.211.116.199",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "198.211.116.199",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1121,14 +1247,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 10641,
+ "otx.title": "Trickbot",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "203.176.135.102",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.otx.title": "Trickbot"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "203.176.135.102",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1144,8 +1272,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "fotmailz.com"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "fotmailz.com"
},
{
"event.category": "threat",
@@ -1161,8 +1291,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "pori89g5jqo3v8.com"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "pori89g5jqo3v8.com"
},
{
"event.category": "threat",
@@ -1178,8 +1310,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "sebco.co.ke"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "sebco.co.ke"
},
{
"event.category": "threat",
@@ -1190,14 +1324,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 11077,
+ "otx.title": "Trickbot",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "177.74.232.124",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.otx.title": "Trickbot"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "177.74.232.124",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1213,8 +1349,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "chishir.com"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "chishir.com"
},
{
"event.category": "threat",
@@ -1230,8 +1368,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "kostunivo.com"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "kostunivo.com"
},
{
"event.category": "threat",
@@ -1247,8 +1387,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "mangoclone.com"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "mangoclone.com"
},
{
"event.category": "threat",
@@ -1264,8 +1406,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "onixcellent.com"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "onixcellent.com"
},
{
"event.category": "threat",
@@ -1276,14 +1420,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 11618,
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -1294,14 +1440,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 11774,
+ "otx.title": "Sf:ShellCode-DZ\\ [Trj]",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Sf:ShellCode-DZ\\ [Trj]"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -1312,14 +1460,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 11936,
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -1330,14 +1480,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 12092,
+ "otx.title": "Win64:Malware-gen",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -1348,14 +1500,16 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 12248,
+ "otx.title": "Trickbot",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "96.9.77.142",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.otx.title": "Trickbot"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "96.9.77.142",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1371,8 +1525,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "36.89.106.69",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "36.89.106.69",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1388,8 +1544,10 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.ip": "96.9.73.73",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "96.9.73.73",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -1400,15 +1558,17 @@
"fileset.name": "otx",
"input.type": "log",
"log.offset": 12563,
+ "otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6",
+ "otx.title": "xor_0x20_xord_javascript",
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -1424,12 +1584,14 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "www.playboysplus.com",
- "threatintel.indicator.url.full": "http://www.playboysplus.com",
- "threatintel.indicator.url.original": "http://www.playboysplus.com",
- "threatintel.indicator.url.path": "",
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "www.playboysplus.com",
+ "threat.indicator.url.full": "http://www.playboysplus.com",
+ "threat.indicator.url.original": "http://www.playboysplus.com",
+ "threat.indicator.url.path": "",
+ "threat.indicator.url.scheme": "http"
},
{
"event.category": "threat",
@@ -1445,12 +1607,14 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "join.playboysplus.com",
- "threatintel.indicator.url.full": "http://join.playboysplus.com/signup/",
- "threatintel.indicator.url.original": "http://join.playboysplus.com/signup/",
- "threatintel.indicator.url.path": "/signup/",
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "join.playboysplus.com",
+ "threat.indicator.url.full": "http://join.playboysplus.com/signup/",
+ "threat.indicator.url.original": "http://join.playboysplus.com/signup/",
+ "threat.indicator.url.path": "/signup/",
+ "threat.indicator.url.scheme": "http"
},
{
"event.category": "threat",
@@ -1466,13 +1630,15 @@
"forwarded",
"threatintel-otx"
],
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "api.vk.com",
- "threatintel.indicator.url.extension": "get",
- "threatintel.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386",
- "threatintel.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386",
- "threatintel.indicator.url.path": "/method/wall.get",
- "threatintel.indicator.url.query": "count=1&owner_id=-81972386",
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "api.vk.com",
+ "threat.indicator.url.extension": "get",
+ "threat.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386",
+ "threat.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386",
+ "threat.indicator.url.path": "/method/wall.get",
+ "threat.indicator.url.query": "count=1&owner_id=-81972386",
+ "threat.indicator.url.scheme": "http"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
index 08b2f682f3f..2c610e5379d 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
@@ -38,27 +38,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields:
- - event.dataset
- - json.entity.id
- target_field: "@metadata._id"
- encoding: base64
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
- - script:
- lang: javascript
- id: set_opt_type
- source: >
- function process(event) {
- event.Put("@metadata.op_type", "index");
- }
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
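Review bot: Dropping the `fingerprint` processor that wrote `@metadata._id` from `event.dataset` + `json.entity.id`, together with the `set_opt_type` script forcing `op_type: index`, removes the deduplication that kept a re-polled Recorded Future indicator from being indexed as a new document; nothing in the pipeline hunks shown below re-establishes a deterministic `_id`, so unless that is done elsewhere (not visible here) each fetch will append duplicates. If the change to append-only ingestion is intentional, say so in a comment next to the remaining `publisher_pipeline.disable_host` line, e.g. `# dedup by entity.id is intentionally dropped; documents are append-only`. The `decode_json_fields` and `ecs.version` work moved into the ingest pipeline is fine, but the `- {{$val}}` entries under `tags:` are emitted unquoted, so a tag value that looks boolean or numeric would be retyped by the YAML parser; `- "{{$val}}"` would be safer if user-supplied tags are expected.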
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
index 8e0a6d4b334..6247c0cd882 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
@@ -1,19 +1,14 @@
description: Pipeline for parsing Recorded Future threat intel.
processors:
- #
- # Safeguard against feeding the pipeline with documents other
- # that the ones generated by Filebeat's httpjson input.
- #
- - fail:
- if: "ctx.json == null || !(ctx.json instanceof Map)"
- message: "missing json object in input document"
-
#
# Set basic ECS fields.
#
- set:
field: event.ingested
- value: "{{{ _ingest.timestamp }}}"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
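Review bot: `ecs.version` is now set to `"1.12"` here while the `add_fields` processor this commit removes from config/config.yml wrote `1.12.0`, so the value carried on documents changes shape as well as location; unless the two-part form is intended, `value: "1.12.0"` keeps the field comparable with what was emitted before. The removed `fail` guard was the only explicit check that the input document carried a JSON object; a non-JSON line will now fail later at the `json` processor with a generic parse error instead of the targeted `missing json object in input document` message, which is acceptable but worth a one-line comment above the first `set` so the next reader knows the guard was dropped on purpose.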
@@ -24,14 +19,29 @@ processors:
field: event.type
value: indicator
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] RecordedFuture"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
+
#
- # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type).
#
- script:
lang: painless
if: "ctx.json.entity?.type != null"
description: >
- Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ Map entity.type field to STIX 2.0 Cyber Observable values (threat.indicator.type).
params:
IpAddress: ipv4-addr
InternetDomainName: domain-name
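Review bot: The new `json` processor on `event.original` is the point where untrusted feed content enters the pipeline, yet it has no `if` guard or `ignore_failure`, while the `rename` just above it tolerates a missing `message` with `ignore_missing: true`; a document that arrives without `message` therefore fails on `json` rather than on a clear precondition. Adding `if: ctx.event?.original != null` to the `json` processor (or a pipeline-level guard) makes the failure mode explicit, assuming the top-level `on_failure` at the end of the file is meant to catch parse errors rather than missing input. The `threat.feed.dashboard_id` value set here is the same id assigned to the Alienvault OTX fixture earlier in this diff; if that is the shared threat-intel overview dashboard a short comment saying so, e.g. `# Shared threat intel overview dashboard`, would stop it reading as a copy-paste.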
@@ -40,7 +50,7 @@ processors:
source: >
String mapping = params[ctx.json.entity.type];
if (mapping != null) {
- ctx["threatintel_indicator_type"] = mapping;
+ ctx["threat_indicator_type"] = mapping;
}
on_failure:
- append:
@@ -48,24 +58,24 @@ processors:
value: 'Unable to determine indicator type from "{{{ json.entity.type }}}": {{{ _ingest.on_failure_message }}}'
- rename:
- field: threatintel_indicator_type
- target_field: threatintel.indicator.type
+ field: threat_indicator_type
+ target_field: threat.indicator.type
ignore_missing: true
#
# Detect ipv6 for ipv4-addr types.
#
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: ipv6-addr
- if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")'
+ if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")'
#
# Map first and last seen dates.
#
- date:
field: json.timestamps.firstSeen
- target_field: threatintel.indicator.first_seen
+ target_field: threat.indicator.first_seen
formats:
- ISO8601
if: "ctx.json.timestamps?.firstSeen != null"
@@ -75,7 +85,7 @@ processors:
value: 'Error parsing firstSeen field value "{{{ json.timestamps.firstSeen }}}": {{{ _ingest.on_failure_message }}}'
- date:
field: json.timestamps.lastSeen
- target_field: threatintel.indicator.last_seen
+ target_field: threat.indicator.last_seen
formats:
- ISO8601
if: "ctx.json.timestamps?.lastSeen != null"
@@ -89,20 +99,20 @@ processors:
#
- rename:
field: json.location.location.city
- target_field: threatintel.indicator.geo.city_name
+ target_field: threat.indicator.geo.city_name
ignore_missing: true
- rename:
field: json.location.location.continent
- target_field: threatintel.indicator.geo.continent_name
+ target_field: threat.indicator.geo.continent_name
ignore_missing: true
- rename:
field: json.location.location.country
- target_field: threatintel.indicator.geo.country_name
+ target_field: threat.indicator.geo.country_name
ignore_missing: true
- grok:
field: json.location.asn
patterns:
- - "^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$"
+ - "^(?:[Aa][Ss])?%{NUMBER:threat.indicator.as.number:long}$"
ignore_missing: true
on_failure:
- append:
@@ -110,10 +120,10 @@ processors:
value: "Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}"
- rename:
field: json.location.organization
- target_field: threatintel.indicator.as.organization.name
+ target_field: threat.indicator.as.organization.name
ignore_missing: true
- set:
- field: threatintel.indicator.reference
+ field: threat.indicator.reference
value: "{{{ json.intelCard }}}"
ignore_empty_value: true
- set:
@@ -123,30 +133,30 @@ processors:
- set:
field: json.ip_range
value: "{{{ json.entity.name }}}/32"
- if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
+ if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
- set:
field: json.ip_range
value: "{{{ json.entity.name }}}/128"
- if: 'ctx.threatintel?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
+ if: 'ctx.threat?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
- set:
field: json.ip_range
value: "{{{json.entity.name}}}"
if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
- rename:
field: json.entity.name
- target_field: threatintel.indicator.ip
+ target_field: threat.indicator.ip
if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
- rename:
field: json.entity.name
- target_field: threatintel.indicator.url.domain
+ target_field: threat.indicator.url.domain
ignore_missing: true
- if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null'
+ if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null'
- uri_parts:
field: json.entity.name
- target_field: threatintel.indicator.url
+ target_field: threat.indicator.url
keep_original: true
remove_if_successful: true
- if: 'ctx.threatintel?.indicator?.type == "url"'
+ if: 'ctx.threat?.indicator?.type == "url"'
on_failure:
- append:
field: error.message
@@ -157,10 +167,10 @@ processors:
field: json.fileHashes
value: "{{{ json.entity.name }}}"
allow_duplicates: false
- if: 'ctx.threatintel?.indicator?.type == "file"'
+ if: 'ctx.threat?.indicator?.type == "file"'
- remove:
field: json.entity.name
- if: 'ctx.threatintel?.indicator?.type == "file"'
+ if: 'ctx.threat?.indicator?.type == "file"'
- script:
lang: painless
description: >
@@ -187,7 +197,7 @@ processors:
value: "Failed to map fileHashes field: {{ _ingest.on_failure_message }}"
- rename:
field: _hashes
- target_field: threatintel.indicator.file.hash
+ target_field: threat.indicator.file.hash
ignore_missing: true
#
@@ -213,11 +223,48 @@ processors:
- message
ignore_missing: true
#
- # Save fields without an ECS mapping under `threatintel.recordedfuture`.
+ # Save fields without an ECS mapping under `recordedfuture`.
#
- rename:
field: json
- target_field: threatintel.recordedfuture
+ target_field: recordedfuture
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx.threat?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx.recordedfuture != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
on_failure:
- append:
field: error.message
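Review bot: The new cleanup `script` has no `description:` although the other script processors in this file carry one, and its `if: ctx.recordedfuture != null` gate does not match what it does: `handleMap(ctx)` walks and strips null values from the entire document, not just the `recordedfuture` subtree. Suggest `description: Recursively remove null-valued fields from the whole document.` directly under `lang: painless`, and either widening the condition or noting in the description why the walk is only run when `recordedfuture` is present. The recursion also removes nulls but leaves emptied maps and lists in place, which the updated test expectations (`recordedfuture.risk.evidenceDetails: []`) rely on, so that is worth stating in the same description. The top-level `on_failure` block this hunk ends in continues outside the hunk.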
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
index 93df3884160..da8a88e19da 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
@@ -14,6 +14,8 @@ var:
default: [threatintel-recordedfuture, forwarded]
- name: proxy_url
- name: api_token
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
index 29b0a8ed4a5..7da98ffcc29 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
@@ -9,26 +9,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 0,
+ "recordedfuture.entity.id": "idn:16url-gy.example.net",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2016-07-25T20:29:32.750Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.901Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "16url-gy.example.net",
- "threatintel.recordedfuture.entity.id": "idn:16url-gy.example.net",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2016-07-25T20:29:32.750Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.901Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "16url-gy.example.net"
},
{
"event.category": "threat",
@@ -40,26 +42,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 482,
+ "recordedfuture.entity.id": "idn:b999f.example.org",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2012-11-21T01:54:04.292Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.812Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "b999f.example.org",
- "threatintel.recordedfuture.entity.id": "idn:b999f.example.org",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2012-11-21T01:54:04.292Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.812Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "b999f.example.org"
},
{
"event.category": "threat",
@@ -71,26 +75,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 955,
+ "recordedfuture.entity.id": "idn:c422.example.net",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2018-02-21T13:53:46.470Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.778Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "c422.example.net",
- "threatintel.recordedfuture.entity.id": "idn:c422.example.net",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2018-02-21T13:53:46.470Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.778Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "c422.example.net"
},
{
"event.category": "threat",
@@ -102,26 +108,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 1425,
+ "recordedfuture.entity.id": "idn:8rwcvgjsp.example.net",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2016-08-15T11:56:24.964Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.747Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "8rwcvgjsp.example.net",
- "threatintel.recordedfuture.entity.id": "idn:8rwcvgjsp.example.net",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2016-08-15T11:56:24.964Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.747Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "8rwcvgjsp.example.net"
},
{
"event.category": "threat",
@@ -133,26 +141,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 1910,
+ "recordedfuture.entity.id": "idn:c9px.example.net",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2016-06-29T21:06:06.066Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.460Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "c9px.example.net",
- "threatintel.recordedfuture.entity.id": "idn:c9px.example.net",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2016-06-29T21:06:06.066Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.460Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "c9px.example.net"
},
{
"event.category": "threat",
@@ -164,26 +174,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 2380,
+ "recordedfuture.entity.id": "idn:ttj1i9z7.example.com",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2018-09-20T03:26:08.564Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "ttj1i9z7.example.com",
- "threatintel.recordedfuture.entity.id": "idn:ttj1i9z7.example.com",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2018-09-20T03:26:08.564Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "ttj1i9z7.example.com"
},
{
"event.category": "threat",
@@ -195,26 +207,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 2862,
+ "recordedfuture.entity.id": "idn:7pgc.example.org",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2017-02-23T17:44:16.104Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "7pgc.example.org",
- "threatintel.recordedfuture.entity.id": "idn:7pgc.example.org",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2017-02-23T17:44:16.104Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "7pgc.example.org"
},
{
"event.category": "threat",
@@ -226,26 +240,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 3332,
+ "recordedfuture.entity.id": "idn:xm5u434.example.net",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2017-04-10T06:55:27.658Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "xm5u434.example.net",
- "threatintel.recordedfuture.entity.id": "idn:xm5u434.example.net",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2017-04-10T06:55:27.658Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "xm5u434.example.net"
},
{
"event.category": "threat",
@@ -257,26 +273,28 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 3811,
+ "recordedfuture.entity.id": "idn:gpgju.example.com",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2018-07-27T15:22:39.390Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "gpgju.example.com",
- "threatintel.recordedfuture.entity.id": "idn:gpgju.example.com",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2018-07-27T15:22:39.390Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "gpgju.example.com"
},
{
"event.category": "threat",
@@ -288,25 +306,27 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 4284,
+ "recordedfuture.entity.id": "idn:55g.example.com",
+ "recordedfuture.entity.type": "InternetDomainName",
+ "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/44",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.first_seen": "2021-01-10T21:24:38.353Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:23:45.025Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "55g.example.com",
- "threatintel.recordedfuture.entity.id": "idn:55g.example.com",
- "threatintel.recordedfuture.entity.type": "InternetDomainName",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/44",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-01-10T21:24:38.353Z",
+ "threat.indicator.last_seen": "2021-06-20T18:23:45.025Z",
+ "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "55g.example.com"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
index dbc47e31767..cf8b9c1b23e 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
@@ -9,24 +9,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 0,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "25328d1a481903f2d900479570842247",
- "threatintel.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65",
- "threatintel.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.503Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.503Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -44,10 +32,24 @@
"timestamp": "2021-06-20T18:40:18.503Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "25328d1a481903f2d900479570842247",
+ "threat.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65",
+ "threat.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.503Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.503Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -59,24 +61,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 1478,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b",
- "threatintel.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17",
- "threatintel.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.452Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.452Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -94,10 +84,24 @@
"timestamp": "2021-06-20T18:40:18.452Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b",
+ "threat.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17",
+ "threat.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.452Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.452Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -109,24 +113,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 2954,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209",
- "threatintel.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8",
- "threatintel.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.343Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.343Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -144,10 +136,24 @@
"timestamp": "2021-06-20T18:40:18.343Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209",
+ "threat.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8",
+ "threat.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.343Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.343Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -159,24 +165,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 4457,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635",
- "threatintel.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9",
- "threatintel.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.258Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.258Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -194,10 +188,24 @@
"timestamp": "2021-06-20T18:40:18.257Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635",
+ "threat.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9",
+ "threat.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.258Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.258Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -209,24 +217,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 5932,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e",
- "threatintel.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2",
- "threatintel.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.131Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.131Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -236,10 +232,24 @@
"timestamp": "2021-06-19T17:39:24.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/14",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "1/14",
+ "recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e",
+ "threat.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2",
+ "threat.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.131Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.131Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -251,24 +261,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 7054,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af",
- "threatintel.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705",
- "threatintel.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.093Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.093Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -286,10 +284,24 @@
"timestamp": "2021-06-20T18:40:18.093Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af",
+ "threat.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705",
+ "threat.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.093Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.093Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -301,24 +313,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 8550,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a",
- "threatintel.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e",
- "threatintel.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.070Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.070Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -336,10 +336,24 @@
"timestamp": "2021-06-20T18:40:18.070Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a",
+ "threat.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e",
+ "threat.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.070Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.070Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -351,24 +365,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 10020,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4",
- "threatintel.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2",
- "threatintel.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.011Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.011Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -386,10 +388,24 @@
"timestamp": "2021-06-20T18:40:18.010Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4",
+ "threat.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2",
+ "threat.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.011Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.011Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -401,24 +417,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 11492,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542",
- "threatintel.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645",
- "threatintel.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:17.964Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:17.964Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -436,10 +440,24 @@
"timestamp": "2021-06-20T18:40:17.964Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542",
+ "threat.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645",
+ "threat.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "threat.indicator.first_seen": "2021-06-20T18:40:17.964Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:17.964Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "threat.indicator.type": "file"
},
{
"event.category": "threat",
@@ -451,24 +469,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 12964,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1",
- "threatintel.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711",
- "threatintel.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:17.919Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:17.919Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 3,
"criticalityLabel": "Malicious",
@@ -486,9 +492,23 @@
"timestamp": "2021-06-20T18:40:17.919Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1",
+ "threat.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711",
+ "threat.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "threat.indicator.first_seen": "2021-06-20T18:40:17.919Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:17.919Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "threat.indicator.type": "file"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
index 74488f715da..c46c3e2a51f 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
@@ -9,32 +9,34 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 0,
+ "recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.as.number": 31287,
- "threatintel.indicator.as.organization.name": "IPACCT CABLE Ltd",
- "threatintel.indicator.first_seen": "2021-04-18T00:11:48.512Z",
- "threatintel.indicator.geo.city_name": "Radnevo",
- "threatintel.indicator.geo.continent_name": "Europe",
- "threatintel.indicator.geo.country_name": "Bulgaria",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:32.897Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.indicator.type": "ipv6-addr",
- "threatintel.recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 31287,
+ "threat.indicator.as.organization.name": "IPACCT CABLE Ltd",
+ "threat.indicator.first_seen": "2021-04-18T00:11:48.512Z",
+ "threat.indicator.geo.city_name": "Radnevo",
+ "threat.indicator.geo.continent_name": "Europe",
+ "threat.indicator.geo.country_name": "Bulgaria",
+ "threat.indicator.last_seen": "2021-06-19T19:40:32.897Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "threat.indicator.type": "ipv6-addr"
},
{
"event.category": "threat",
@@ -46,32 +48,33 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 763,
+ "recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.as.number": 197207,
- "threatintel.indicator.as.organization.name": "Mobile Communication Company of Iran PLC",
- "threatintel.indicator.first_seen": "2021-06-19T17:55:58.019Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "Iran",
- "threatintel.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:32.839Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.indicator.type": "ipv6-addr",
- "threatintel.recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 197207,
+ "threat.indicator.as.organization.name": "Mobile Communication Company of Iran PLC",
+ "threat.indicator.first_seen": "2021-06-19T17:55:58.019Z",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "Iran",
+ "threat.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "threat.indicator.last_seen": "2021-06-19T19:40:32.839Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "threat.indicator.type": "ipv6-addr"
},
{
"event.category": "threat",
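Review bot: The new side of this hunk changes more than the field prefix: the old fixture pinned `"threatintel.indicator.geo.city_name": null` for this entry, and the new side has no `threat.indicator.geo.city_name` at all, so the expected output now also asserts that null-valued enrichment keys are dropped (the same happens to the null AS and geo keys in the following entries). That is presumably a null-stripping step in the updated pipeline rather than a fixture artifact, but nothing in this file says so. Since the fixture is strict JSON with nowhere to put a comment, the place to record it is the module's field documentation or the pipeline itself, e.g. a note that `threat.indicator.geo.*` and `threat.indicator.as.*` are only present when RecordedFuture returns a value, so consumers keyed on those fields must tolerate absence rather than null. Worth confirming the pipeline change is intentional before relying on the regenerated expected file as the spec.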
@@ -83,31 +86,29 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 1531,
+ "recordedfuture.entity.id": "ip:203.0.113.55",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
+ "recordedfuture.ip_range": "203.0.113.55/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.as.organization.name": null,
- "threatintel.indicator.first_seen": "2021-06-19T19:40:30.596Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": null,
- "threatintel.indicator.geo.country_name": null,
- "threatintel.indicator.ip": "203.0.113.55",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:30.596Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.55",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
- "threatintel.recordedfuture.ip_range": "203.0.113.55/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-19T19:40:30.596Z",
+ "threat.indicator.ip": "203.0.113.55",
+ "threat.indicator.last_seen": "2021-06-19T19:40:30.596Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -119,32 +120,34 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 2161,
+ "recordedfuture.entity.id": "ip:203.0.113.108",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
+ "recordedfuture.ip_range": "203.0.113.108/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.as.number": 17622,
- "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network",
- "threatintel.indicator.first_seen": "2021-06-19T19:40:20.534Z",
- "threatintel.indicator.geo.city_name": "Guangzhou",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "China",
- "threatintel.indicator.ip": "203.0.113.108",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:20.534Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.108",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
- "threatintel.recordedfuture.ip_range": "203.0.113.108/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 17622,
+ "threat.indicator.as.organization.name": "China Unicom Guangzhou network",
+ "threat.indicator.first_seen": "2021-06-19T19:40:20.534Z",
+ "threat.indicator.geo.city_name": "Guangzhou",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "China",
+ "threat.indicator.ip": "203.0.113.108",
+ "threat.indicator.last_seen": "2021-06-19T19:40:20.534Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -156,32 +159,33 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 2851,
+ "recordedfuture.entity.id": "ip:203.0.113.139",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
+ "recordedfuture.ip_range": "203.0.113.139/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.as.number": 7713,
- "threatintel.indicator.as.organization.name": "PT Telekomunikasi Indonesia",
- "threatintel.indicator.first_seen": "2016-06-23T07:39:06.418Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "Indonesia",
- "threatintel.indicator.ip": "203.0.113.139",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:03.882Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.139",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
- "threatintel.recordedfuture.ip_range": "203.0.113.139/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 7713,
+ "threat.indicator.as.organization.name": "PT Telekomunikasi Indonesia",
+ "threat.indicator.first_seen": "2016-06-23T07:39:06.418Z",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "Indonesia",
+ "threat.indicator.ip": "203.0.113.139",
+ "threat.indicator.last_seen": "2021-06-19T19:40:03.882Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -193,32 +197,34 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 3532,
+ "recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.as.number": 17622,
- "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network",
- "threatintel.indicator.first_seen": "2021-06-19T19:40:02.557Z",
- "threatintel.indicator.geo.city_name": "Guangzhou",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "China",
- "threatintel.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:02.557Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.indicator.type": "ipv6-addr",
- "threatintel.recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 17622,
+ "threat.indicator.as.organization.name": "China Unicom Guangzhou network",
+ "threat.indicator.first_seen": "2021-06-19T19:40:02.557Z",
+ "threat.indicator.geo.city_name": "Guangzhou",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "China",
+ "threat.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "threat.indicator.last_seen": "2021-06-19T19:40:02.557Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "threat.indicator.type": "ipv6-addr"
},
{
"event.category": "threat",
@@ -230,32 +236,34 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 4295,
+ "recordedfuture.entity.id": "ip:192.0.2.147",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
+ "recordedfuture.ip_range": "192.0.2.147/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
"service.type": "threatintel",
"tags": [
"forwarded",
"threatintel-recordedfuture"
],
- "threatintel.indicator.as.number": 4837,
- "threatintel.indicator.as.organization.name": "CHINA UNICOM China169 Backbone",
- "threatintel.indicator.first_seen": "2017-12-20T02:21:07.734Z",
- "threatintel.indicator.geo.city_name": "Zhengzhou",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "China",
- "threatintel.indicator.ip": "192.0.2.147",
- "threatintel.indicator.last_seen": "2021-06-19T19:39:43.160Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:192.0.2.147",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
- "threatintel.recordedfuture.ip_range": "192.0.2.147/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 4837,
+ "threat.indicator.as.organization.name": "CHINA UNICOM China169 Backbone",
+ "threat.indicator.first_seen": "2017-12-20T02:21:07.734Z",
+ "threat.indicator.geo.city_name": "Zhengzhou",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "China",
+ "threat.indicator.ip": "192.0.2.147",
+ "threat.indicator.last_seen": "2021-06-19T19:39:43.160Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -267,28 +275,13 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 4972,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.as.number": 9829,
- "threatintel.indicator.as.organization.name": "National Internet Backbone",
- "threatintel.indicator.first_seen": "2019-12-24T09:54:02.935Z",
- "threatintel.indicator.geo.city_name": "Palakkad",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "India",
- "threatintel.indicator.ip": "203.0.113.198",
- "threatintel.indicator.last_seen": "2021-06-19T19:39:25.532Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.198",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
- "threatintel.recordedfuture.ip_range": "203.0.113.198/32",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "ip:203.0.113.198",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
+ "recordedfuture.ip_range": "203.0.113.198/32",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -298,10 +291,27 @@
"timestamp": "2019-12-24T09:53:13.546Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/54",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/54",
+ "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 9829,
+ "threat.indicator.as.organization.name": "National Internet Backbone",
+ "threat.indicator.first_seen": "2019-12-24T09:54:02.935Z",
+ "threat.indicator.geo.city_name": "Palakkad",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "India",
+ "threat.indicator.ip": "203.0.113.198",
+ "threat.indicator.last_seen": "2021-06-19T19:39:25.532Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -313,28 +323,13 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 5970,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.as.number": 9829,
- "threatintel.indicator.as.organization.name": "National Internet Backbone",
- "threatintel.indicator.first_seen": "2020-03-03T08:10:28.489Z",
- "threatintel.indicator.geo.city_name": "Bangalore",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "India",
- "threatintel.indicator.ip": "192.0.2.179",
- "threatintel.indicator.last_seen": "2021-06-19T19:39:11.694Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:192.0.2.179",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
- "threatintel.recordedfuture.ip_range": "192.0.2.179/32",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "ip:192.0.2.179",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
+ "recordedfuture.ip_range": "192.0.2.179/32",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -360,10 +355,27 @@
"timestamp": "2021-06-21T19:53:19.897Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "3/54",
- "threatintel.recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 3,
- "threatintel.recordedfuture.risk.score": 15
+ "recordedfuture.risk.riskString": "3/54",
+ "recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 3,
+ "recordedfuture.risk.score": 15,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 9829,
+ "threat.indicator.as.organization.name": "National Internet Backbone",
+ "threat.indicator.first_seen": "2020-03-03T08:10:28.489Z",
+ "threat.indicator.geo.city_name": "Bangalore",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "India",
+ "threat.indicator.ip": "192.0.2.179",
+ "threat.indicator.last_seen": "2021-06-19T19:39:11.694Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
+ "threat.indicator.type": "ipv4-addr"
},
{
"event.category": "threat",
@@ -375,28 +387,13 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 7483,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.as.number": 45899,
- "threatintel.indicator.as.organization.name": "VNPT Corp",
- "threatintel.indicator.first_seen": "2021-06-19T19:38:57.372Z",
- "threatintel.indicator.geo.city_name": "Long Phu",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "Vietnam",
- "threatintel.indicator.ip": "192.0.2.245",
- "threatintel.indicator.last_seen": "2021-06-19T19:38:57.372Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:192.0.2.245",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
- "threatintel.recordedfuture.ip_range": "192.0.2.245/32",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "ip:192.0.2.245",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
+ "recordedfuture.ip_range": "192.0.2.245/32",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -406,9 +403,26 @@
"timestamp": "2021-06-19T19:50:20.162Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/54",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/54",
+ "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 45899,
+ "threat.indicator.as.organization.name": "VNPT Corp",
+ "threat.indicator.first_seen": "2021-06-19T19:38:57.372Z",
+ "threat.indicator.geo.city_name": "Long Phu",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "Vietnam",
+ "threat.indicator.ip": "192.0.2.245",
+ "threat.indicator.last_seen": "2021-06-19T19:38:57.372Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
+ "threat.indicator.type": "ipv4-addr"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
index 779d86ae965..f840643fef3 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
@@ -9,26 +9,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 0,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "d6s.example.net",
- "threatintel.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.indicator.url.path": "/nzy/vvc68ke",
- "threatintel.indicator.url.query": "p5uxwn=1bj",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -38,10 +24,26 @@
"timestamp": "2021-04-15T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "d6s.example.net",
+ "threat.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "threat.indicator.url.path": "/nzy/vvc68ke",
+ "threat.indicator.url.query": "p5uxwn=1bj",
+ "threat.indicator.url.scheme": "https"
},
{
"event.category": "threat",
@@ -53,26 +55,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 874,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ga7v9u.example.org",
- "threatintel.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.indicator.url.path": "/bnqv8e2v8/qb49",
- "threatintel.indicator.url.query": "7kq=iw61",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -82,10 +70,26 @@
"timestamp": "2021-02-14T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ga7v9u.example.org",
+ "threat.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "threat.indicator.url.path": "/bnqv8e2v8/qb49",
+ "threat.indicator.url.query": "7kq=iw61",
+ "threat.indicator.url.scheme": "https"
},
{
"event.category": "threat",
@@ -97,26 +101,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 1760,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cdmw.example.net",
- "threatintel.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.indicator.url.path": "/c20fwa/wwn",
- "threatintel.indicator.url.query": "dlz53=z6ovc",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -126,10 +116,26 @@
"timestamp": "2021-05-15T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cdmw.example.net",
+ "threat.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "threat.indicator.url.path": "/c20fwa/wwn",
+ "threat.indicator.url.query": "dlz53=z6ovc",
+ "threat.indicator.url.scheme": "https"
},
{
"event.category": "threat",
@@ -141,26 +147,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 2627,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "4mne.example.local",
- "threatintel.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.indicator.url.path": "/ns2rk8f/wngtk2xz",
- "threatintel.indicator.url.query": "vceuk7wl6=3p0",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -170,10 +162,26 @@
"timestamp": "2021-02-14T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "4mne.example.local",
+ "threat.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "threat.indicator.url.path": "/ns2rk8f/wngtk2xz",
+ "threat.indicator.url.query": "vceuk7wl6=3p0",
+ "threat.indicator.url.scheme": "https"
},
{
"event.category": "threat",
@@ -185,26 +193,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 3524,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "z198hloc8.example.com",
- "threatintel.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.indicator.url.path": "/f8ih39/f6kou",
- "threatintel.indicator.url.query": "f6-u3=uwhii",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -214,10 +208,26 @@
"timestamp": "2020-06-24T12:01:33.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "z198hloc8.example.com",
+ "threat.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "threat.indicator.url.path": "/f8ih39/f6kou",
+ "threat.indicator.url.query": "f6-u3=uwhii",
+ "threat.indicator.url.scheme": "http"
},
{
"event.category": "threat",
@@ -229,26 +239,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 4377,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "y484j-fb6.example.local",
- "threatintel.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.indicator.url.path": "/b97s24xf/prz",
- "threatintel.indicator.url.query": "sg-x1do=4myont",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -258,10 +254,26 @@
"timestamp": "2021-02-14T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "y484j-fb6.example.local",
+ "threat.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "threat.indicator.url.path": "/b97s24xf/prz",
+ "threat.indicator.url.query": "sg-x1do=4myont",
+ "threat.indicator.url.scheme": "http"
},
{
"event.category": "threat",
@@ -273,26 +285,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 5272,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "sp2xyqq82.example.local",
- "threatintel.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.indicator.url.path": "/zxvm093/kat1rcz",
- "threatintel.indicator.url.query": "vaev0aeod=rc0513",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -302,10 +300,26 @@
"timestamp": "2020-11-16T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "sp2xyqq82.example.local",
+ "threat.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "threat.indicator.url.path": "/zxvm093/kat1rcz",
+ "threat.indicator.url.query": "vaev0aeod=rc0513",
+ "threat.indicator.url.scheme": "http"
},
{
"event.category": "threat",
@@ -317,26 +331,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 6187,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "zh4o7xc.example.com",
- "threatintel.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.indicator.url.path": "/-yiq/vg2whtxif",
- "threatintel.indicator.url.query": "cb0-knk=s6poib5r",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -346,10 +346,26 @@
"timestamp": "2021-05-15T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "zh4o7xc.example.com",
+ "threat.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "threat.indicator.url.path": "/-yiq/vg2whtxif",
+ "threat.indicator.url.query": "cb0-knk=s6poib5r",
+ "threat.indicator.url.scheme": "https"
},
{
"event.category": "threat",
@@ -361,26 +377,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 7094,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "fiivf4s.example.org",
- "threatintel.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.indicator.url.path": "/8u2qi/86vfcfq7m",
- "threatintel.indicator.url.query": "pfb2ensc0=h7imk8io2",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -390,10 +392,26 @@
"timestamp": "2021-02-14T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "fiivf4s.example.org",
+ "threat.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "threat.indicator.url.path": "/8u2qi/86vfcfq7m",
+ "threat.indicator.url.query": "pfb2ensc0=h7imk8io2",
+ "threat.indicator.url.scheme": "http"
},
{
"event.category": "threat",
@@ -405,26 +423,12 @@
"fileset.name": "recordedfuture",
"input.type": "log",
"log.offset": 8007,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "abav9v.example.org",
- "threatintel.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.indicator.url.path": "/gj93q/7fs7",
- "threatintel.indicator.url.query": "kcq7=pjaj1",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
{
"criticality": 1,
"criticalityLabel": "Unusual",
@@ -434,9 +438,25 @@
"timestamp": "2021-02-14T00:00:00.000Z"
}
],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "abav9v.example.org",
+ "threat.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "threat.indicator.url.path": "/gj93q/7fs7",
+ "threat.indicator.url.query": "kcq7=pjaj1",
+ "threat.indicator.url.scheme": "http"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/threatq/config/config.yml b/x-pack/filebeat/module/threatintel/threatq/config/config.yml
index 89e8cab731e..0f520215bc8 100644
--- a/x-pack/filebeat/module/threatintel/threatq/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/threatq/config/config.yml
@@ -1,7 +1,6 @@
{{ if eq .input "httpjson" }}
type: httpjson
-config_version: "2"
interval: {{ .interval }}
auth.oauth2:
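Review bot: Removing `config_version: "2"` leaves the httpjson input's schema version implicit, while the `auth.oauth2:` stanza directly below it is v2-only syntax. That is harmless where v2 is the only schema, which is presumably the release line this commit targets, but on any Filebeat that still ships httpjson v1 the unversioned block would be read against the v1 schema and fail on these keys. If the module is meant to stay loadable there, keep the line; otherwise a one-line comment such as `# httpjson v2 is the only schema; config_version is no longer needed` would spare the next reader the same question.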
@@ -50,22 +49,12 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- process_array: true
- max_depth: 5
- overwrite_keys: true
- add_error_key: true
- - fingerprint:
- fields: ["json.id", "json.indicator_id"]
- target_field: "@metadata._id"
- ignore_missing: true
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
\ No newline at end of file
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
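Review bot: The `- {{$val}}` emitted inside the `range` over `.tags` renders each tag as a plain YAML scalar, so a user-supplied tag that looks like a boolean, number or date (`no`, `1.0`, `2021-01-01`) is retyped by the loader instead of staying a string. Quoting the templated value, `- "{{$val}}"`, keeps every tag a string and also survives an empty expansion; the literal `preserve_original_event` entry above it needs no change.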
diff --git a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml
index 6d301f89844..96f8b224e19 100644
--- a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml
@@ -1,3 +1,4 @@
+---
description: Pipeline for parsing ThreatQ Threat Intel
processors:
####################
@@ -6,6 +7,9 @@ processors:
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
- set:
field: event.kind
value: enrichment
@@ -19,6 +23,19 @@ processors:
###############
# Parse dates #
###############
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - fingerprint:
+ fields:
+ - json.id
+ - json.indicator_id
+ target_field: "_id"
+ ignore_missing: true
- date:
target_field: "@timestamp"
field: "json.updated_at"
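Review bot: The new `json` processor on `event.original` has no `on_failure` or `ignore_failure`, so a non-JSON line aborts the whole pipeline unless a pipeline-level `on_failure` handler exists outside this hunk; the Beat-side `decode_json_fields` it replaces had `add_error_key: true`, which recorded the error on the event instead of dropping it. If there is no top-level handler, either `ignore_failure: true` on the processor or an `on_failure` that appends `{{{ _ingest.on_failure_message }}}` to `error.message` restores that behaviour. The `rename` of `message` to `event.original` also needs a matching `remove` of `event.original` when the `preserve_original_event` tag is absent (config.yml now adds that tag); the removal is not in this hunk, so confirm it exists further down the pipeline.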
@@ -27,28 +44,28 @@ processors:
if: "ctx.json.updated_at != null"
ignore_failure: true
- date:
- target_field: "threatintel.threatq.created_at"
+ target_field: "threatq.created_at"
field: "json.created_at"
formats:
- "yyyy-MM-dd HH:mm:ss"
if: "ctx.json.created_at != null"
ignore_failure: true
- date:
- target_field: "threatintel.threatq.expires_at"
+ target_field: "threatq.expires_at"
field: "json.expires_at"
formats:
- "yyyy-MM-dd HH:mm:ss"
if: "ctx.json.expires_at != null"
ignore_failure: true
- date:
- target_field: "threatintel.threatq.expires_calculated_at"
+ target_field: "threatq.expires_calculated_at"
field: "json.expires_calculated_at"
formats:
- "yyyy-MM-dd HH:mm:ss"
if: "ctx.json.expires_calculated_at != null"
ignore_failure: true
- date:
- target_field: "threatintel.threatq.published_at"
+ target_field: "threatq.published_at"
field: "json.published_at"
formats:
- "yyyy-MM-dd HH:mm:ss"
@@ -58,29 +75,50 @@ processors:
#####################
# Threat ECS Fields #
#####################
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] ThreatQuotient"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
- rename:
field: json.type.name
- target_field: threatintel.indicator.type
+ target_field: threat.indicator.type
ignore_missing: true
- rename:
field: json.description
- target_field: threatintel.indicator.description
+ target_field: threat.indicator.description
ignore_missing: true
- - convert:
- field: json.score
- target_field: threatintel.indicator.confidence
- type: integer
- on_failure:
- - append:
- field: error.message
- value: "Cannot convert json.score to integer: {{{ _ingest.on_failure_message }}}"
+ - script:
+ lang: painless
+ if: ctx.json?.score != null
+ description: >
+ Normalize confidence level.
+ source: >
+ def value = ctx.json.score;
+ if (value <= 0.0 || value > 100.0) {
+ ctx.threat.indicator.confidence = "None";
+ return;
+ }
+ if (value >= 1.0 && value <= 29.0) {
+ ctx.threat.indicator.confidence = "Low";
+ return;
+ }
+ if (value >= 30.0 && value <= 69.0) {
+ ctx.threat.indicator.confidence = "Med";
+ return;
+ }
+ if (value >= 70 && value <= 100) {
+ ctx.threat.indicator.confidence = "High";
+ return;
+ }
- rename:
field: json.status.name
- target_field: threatintel.threatq.status
+ target_field: threatq.status
ignore_missing: true
- rename:
field: json.value
- target_field: threatintel.threatq.indicator_value
+ target_field: threatq.indicator_value
ignore_missing: true
#########################################
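Review bot: The confidence script leaves gaps between its ranges: a score strictly between 0 and 1, 29 and 30, or 69 and 70 matches none of the four `if` blocks, so `threat.indicator.confidence` is never set for it, and the mixed `29.0`/`70` literals suggest the boundaries were written with integer scores in mind. The removed `convert` processor also tolerated a non-numeric `json.score` through its `on_failure`, whereas a string score now throws inside the script with no handler, so the parse should be explicit. `"Med"` is not among the values ECS lists for `threat.indicator.confidence` (`None`, `Low`, `Medium`, `High`, `Not Specified`), so it looks like a typo; if it is corrected, the module's expected fixtures need regenerating. The rewrite below uses open-ended `else if` boundaries so every in-range value gets a label; it still assumes `threat.indicator` exists, which the preceding `ignore_missing` renames do not guarantee, so a guard before the assignment may be warranted.
```yaml
  - script:
      lang: painless
      if: ctx.json?.score != null
      description: >
        Normalize confidence level.
      source: >
        def value = ctx.json.score;
        if (value instanceof String) {
          value = Double.parseDouble(value);
        }
        if (value <= 0.0 || value > 100.0) {
          ctx.threat.indicator.confidence = "None";
        } else if (value < 30.0) {
          ctx.threat.indicator.confidence = "Low";
        } else if (value < 70.0) {
          ctx.threat.indicator.confidence = "Medium";
        } else {
          ctx.threat.indicator.confidence = "High";
        }
  # … unchanged: rename of json.status.name and json.value …
```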
@@ -89,119 +127,144 @@ processors:
# Indicator type: Email Address
- set:
- field: threatintel.indicator.email.address
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'"
+ field: threat.indicator.email.address
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'"
+ ignore_empty_value: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: email-addr
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'"
# Indicator type: FQDN
- set:
- field: threatintel.indicator.domain
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'"
+ field: threat.indicator.domain
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'"
+ ignore_empty_value: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: domain-name
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'"
# Indicator type: IP Address
- set:
- field: threatintel.indicator.ip
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IP Address'"
+ field: threat.indicator.ip
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'"
+ ignore_empty_value: true
+
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: ipv4-addr
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IP Address'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'"
# Indicator type: IPv6 Address
- set:
- field: threatintel.indicator.domain
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'"
+ field: threat.indicator.domain
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'"
+ ignore_empty_value: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: ipv6-addr
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'"
# Indicator type: MD5
- set:
- field: threatintel.indicator.file.hash.md5
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'"
+ field: threat.indicator.file.hash.md5
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'"
+ ignore_empty_value: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'"
# Indicator type: SHA-1
- set:
- field: threatintel.indicator.file.hash.sha1
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'"
+ field: threat.indicator.file.hash.sha1
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'"
+ ignore_empty_value: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'"
# Indicator type: SHA-256
- set:
- field: threatintel.indicator.file.hash.sha256
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'"
+ field: threat.indicator.file.hash.sha256
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'"
+ ignore_empty_value: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'"
# Indicator type: SHA-512
- set:
- field: threatintel.indicator.file.hash.sha512
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'"
+ field: threat.indicator.file.hash.sha512
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'"
+ ignore_empty_value: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: file
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'"
# Indicator type: URL
+ - uri_parts:
+ field: threatq.indicator_value
+ target_field: threat.indicator.url
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL' && ctx.threatq?.indicator_value != null"
+ remove_if_successful: true
- set:
- field: threatintel.indicator.url.full
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'"
- - set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: url
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'"
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL'"
# Indicator type: x509 Serial
- set:
- field: threatintel.indicator.x509.serial_number
- value: "{{threatintel.threatq.indicator_value}}"
- if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'x509 Serial'"
+ field: threat.indicator.x509.serial_number
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'x509 Serial'"
+ ignore_empty_value: true
###################################
# Map indicator providers and TLP #
###################################
- - foreach:
- description: Append threat intel sources
- field: json.sources
- ignore_missing: true
- processor:
- append:
- field: threatintel.indicator.provider
- value: "{{{ _ingest._value.name }}}"
- - foreach:
- description: Append threat intel source TLP values
- field: json.sources
- ignore_missing: true
- processor:
- append:
- field: threatintel.indicator.marking.tlp
- value: "{{{ _ingest._value.tlp_name }}}"
+ - script:
+ if: "ctx.json?.sources != null && ctx.json?.sources instanceof List && ctx.json?.sources.size() > 0"
+ lang: painless
+ description: "Extract TLP and providers from source"
+ source: |-
+ def providers = new ArrayList();
+ def tlps = new ArrayList();
+ for (source in ctx.json.sources) {
+ if (source == null) {
+ return;
+ }
+ if (source.containsKey("provider") && source["provider"] != null) {
+ providers.add(source["provider"]);
+ }
+ if (source.containsKey("tlp_name") && source["tlp_name"] != null) {
+ tlps.add(source["tlp_name"]);
+ }
+ }
+ if (tlps.size() > 0) {
+ if (ctx.threat.indicator.marking == null) {
+ ctx.threat.indicator.marking = new HashMap();
+ }
+ ctx.threat.indicator.marking.tlp = tlps;
+ }
+ if (providers.size() > 0) {
+ if (ctx.threat.indicator.provider == null) {
+ ctx.threat.indicator.provider = new HashMap();
+ }
+ ctx.threat.indicator.provider = providers;
+ }
############################
# Map indicator attributes #
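Review bot: In the new sources script, the `return;` under `if (source == null)` aborts the whole processor and discards every provider and TLP already collected from earlier elements; `continue;` is the statement intended there. The same script reads `source["provider"]`, whereas the foreach it replaces read `_ingest._value.name`, and the expected-output file updated in this commit no longer contains `threat.indicator.provider` at all, which suggests the sample sources carry `name` rather than `provider` — worth confirming against the ThreatQ payload before merging. The `ctx.threat.indicator.provider = new HashMap();` block is dead code, since the next statement overwrites the field with `providers`. Separately, the IPv6 Address branch still copies the value into `threat.indicator.domain`; for consistency with the IPv4 branch it should be `field: threat.indicator.ip`.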
@@ -228,7 +291,7 @@ processors:
ignore_missing: true
processor:
append:
- field: threatintel.threatq.attributes.{{{ _ingest._value.name }}}
+ field: threatq.attributes.{{{ _ingest._value.name }}}
value: "{{{ _ingest._value.value }}}"
#############################
@@ -239,20 +302,25 @@ processors:
ignore_missing: true
processor:
append:
- field: threatintel.threatq.adversaries
+ field: threatq.adversaries
value: "{{{ _ingest._value.name }}}"
######################
# Cleanup processors #
######################
# Setting indicator type to unknown if it does not match anything
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
- set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx.threat?.indicator?.type == null
- script:
lang: painless
- if: ctx?.threatintel != null
+ if: ctx.threat != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
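Review bot: The inserted `remove` processor for `event.original` now sits between the comment `# Setting indicator type to unknown if it does not match anything` and the `set` processor that comment describes, so the comment reads as if it explained the removal. Move the `remove` block above that comment, or give it its own, such as `# Drop the raw event unless the preserve_original_event tag is set`. The condition on the new processor also keeps the `ctx?.tags` spelling that the rest of this change replaces with plain `ctx.` access; both presumably evaluate the same, but the file is now mixed. The final script's body continues outside the hunk.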
diff --git a/x-pack/filebeat/module/threatintel/threatq/manifest.yml b/x-pack/filebeat/module/threatintel/threatq/manifest.yml
index dd7165b182f..d5628d2a705 100644
--- a/x-pack/filebeat/module/threatintel/threatq/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/threatq/manifest.yml
@@ -11,11 +11,13 @@ var:
- name: client_id
- name: client_secret
- name: host
- default: "https://www.threatq.com/"
+ default: "https://www.threatq.com"
- name: proxy_url
- name: http_client_timeout
- name: tags
default: [threatintel-threatq, forwarded]
+ - name: preserve_original_event
+ default: false
ingest_pipeline:
- ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json
index 58c61e5161c..58958850bd5 100644
--- a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json
@@ -14,38 +14,34 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.44.202.220",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.44.202.220",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"3"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"Saipan"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"MP"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.44.202.220",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.44.202.220",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -62,38 +58,34 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.94.155.176",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.94.155.176",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"2"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"Sacramento"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"US"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.94.155.176",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.94.155.176",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -110,38 +102,34 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.42.81.68",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.42.81.68",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"2"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"New York"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"US"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.42.81.68",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.42.81.68",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -158,32 +146,28 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "37.17.250.101",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "37.17.250.101",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"2"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:41.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z",
- "threatintel.threatq.indicator_value": "37.17.250.101",
- "threatintel.threatq.published_at": "2020-09-11T14:35:41.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:41.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z",
+ "threatq.indicator_value": "37.17.250.101",
+ "threatq.published_at": "2020-09-11T14:35:41.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -200,38 +184,34 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.94.129.203",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.94.129.203",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"2"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"Sacramento"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"US"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.94.129.203",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.94.129.203",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -248,38 +228,34 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.216.117.22",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.216.117.22",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"3"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"Houston"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"US"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.216.117.22",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.216.117.22",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -296,38 +272,34 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.80.70.115",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.80.70.115",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"2"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"Fort Lauderdale"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"US"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.80.70.115",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.80.70.115",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -344,38 +316,34 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.65.79.99",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.65.79.99",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"2"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"Pompano Beach"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"US"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.65.79.99",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.65.79.99",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
},
{
"@timestamp": "2020-11-15T00:00:02.000Z",
@@ -392,37 +360,33 @@
"forwarded",
"threatintel-threatq"
],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.199.22.46",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.199.22.46",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
"4"
],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
"3"
],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
"2"
],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
"Little Elm"
],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
"US"
],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
"Malicious Host"
],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.199.22.46",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.199.22.46",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc
index 9b7e4401204..d56df0ba01b 100644
--- a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" devic
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.paths`*::
diff --git a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc
index 5728796de54..779c5deabc0 100644
--- a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device
*`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
*`var.syslog_host`*::
diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml
index fc162f600dd..5ea23a3b0db 100644
--- a/x-pack/functionbeat/functionbeat.reference.yml
+++ b/x-pack/functionbeat/functionbeat.reference.yml
@@ -1177,11 +1177,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. functionbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Functionbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1366,6 +1361,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
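Review bot: The new comment for `http.pprof.enabled` recommends enabling it "only on localhost", but this setting does not choose an address; the profiling endpoints are presumably served by the same listener the HTTP endpoint already binds through `http.host`, which the comment does not mention. A reader who has pointed `http.host` at a non-loopback address for the stats endpoint cannot tell from this text that the same listener would then expose pprof. Suggest `# Enable this only while http.host is bound to a loopback address, as these endpoints may leak data.` in place of the second line. The same text is added in the heartbeat and metricbeat reference files in this commit.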
diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml
index dc6622a50b3..8f0f019626b 100644
--- a/x-pack/heartbeat/heartbeat.reference.yml
+++ b/x-pack/heartbeat/heartbeat.reference.yml
@@ -1529,11 +1529,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. heartbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Heartbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1718,6 +1713,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml
index c1d3f485cb6..be4adb144c8 100644
--- a/x-pack/metricbeat/metricbeat.reference.yml
+++ b/x-pack/metricbeat/metricbeat.reference.yml
@@ -2727,11 +2727,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. metricbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Metricbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -2916,6 +2911,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/x-pack/metricbeat/module/aws/rds/manifest.yml b/x-pack/metricbeat/module/aws/rds/manifest.yml
index 0cd7117778d..997a8c71ea3 100644
--- a/x-pack/metricbeat/module/aws/rds/manifest.yml
+++ b/x-pack/metricbeat/module/aws/rds/manifest.yml
@@ -159,7 +159,7 @@ processors:
- from: "aws.rds.metrics.TransactionLogsGeneration.avg"
to: "aws.rds.transaction_logs_generation"
- from: "aws.rds.metrics.WriteIOPS.avg"
- to: "aws.rds.write_iops"
+ to: "aws.rds.write.iops"
- from: "aws.rds.metrics.Queries.avg"
to: "aws.rds.queries"
- from: "aws.rds.metrics.Deadlocks.avg"
diff --git a/x-pack/metricbeat/module/azure/billing/billing.go b/x-pack/metricbeat/module/azure/billing/billing.go
index 66917644296..ea2a788b292 100644
--- a/x-pack/metricbeat/module/azure/billing/billing.go
+++ b/x-pack/metricbeat/module/azure/billing/billing.go
@@ -5,8 +5,6 @@
package billing
import (
- "time"
-
"github.com/pkg/errors"
"github.com/elastic/beats/v7/x-pack/metricbeat/module/azure"
@@ -60,13 +58,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
// It publishes the event which is then forwarded to the output. In case
// of an error set the Error field of mb.Event or simply call report.Error().
func (m *MetricSet) Fetch(report mb.ReporterV2) error {
- startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour)
- endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1))
- results, err := m.client.GetMetrics(startTime, endTime)
+ results, err := m.client.GetMetrics()
if err != nil {
return errors.Wrap(err, "error retrieving usage information")
}
- events := EventsMapping(results, startTime, endTime, m.client.Config.SubscriptionId)
+ events := EventsMapping(m.client.Config.SubscriptionId, results)
for _, event := range events {
isOpen := report.Event(event)
if !isOpen {
diff --git a/x-pack/metricbeat/module/azure/billing/client.go b/x-pack/metricbeat/module/azure/billing/client.go
index 2d7ce9bca9a..3f1c73bf2f0 100644
--- a/x-pack/metricbeat/module/azure/billing/client.go
+++ b/x-pack/metricbeat/module/azure/billing/client.go
@@ -12,6 +12,7 @@ import (
"github.com/pkg/errors"
+ prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption"
"github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption"
"github.com/elastic/beats/v7/libbeat/logp"
@@ -25,7 +26,7 @@ type Client struct {
}
type Usage struct {
- UsageDetails []consumption.BasicUsageDetail
+ UsageDetails []prevConsumption.UsageDetail
ActualCosts []consumption.Forecast
ForecastCosts []consumption.Forecast
}
@@ -45,7 +46,8 @@ func NewClient(config azure.Config) (*Client, error) {
}
// GetMetrics returns the usage detail and forecast values.
-func (client *Client) GetMetrics(startTime time.Time, endTime time.Time) (Usage, error) {
+func (client *Client) GetMetrics() (Usage, error) {
+
var usage Usage
scope := fmt.Sprintf("subscriptions/%s", client.Config.SubscriptionId)
if client.Config.BillingScopeDepartment != "" {
@@ -53,9 +55,11 @@ func (client *Client) GetMetrics(startTime time.Time, endTime time.Time) (Usage,
} else if client.Config.BillingScopeAccountId != "" {
scope = fmt.Sprintf("/providers/Microsoft.Billing/billingAccounts/%s", client.Config.BillingScopeAccountId)
}
-
- filter := fmt.Sprintf("properties/usageStart eq '%s' and properties/usageEnd eq '%s'", startTime.Format(time.RFC3339Nano), endTime.Format(time.RFC3339Nano))
- usageDetails, err := client.BillingService.GetUsageDetails(scope, "properties/meterDetails", filter, "", nil, consumption.MetrictypeActualCostMetricType)
+ startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-24) * time.Hour)
+ endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1))
+ usageDetails, err := client.BillingService.GetUsageDetails(scope, "properties/meterDetails",
+ fmt.Sprintf("properties/usageStart eq '%s' and properties/usageEnd eq '%s'", startTime.Format(time.RFC3339Nano), endTime.Format(time.RFC3339Nano)),
+ "", nil, "properties/instanceLocation")
if err != nil {
return usage, errors.Wrap(err, "Retrieving usage details failed in client")
}
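Review bot: The time window GetMetrics now queries is fixed inside the body — `startTime` is the start of the previous UTC day and `endTime` its last second — but neither the doc comment in the previous hunk nor a comment here says so, and the shift from two days back to one is unexplained; suggest `// GetMetrics returns the usage details and forecast values for the previous UTC calendar day.` above the signature and a one-line why-comment on the `startTime` assignment. The string passed as `apply`, `"properties/instanceLocation"`, reads like a property selection rather than an OData aggregation expression; it is worth confirming against the 2019-01-01 SDK documentation that `apply` accepts it, since the mock in client_test.go matches every argument with mock.Anything and would not catch a rejected value. The blank line left directly under the new signature (previous hunk) can be dropped. GetMetrics continues past this hunk.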
diff --git a/x-pack/metricbeat/module/azure/billing/client_test.go b/x-pack/metricbeat/module/azure/billing/client_test.go
index 55bd15062d3..c18562fd945 100644
--- a/x-pack/metricbeat/module/azure/billing/client_test.go
+++ b/x-pack/metricbeat/module/azure/billing/client_test.go
@@ -7,8 +7,8 @@ package billing
import (
"errors"
"testing"
- "time"
+ prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption"
"github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
@@ -26,11 +26,9 @@ func TestClient(t *testing.T) {
client.Config = config
m := &MockService{}
m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{}, errors.New("invalid query"))
- m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil)
+ m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(prevConsumption.UsageDetailsListResultPage{}, nil)
client.BillingService = m
- startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour)
- endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1))
- results, err := client.GetMetrics(startTime, endTime)
+ results, err := client.GetMetrics()
assert.Error(t, err)
assert.Equal(t, len(results.ActualCosts), 0)
m.AssertExpectations(t)
@@ -41,11 +39,9 @@ func TestClient(t *testing.T) {
m := &MockService{}
forecasts := []consumption.Forecast{{}, {}}
m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{Value: &forecasts}, nil)
- m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil)
+ m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(prevConsumption.UsageDetailsListResultPage{}, nil)
client.BillingService = m
- startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour)
- endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1))
- results, err := client.GetMetrics(startTime, endTime)
+ results, err := client.GetMetrics()
assert.NoError(t, err)
assert.Equal(t, len(results.ActualCosts), 2)
assert.Equal(t, len(results.ForecastCosts), 2)
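Review bot: Both updated GetUsageDetails expectations (here and in the first hunk of this file) match all six arguments with mock.Anything, so the date filter that GetMetrics now builds internally and the `apply` value never reach an assertion; with the caller no longer supplying the window, this test is the only place left to pin it. Consider a `mock.MatchedBy(func(filter string) bool { ... })` on the filter argument that checks it names the previous UTC date, and the literal `"properties/instanceLocation"` for the last argument. TestClient starts outside the hunk.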
diff --git a/x-pack/metricbeat/module/azure/billing/data.go b/x-pack/metricbeat/module/azure/billing/data.go
index 7f9c0a19279..9aafb87d992 100644
--- a/x-pack/metricbeat/module/azure/billing/data.go
+++ b/x-pack/metricbeat/module/azure/billing/data.go
@@ -5,6 +5,8 @@
package billing
import (
+ "fmt"
+ "strings"
"time"
"github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption"
@@ -15,71 +17,36 @@ import (
"github.com/elastic/beats/v7/metricbeat/mb"
)
-func EventsMapping(results Usage, startTime time.Time, endTime time.Time, subscriptionId string) []mb.Event {
+func EventsMapping(subscriptionId string, results Usage) []mb.Event {
var events []mb.Event
- // usage details come in different forms, most common for this api call is LegacyUsageDetail
if len(results.UsageDetails) > 0 {
- for _, ud := range results.UsageDetails {
- event := mb.Event{Timestamp: time.Now().UTC()}
- if legacyUsageDetail, err := ud.AsLegacyUsageDetail(); err == true {
- event.ModuleFields = common.MapStr{
+ for _, usageDetail := range results.UsageDetails {
+ event := mb.Event{
+ ModuleFields: common.MapStr{
"resource": common.MapStr{
- "type": legacyUsageDetail.ConsumedService,
- "group": legacyUsageDetail.ResourceGroup,
- "name": legacyUsageDetail.ResourceName,
+ "type": usageDetail.ConsumedService,
+ "group": getResourceGroupFromId(*usageDetail.InstanceID),
+ "name": usageDetail.InstanceName,
},
- "subscription_id": legacyUsageDetail.SubscriptionID,
- }
- event.MetricSetFields = common.MapStr{
- "pretax_cost": legacyUsageDetail.Cost,
- "department_name": legacyUsageDetail.InvoiceSection,
- "product": legacyUsageDetail.Product,
- "usage_start": startTime,
- "usage_end": endTime,
- "billing_period_start": legacyUsageDetail.BillingPeriodStartDate.ToTime(),
- "billing_period_end": legacyUsageDetail.BillingPeriodEndDate.ToTime(),
- "currency": legacyUsageDetail.BillingCurrency,
- "effective_price": legacyUsageDetail.EffectivePrice,
- "account_name": legacyUsageDetail.BillingAccountName,
- "account_id": legacyUsageDetail.BillingAccountID,
- "subscription_name": legacyUsageDetail.SubscriptionName,
- "unit_price": legacyUsageDetail.UnitPrice,
- "quantity": legacyUsageDetail.Quantity,
- }
- event.RootFields = common.MapStr{}
- event.RootFields.Put("cloud.provider", "azure")
- event.RootFields.Put("cloud.region", legacyUsageDetail.ResourceLocation)
- event.RootFields.Put("cloud.instance.name", legacyUsageDetail.ResourceName)
- event.RootFields.Put("cloud.instance.id", legacyUsageDetail.ResourceID)
- }
- if modernUsageDetail, err := ud.AsModernUsageDetail(); err == true {
- event.ModuleFields = common.MapStr{
- "resource": common.MapStr{
- "type": modernUsageDetail.ConsumedService,
- "group": modernUsageDetail.ResourceGroup,
- "name": modernUsageDetail.InstanceName,
- },
- "subscription_id": modernUsageDetail.SubscriptionGUID,
- }
- event.MetricSetFields = common.MapStr{
- "product": modernUsageDetail.Product,
- "usage_start": startTime,
- "usage_end": endTime,
- "billing_period_start": modernUsageDetail.BillingPeriodStartDate.ToTime(),
- "billing_period_end": modernUsageDetail.BillingPeriodEndDate.ToTime(),
- "currency": modernUsageDetail.BillingCurrencyCode,
- "account_id": modernUsageDetail.BillingAccountID,
- "billing_account_name": modernUsageDetail.BillingAccountName,
- "subscription_name": modernUsageDetail.SubscriptionName,
- "unit_price": modernUsageDetail.UnitPrice,
- }
- event.RootFields = common.MapStr{}
- event.RootFields.Put("cloud.provider", "azure")
- event.RootFields.Put("cloud.region", modernUsageDetail.ResourceLocation)
- }
- if _, err := ud.AsUsageDetail(); err == true {
- continue
+ "subscription_id": usageDetail.SubscriptionGUID,
+ },
+ MetricSetFields: common.MapStr{
+ "pretax_cost": usageDetail.PretaxCost,
+ "department_name": usageDetail.DepartmentName,
+ "product": usageDetail.Product,
+ "usage_start": usageDetail.UsageStart.ToTime(),
+ "usage_end": usageDetail.UsageEnd.ToTime(),
+ "currency": usageDetail.Currency,
+ "billing_period_id": usageDetail.BillingPeriodID,
+ "account_name": usageDetail.AccountName,
+ },
+ Timestamp: time.Now().UTC(),
}
+ event.RootFields = common.MapStr{}
+ event.RootFields.Put("cloud.provider", "azure")
+ event.RootFields.Put("cloud.region", usageDetail.InstanceLocation)
+ event.RootFields.Put("cloud.instance.name", usageDetail.InstanceName)
+ event.RootFields.Put("cloud.instance.id", usageDetail.InstanceID)
events = append(events, event)
}
}
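Review bot: `*usageDetail.InstanceID` in the `"group"` entry dereferences an SDK pointer field with no nil check, so a single usage record without an instance ID would panic the whole Fetch; every other entry in the same literal passes its pointer through unchanged and only this one dereferences. `usageDetail.UsageStart.ToTime()` and `UsageEnd.ToTime()` look like the same risk if those pointers are nil (ToTime appears to have a value receiver in go-autorest — confirm), so either guard them or note why the API guarantees them. A guarded form for the group lookup is below; EventsMapping continues past this hunk.
```go
// … unchanged: loop header …
group := ""
if usageDetail.InstanceID != nil {
	group = getResourceGroupFromId(*usageDetail.InstanceID)
}
event := mb.Event{
	ModuleFields: common.MapStr{
		"resource": common.MapStr{
			"type":  usageDetail.ConsumedService,
			"group": group,
// … unchanged: remaining fields …
```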
@@ -125,3 +92,14 @@ func EventsMapping(results Usage, startTime time.Time, endTime time.Time, subscr
}
return events
}
+
+// getResourceGroupFromId maps resource group from resource ID
+func getResourceGroupFromId(path string) string {
+ params := strings.Split(path, "/")
+ for i, param := range params {
+ if param == "resourceGroups" {
+ return fmt.Sprintf("%s", params[i+1])
+ }
+ }
+ return ""
+}
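Review bot: `params[i+1]` is indexed without a bounds check, so a path whose last segment is `resourceGroups` (or any trailing-slash variant that splits to it) panics instead of returning `""`; the `fmt.Sprintf("%s", ...)` wrapper on the same line is a no-op that exists only to justify the new `fmt` import in the import hunk. Suggest `if strings.EqualFold(param, "resourceGroups") && i+1 < len(params) {` and `return params[i+1]`, and drop `"fmt"` from the imports; EqualFold is hedged — Azure resource IDs are usually treated case-insensitively and sometimes carry a lowercase `resourcegroups` segment, worth confirming before relying on it. A comment on the function stating the expected input shape (`/subscriptions/<id>/resourceGroups/<name>/...`) would also help.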
diff --git a/x-pack/metricbeat/module/azure/billing/data_test.go b/x-pack/metricbeat/module/azure/billing/data_test.go
index 25490b33213..8d883d2862d 100644
--- a/x-pack/metricbeat/module/azure/billing/data_test.go
+++ b/x-pack/metricbeat/module/azure/billing/data_test.go
@@ -8,9 +8,9 @@ import (
"testing"
"time"
+ prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption"
+ consumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption"
"github.com/Azure/go-autorest/autorest/date"
-
- "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption"
"github.com/shopspring/decimal"
"github.com/stretchr/testify/assert"
)
@@ -18,7 +18,6 @@ import (
func TestEventMapping(t *testing.T) {
usageDate := "2020-08-08"
name := "test"
- billingAccountId := "123"
startDate := date.Time{}
var charge decimal.Decimal = decimal.NewFromFloat(8.123456)
@@ -38,19 +37,26 @@ func TestEventMapping(t *testing.T) {
ChargeType: "Actual",
ConfidenceLevels: nil,
}
- var pros = consumption.LegacyUsageDetailProperties{
- BillingAccountID: &billingAccountId,
- BillingAccountName: &name,
- BillingPeriodStartDate: &startDate,
- BillingPeriodEndDate: &startDate,
- Cost: &charge,
- InvoiceSection: &name,
- Product: &name,
- }
- var legacy = consumption.LegacyUsageDetail{
- LegacyUsageDetailProperties: &pros,
+ var prop1 = prevConsumption.UsageDetailProperties{
+ InstanceName: &name,
+ SubscriptionName: &name,
+ AccountName: &name,
+ DepartmentName: &name,
+ Product: &name,
+ InstanceID: &name,
+ UsageStart: &startDate,
+ UsageEnd: &startDate,
}
- var usage = Usage{UsageDetails: []consumption.BasicUsageDetail{legacy},
+ usage := Usage{
+ UsageDetails: []prevConsumption.UsageDetail{
+ {
+ UsageDetailProperties: &prop1,
+ ID: nil,
+ Name: nil,
+ Type: nil,
+ Tags: nil,
+ },
+ },
ActualCosts: []consumption.Forecast{
{
ForecastProperties: &prop2,
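Review bot: `InstanceID: &name` feeds the literal `test` into the new getResourceGroupFromId path, so the only behaviour this test exercises for the resource group is the empty-string fallback and the event assertions further down cannot catch a wrong segment. Use a constructed ID such as `/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1` and assert `resource.group == "rg1"`, and add a small table test for getResourceGroupFromId including an ID that ends in `resourceGroups` and one with no such segment. TestEventMapping starts and ends outside this hunk.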
@@ -58,17 +64,17 @@ func TestEventMapping(t *testing.T) {
Name: nil,
Type: nil,
Tags: nil,
- }}, ForecastCosts: []consumption.Forecast{
+ }},
+ ForecastCosts: []consumption.Forecast{
{
ForecastProperties: &prop,
ID: nil,
Name: nil,
Type: nil,
Tags: nil,
- }}}
- startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour)
- endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1))
- events := EventsMapping(usage, startTime, endTime, "sub")
+ }},
+ }
+ events := EventsMapping("sub", usage)
assert.Equal(t, len(events), 2)
for _, event := range events {
diff --git a/x-pack/metricbeat/module/azure/billing/mock_service.go b/x-pack/metricbeat/module/azure/billing/mock_service.go
index c91723aee12..2ab1d557855 100644
--- a/x-pack/metricbeat/module/azure/billing/mock_service.go
+++ b/x-pack/metricbeat/module/azure/billing/mock_service.go
@@ -11,6 +11,7 @@ import (
"github.com/elastic/beats/v7/libbeat/logp"
+ prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption"
"github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption"
)
@@ -35,19 +36,7 @@ func (service *MockService) GetForcast(filter string) (consumption.ForecastsList
}
// GetUsageDetails is a mock function for the billing service
-func (service *MockService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) {
+func (service *MockService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) {
args := service.Called(scope, expand, filter, skiptoken, top, apply)
- return args.Get(0).(consumption.UsageDetailsListResultPage), args.Error(1)
-}
-
-// GetMarketplaceUsage
-func (service *MockService) GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) {
- args := service.Called(scope, filter, skiptoken, top)
- return args.Get(0).(consumption.MarketplacesListResultPage), args.Error(1)
-}
-
-// GetCharges
-func (service *MockService) GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) {
- args := service.Called(scope, startDate, endDate, filter, apply)
- return args.Get(0).(consumption.ChargesListResult), args.Error(1)
+ return args.Get(0).(prevConsumption.UsageDetailsListResultPage), args.Error(1)
}
diff --git a/x-pack/metricbeat/module/azure/billing/service.go b/x-pack/metricbeat/module/azure/billing/service.go
index 7f7831130df..cb7d588a0f2 100644
--- a/x-pack/metricbeat/module/azure/billing/service.go
+++ b/x-pack/metricbeat/module/azure/billing/service.go
@@ -12,25 +12,23 @@ import (
"github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption"
"github.com/Azure/go-autorest/autorest/azure/auth"
+ prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption"
+
"github.com/elastic/beats/v7/libbeat/logp"
)
// Service interface for the azure monitor service and mock for testing
type Service interface {
GetForcast(filter string) (consumption.ForecastsListResult, error)
- GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error)
- GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error)
- GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error)
+ GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error)
}
// BillingService service wrapper to the azure sdk for go
type UsageService struct {
- forcastsClient *consumption.ForecastsClient
- usageClient *consumption.UsageDetailsClient
- marketplaceClient *consumption.MarketplacesClient
- chargesClient *consumption.ChargesClient
- context context.Context
- log *logp.Logger
+ usageDetailsClient *prevConsumption.UsageDetailsClient
+ forcastsClient *consumption.ForecastsClient
+ context context.Context
+ log *logp.Logger
}
// NewService instantiates the Azure monitoring service
@@ -43,21 +41,15 @@ func NewService(config azure.Config) (*UsageService, error) {
return nil, err
}
forcastsClient := consumption.NewForecastsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId)
- usageDetailsClient := consumption.NewUsageDetailsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId)
- // no data available for marketplace and charges apis but could be in the future
- marketplaceClient := consumption.NewMarketplacesClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId)
- chargesClient := consumption.NewChargesClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId)
+ usageDetailsClient := prevConsumption.NewUsageDetailsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId)
+
forcastsClient.Authorizer = authorizer
usageDetailsClient.Authorizer = authorizer
- marketplaceClient.Authorizer = authorizer
- chargesClient.Authorizer = authorizer
service := &UsageService{
- forcastsClient: &forcastsClient,
- usageClient: &usageDetailsClient,
- marketplaceClient: &marketplaceClient,
- chargesClient: &chargesClient,
- context: context.Background(),
- log: logp.NewLogger("azure billing service"),
+ usageDetailsClient: &usageDetailsClient,
+ forcastsClient: &forcastsClient,
+ context: context.Background(),
+ log: logp.NewLogger("azure billing service"),
}
return service, nil
}
@@ -68,16 +60,6 @@ func (service *UsageService) GetForcast(filter string) (consumption.ForecastsLis
}
// GetUsageDetails
-func (service *UsageService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) {
- return service.usageClient.List(service.context, scope, expand, filter, skiptoken, top, apply)
-}
-
-// GetMarketplaceUsage
-func (service *UsageService) GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) {
- return service.marketplaceClient.List(service.context, scope, filter, top, skiptoken)
-}
-
-// GetCharges
-func (service *UsageService) GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) {
- return service.chargesClient.List(service.context, scope, startDate, endDate, filter, apply)
+func (service *UsageService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) {
+ return service.usageDetailsClient.List(service.context, scope, expand, filter, skiptoken, top, apply)
}
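Review bot: The doc comment above the new GetUsageDetails is still the bare `// GetUsageDetails`, which says nothing about the OData arguments the caller now has to get right. Suggest `// GetUsageDetails lists usage details under scope for one page, passing expand, filter, skiptoken, top and apply through unchanged to the 2019-01-01 consumption UsageDetailsClient.` (the "one page" wording is inferred from the ListResultPage return type — adjust if callers are expected to iterate). The `// BillingService service wrapper` comment on the struct in the first hunk of this file no longer matches the type name `UsageService`, though that predates this change.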
diff --git a/x-pack/osquerybeat/osquerybeat.reference.yml b/x-pack/osquerybeat/osquerybeat.reference.yml
index 9e00e1efbbf..edb3adcfb1d 100644
--- a/x-pack/osquerybeat/osquerybeat.reference.yml
+++ b/x-pack/osquerybeat/osquerybeat.reference.yml
@@ -896,11 +896,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. osquerybeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Osquerybeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1085,6 +1080,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml
index 236087aae23..5f931ddde70 100644
--- a/x-pack/packetbeat/packetbeat.reference.yml
+++ b/x-pack/packetbeat/packetbeat.reference.yml
@@ -1878,11 +1878,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. packetbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Packetbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -2067,6 +2062,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml
index 7507fcc099c..093ac17761c 100644
--- a/x-pack/winlogbeat/module/powershell/_meta/fields.yml
+++ b/x-pack/winlogbeat/module/powershell/_meta/fields.yml
@@ -127,6 +127,14 @@
- name: script_block_text
type: text
+ analyzer:
+ winlogbeat_powershell_script_analyzer:
+ type: pattern
+ pattern: "[\\W&&[^-]]+"
+ search_analyzer:
+ winlogbeat_powershell_script_analyzer:
+ type: pattern
+ pattern: "[\\W&&[^-]]+"
description: >
Text of the executed script block.
example: ".\\a_script.ps1"
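Review bot: The pattern `[\\W&&[^-]]+` is doing deliberate work — it splits on runs of non-word characters but keeps `-` attached, so PowerShell switches such as `-NoProfile` survive as single tokens — and nothing in the field definition records that intent. Suggest a comment above `analyzer:`: `# Split on non-word characters except '-', so parameter switches (e.g. -NoProfile) stay one searchable token.` Since `search_analyzer` repeats the `analyzer` definition verbatim, Elasticsearch would use the index analyzer for search by default and the duplicate could likely be dropped, unless the Beats fields.yml generator requires both — worth checking.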
diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go
index 16bb78e0a37..8ca3a28ece4 100644
--- a/x-pack/winlogbeat/module/powershell/fields.go
+++ b/x-pack/winlogbeat/module/powershell/fields.go
@@ -19,5 +19,5 @@ func init() {
// AssetPowershell returns asset data.
// This is the base64 encoded zlib format compressed contents of module/powershell.
func AssetPowershell() string {
- return "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"
+ return "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"
}
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index 76ef1f0b21e..39739db1479 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -1595,6 +1595,32 @@ var security = (function () {
[0x00010000, 'Delete']
];
+ // https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks
+ var accessMaskDescriptions = [
+ [0x00000001, 'Create Child'],
+ [0x00000002, 'Delete Child'],
+ [0x00000004, 'List Contents'],
+ [0x00000008, 'SELF'],
+ [0x00000010, 'Read Property'],
+ [0x00000020, 'Write Property'],
+ [0x00000040, 'Delete Treee'],
+ [0x00000080, 'List Object'],
+ [0x00000100, 'Control Access'],
+ [0x00010000, 'DELETE'],
+ [0x00020000, 'READ_CONTROL'],
+ [0x00040000, 'WRITE_DAC'],
+ [0x00080000, 'WRITE_OWNER'],
+ [0x00100000, 'SYNCHRONIZE'],
+ [0x00F00000, 'STANDARD_RIGHTS_REQUIRED'],
+ [0x001F0000, 'STANDARD_RIGHTS_ALL'],
+ [0x0000FFFF, 'SPECIFIC_RIGHTS_ALL'],
+ [0x01000000, 'ADS_RIGHT_ACCESS_SYSTEM_SECURITY'],
+ [0x10000000, 'ADS_RIGHT_GENERIC_ALL'],
+ [0x20000000, 'ADS_RIGHT_GENERIC_EXECUTE'],
+ [0x40000000, 'ADS_RIGHT_GENERIC_WRITE'],
+ [0x80000000, 'ADS_RIGHT_GENERIC_READ']
+ ];
+
// lookupMessageCode returns the string associated with the code. key should
// be the name of the field in evt containing the code (e.g. %%2313).
var lookupMessageCode = function (evt, key) {
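Review bot: The `STANDARD_RIGHTS_REQUIRED` entry is listed as `0x00F00000`, but the four standard rights directly above it (`DELETE` 0x10000, `READ_CONTROL` 0x20000, `WRITE_DAC` 0x40000, `WRITE_OWNER` 0x80000) OR to `0x000F0000`, and `STANDARD_RIGHTS_ALL` on the next line is `0x001F0000`, so the value is off by a nibble and will never match a real mask; change it to `[0x000F0000, 'STANDARD_RIGHTS_REQUIRED'],`. `'Delete Treee'` is a typo for `'Delete Tree'`. It may also be worth a comment that the composite entries (`STANDARD_RIGHTS_ALL`, `SPECIFIC_RIGHTS_ALL`) are reported only when every bit of the composite is present, since that is a consequence of how translateAccessMask compares them.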
@@ -1844,6 +1870,22 @@ var security = (function () {
}
};
+ var translateAccessMask = function(mask) {
+ if (!mask) {
+ return;
+ }
+ var accessCode = parseInt(mask);
+ var accessResult = [];
+ for (var i = 0; i < accessMaskDescriptions.length; i++) {
+ if ((accessCode | accessMaskDescriptions[i][0]) === accessCode) {
+ accessResult.push(accessMaskDescriptions[i][1]);
+ }
+ }
+ if (accessResult) {
+ return accessResult;
+ }
+ };
+
var addSessionData = new processor.Chain()
.Convert({
fields: [
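Review bot: `(accessCode | bit) === accessCode` breaks for any mask with bit 31 set: `|` coerces both sides to signed int32, so for `parseInt("0x80000000")` (2147483648) the left side is -2147483648 and no entry in the table — not even `ADS_RIGHT_GENERIC_READ` — ever matches. Normalise to unsigned on both sides: `var accessCode = parseInt(mask) >>> 0;` and `if (((accessCode | accessMaskDescriptions[i][0]) >>> 0) === accessCode) {`. The trailing `if (accessResult)` is always true for an array, so the function can simply `return accessResult;` and the caller's `!accessDescriptions` check becomes the only guard needed.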
@@ -2389,22 +2431,44 @@ var security = (function () {
evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
})
.Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
+ var accessMask = evt.Get("winlog.event_data.AccessMask");
+ if (!accessMask) {
return;
}
- var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
- evt.Put("winlog.event_data.AccessMask", maskList);
- var maskResults = [];
- for (var j = 0; j < maskList.length; j++) {
- var description = msobjsMessageTable[maskList[j]];
- if (description === undefined) {
- return;
+ var accessDescriptions = translateAccessMask(accessMask);
+ if (!accessDescriptions) {
+ return;
+ }
+ if (accessDescriptions.length > 0) {
+ evt.Put("winlog.event_data.AccessMaskDescription", accessDescriptions);
+ }
+ })
+ .Add(function(evt){
+ var listNames = ["AccessList", "AccessMask"]
+ for (var i = 0; i < listNames.length; i++) {
+ var listContents = evt.Get("winlog.event_data." + listNames[i])
+ if (!listContents) {
+ continue;
}
- maskResults.push(description);
+ var listDescription = evt.Get("winlog.event_data." + listNames[i] + "Description")
+ if (listDescription) {
+ continue;
+ }
+
+ var items = listContents.replace(/\s+/g, '').split("%%").filter(String);
+ evt.Put("winlog.event_data." + listNames[i], items)
+ var results = [];
+ for (var j = 0; j < items.length; j++) {
+ var description = msobjsMessageTable[items[j]];
+ if (description === undefined) {
+ continue;
+ }
+ results.push(description);
+ }
+ evt.Put("winlog.event_data." + listNames[i] + "Description", results);
}
- evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
})
+
.Build();
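Review bot: A numeric AccessMask for which translateAccessMask yields no descriptions (an unknown-bits or NaN value) is not stored under `AccessMaskDescription`, so the following processor still treats it as a `%%` list, splits it and rewrites `winlog.event_data.AccessMask` as a one-element array, while masks that did translate keep their string form — the field type now depends on the table contents; consider `if (listContents.indexOf("%%") === -1) { continue; }` before the split. Three of the new statements (`var listNames = ...`, `var listContents = ...`, `evt.Put(... , items)`) lack the terminating semicolon used everywhere else in this chain, and the blank line before `.Build()` breaks the existing layout. The processor chain this belongs to starts outside the hunk.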
var trustDomainMgmtEvts = new processor.Chain()
diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml
index 17a5016f02d..5d06be1566a 100644
--- a/x-pack/winlogbeat/winlogbeat.reference.yml
+++ b/x-pack/winlogbeat/winlogbeat.reference.yml
@@ -1349,11 +1349,6 @@ logging.files:
# file. Defaults to true.
# rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. winlogbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
# ============================= X-Pack Monitoring ==============================
# Winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1538,6 +1533,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
# ============================== Process Security ==============================
# Enable or disable seccomp system call filtering on Linux. Default is enabled.