diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml index 29dc703c515..e9a26c87a0d 100644 --- a/.ci/jobs/beats.yml +++ b/.ci/jobs/beats.yml @@ -17,7 +17,7 @@ discover-pr-forks-strategy: 'merge-current' discover-pr-forks-trust: 'permission' discover-pr-origin: 'merge-current' - head-filter-regex: '(master|6\.[89]|7\.[x789]|7\.1\d|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' + head-filter-regex: '(master|6\.[89]|7\.16|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' discover-tags: true notification-context: "beats-ci" repo: 'beats' diff --git a/.ci/schedule-daily.groovy b/.ci/schedule-daily.groovy index adad76cbd76..2211dec4c49 100644 --- a/.ci/schedule-daily.groovy +++ b/.ci/schedule-daily.groovy @@ -21,8 +21,11 @@ pipeline { stage('Nighly beats builds') { steps { runBuild(quietPeriod: 0, job: 'Beats/beats/master') - runBuild(quietPeriod: 2000, job: 'Beats/beats/7.16') - runBuild(quietPeriod: 4000, job: 'Beats/beats/7.15') + // This should be `current_8` bump.getCurrentMinorReleaseFor8 + runBuild(quietPeriod: 2000, job: 'Beats/beats/8.0') + // This should be `current_7` bump.getCurrentMinorReleaseFor7 or + // `next_minor_7` bump.getNextMinorReleaseFor7 + runBuild(quietPeriod: 4000, job: 'Beats/beats/7.16') } } } diff --git a/.ci/schedule-weekly.groovy b/.ci/schedule-weekly.groovy index 74293ab7b9f..c2d96964575 100644 --- a/.ci/schedule-weekly.groovy +++ b/.ci/schedule-weekly.groovy @@ -21,8 +21,11 @@ pipeline { stage('Weekly beats builds') { steps { runBuild(quietPeriod: 0, job: 'Beats/beats/master') - runBuild(quietPeriod: 1000, job: 'Beats/beats/7.16') - runBuild(quietPeriod: 2000, job: 'Beats/beats/7.15') + // This should be `current_8` bump.getCurrentMinorReleaseFor8 + runBuild(quietPeriod: 1000, job: 'Beats/beats/8.0') + // This should be `current_7` bump.getCurrentMinorReleaseFor7 or + // `next_minor_7` bump.getNextMinorReleaseFor7 + runBuild(quietPeriod: 2000, job: 'Beats/beats/7.16') } } } diff --git a/.mergify.yml b/.mergify.yml index c438000f415..15ef4cd538a 100644 --- a/.mergify.yml 
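Review bot: The comments added above the `runBuild` calls in schedule-daily.groovy (and the identical ones in schedule-weekly.groovy) say what the branch argument should be derived from but leave `'Beats/beats/8.0'` and `'Beats/beats/7.16'` hard-coded, so the next release bump again means editing both files by hand. If `bump.getCurrentMinorReleaseFor8` and the 7.x helpers are available from the shared library, the hunk could pass their result as `job:` instead; if they are not yet available, mark the comments as tracked follow-ups, e.g. `// TODO: replace with bump.getCurrentMinorReleaseFor8() once the helper exists`. The enclosing `pipeline` block starts and ends outside these hunks.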
+++ b/.mergify.yml @@ -101,10 +101,24 @@ pull_request_rules: - files~=^\.mergify\.yml$ actions: delete_head_branch: + - name: notify the backport has not been merged yet + conditions: + - -merged + - -closed + - author=mergify[bot] + - "#check-success>0" + - schedule=Mon-Mon 06:00-10:00[Europe/Paris] + - "#assignee>=1" + actions: + comment: + message: | + This pull request has not been merged yet. Could you please review and merge it @{{ assignee | join(', @') }}? 🙏 - name: notify the backport policy conditions: - -label~=^backport - base=master + - -merged + - -closed actions: comment: message: | @@ -120,6 +134,8 @@ pull_request_rules: - name: remove-backport label conditions: - label~=backport-v + - -merged + - -closed actions: label: remove: diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index fc952f28646..8f0348c51b1 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -3,6 +3,11 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-8.0.0-beta1]] +=== Beats version 8.0.0-beta1 + +Changes will be described in a later RC / GA. + [[release-notes-8.0.0-alpha2]] === Beats version 8.0.0-alpha2 
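Review bot: The new `notify the backport has not been merged yet` rule gates on `"#check-success>0"`, which is satisfied by a single passing check even when other checks on the backport have failed, so the reminder can ping assignees on a PR that is not actually mergeable. Consider adding `- "#check-failure=0"` next to it (or a named `check-success=<required check>`), so the nag only fires for green backports. It is also worth confirming that `schedule=Mon-Mon 06:00-10:00[Europe/Paris]` is evaluated as every day of the week rather than Monday only, since the intent is not stated in the hunk. The `pull_request_rules` list continues outside the hunk.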
@@ -12,6 +17,37 @@ Changes will be described in a later alpha / beta. === Beats version 8.0.0-alpha1 Changes will be described in a later alpha / beta. +[[release-notes-7.15.2]] +=== Beats version 7.15.2 +https://github.com/elastic/beats/compare/v7.15.1...v7.15.2[View commits] + +==== Bugfixes + +*Affecting all Beats* + +- Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901] +- Fix handling of float data types within processors. {issue}28279[28279] {pull}28280[28280] +- Allow `clone3` syscall in seccomp filters. {pull}28117[28117] +- Remove unnecessary escaping step in dashboard loading, so they can be displayed in Kibana. {pull}28395[28395] +- Fix AWS proxy_url config from url to string type. {pull}28725[28725] +- Fix `fingerprint` processor to give it access to the `@timestamp` field. {issue}28683[28683] + +*Filebeat* + +- Fix initialization of http client in Cloudfoundry input. {issue}28271[28271] {pull}28277[28277] +- Fix aws-s3 input by checking if GetObject API call response content type exists. {pull}28457[28457] +- Set `url` as a pointer in the `httpjson` template context to ensure access to all methods. {pull}28695[28695] +- Fix `google_workspace` documentation links. {pull}28657[28657] + +*Metricbeat* + +- Divide RDS metric cpu.total.pct by 100. {pull}28456[28456] + +*Packetbeat* + +- Handle truncated DNS records more gracefully. {issue}21495[21495] {pull}28297[28297] +- Fix data stream name for network flows when running under Elastic Agent and Fleet. {pull}28408[28408] + [[release-notes-7.15.1]] === Beats version 7.15.1 https://github.com/elastic/beats/compare/v7.15.0...v7.15.1[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b0b60113c7c..f97755a0e02 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -27,6 +27,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - add_process_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`. {pull}28620[28620] - add_docker_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`. {pull}28620[28620] - Index template's default_fields setting is only populated with ECS fields. {pull}28596[28596] {issue}28215[28215] +- Remove options `logging.files.suffix` and default to datetime endings. {pull}28927[28927] *Auditbeat* @@ -37,6 +38,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix handling of long file names on Windows. {issue}25334[25334] {pull}28517[28517] - System/socket dataset: Fix uninstallation of return kprobes. {issue}28608[28608] {pull}28609[28609] - Replace usage of deprecated `process.ppid` field with `process.parent.pid`. {pull}28620[28620] +- Fix auditbeat tracing struct decoding. {pull}28580[28580] *Filebeat* @@ -61,6 +63,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - All modules: Replace usages of deprecated ECS fields `process.ppid` and `log.original` with `process.parent.pid` and `event.original`. {pull}28620[28620] - Replace usages of `host.user.*` fields with `user.*` in `cisco`, `microsoft` and `oracle` modules. {pull}28620[28620] - Remove `docker` input. Please use `filestream` input with `container` parser or `container` input. {pull}28817[28817] +- Change `threatintel` module to use new `threat.*` ECS fields. {pull}29014[29014] +- `filestream` and `log` inputs accept null (`\u0000`) as line terminator. {pull}28998[28998] *Heartbeat* 
@@ -134,15 +138,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Output errors when Kibana index pattern setup fails. {pull}20121[20121] - Fix issue in autodiscover that kept inputs stopped after config updates. {pull}20305[20305] - Add service resource in k8s cluster role. {pull}20546[20546] -- Fixed documentation for commands in beats dev guide {pull}22194[22194] - Periodic metrics in logs will now report `libbeat.output.events.active` and `beat.memstats.rss` -- Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901] -- Fix handling of float data types within processors. {issue}28279[28279] {pull}28280[28280] -- Allow `clone3` syscall in seccomp filters. {pull}28117[28117] -- Remove unnecessary escaping step in dashboard loading, so they can be displayed in Kibana. {pull}28395[28395] - Allows disable pod events enrichment with deployment name {pull}28521[28521] -- Fix AWS proxy_url config from url to string type. {pull}28725[28725] - Fix `fingerprint` processor to give it access to the `@timestamp` field. {issue}28683[28683] +- Fix the wrong beat name on monitoring and state endpoint {issue}27755[27755] *Auditbeat* 
@@ -184,10 +183,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for username in cisco asa security negotiation logs {pull}26975[26975] - Relax time parsing and capture group and session type in Cisco ASA module {issue}24710[24710] {pull}28325[28325] - Correctly track bytes read when max_bytes is exceeded. {issue}28317[28317] {pull}28352[28352] -- Fix initialization of http client in Cloudfoundry input. {issue}28271[28271] {pull}28277[28277] -- Fix aws-s3 input by checking if GetObject API call response content type exists. {pull}28457[28457] -- Set `url` as a pointer in the `httpjson` template context to ensure access to all methods. {pull}28695[28695] -- Fix `google_workspace` documentation links. {pull}28657[28657] +- Upgrade azure-eventhub sdk reference, contains potential checkpoint fixes. {pull}28919[28919] +- Revert usageDetails api version to 2019-01-01. {pull}28995[28995] +- Fix in `aws-s3` input regarding provider discovery through endpoint {pull}28963[28963] +- Fix `threatintel.misp` filters configuration. {issue}27970[27970] *Heartbeat* @@ -195,6 +194,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Log browser `zip_url` download failures as `warn` instead of as `info`. {pull}28440[28440] - Properly locate base stream in fleet configs. {pull}28455[28455] - Stop logging params values. {pull}28774[28774] +- Remove accidentally included cups library in docker images. {pull}28853[pull] +- Fix broken monitors with newer versions of image relying on dup3. {pull}28938[pull] *Journalbeat* 
@@ -230,19 +231,19 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Groups same timestamp metric values to one event in the app_insights metricset. {pull}20403[20403] - `beat` module respects `basepath` config option. {pull}28162[28162] - Fix list_docker.go {pull}28374[28374] -- Divide RDS metric cpu.total.pct by 100. {pull}28456[28456] - Use xpack.enabled on SM modules to write into .monitoring indices when using Metricbeat standalone {pull}28365[28365] +- Fix in rename processor to ingest metrics for `write.iops` to proper field instead of `write_iops` in rds metricset. {pull}28960[28960] *Packetbeat* -- Handle truncated DNS records more gracefully. {issue}21495[21495] {pull}28297[28297] -- Fix data stream name for network flows when running under Elastic Agent and Fleet. {pull}28408[28408] *Winlogbeat* - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191] - Add ECS 1.9 new users fields {pull}26509[26509] +- Don't split hyphenated tokens {pull}28483[28483] +- Correctly handle AccessMask if it is an integer or list of masks. {pull}29016[29016] *Functionbeat* @@ -282,6 +283,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update kubernetes scheduler and controllermanager endpoints in elastic-agent-standalone-kubernetes.yaml with secure ports {pull}28675[28675] - Add options to configure k8s client qps/burst. {pull}28151[28151] - Update to ECS 8.0 fields. {pull}28620[28620] +- Add http.pprof.enabled option to libbeat to allow http/pprof endpoints on the socket that libbeat creates for metrics. {issue}21965[21965] +- Support custom analyzers in fields.yml. {issue}28540[28540] {pull}28926[28926] *Auditbeat* 
@@ -335,6 +338,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update `aws-s3` input to connect to non AWS S3 buckets {issue}28222[28222] {pull}28234[28234] - Sophos UTM: Support logs containing hostname in syslog header. {pull}28638[28638] - Moving Oracle Filebeat module to GA. {pull}28754[28754] +- Add support for '/var/log/pods/' path for add_kubernetes_metadata processor with `resource_type: pod`. {pull}28868[28868] +- Add documentation for add_kubernetes_metadata processors `log_path` matcher. {pull}28868[28868] +- Add support in aws-s3 input for s3 notification from SNS to SQS. {pull}28800[28800] +- Add support in aws-s3 input for custom script parsing of s3 notifications. {pull}28946[28946] +- Improve error handling in aws-s3 input for malformed s3 notifications. {issue}28828[28828] {pull}28946[28946] *Heartbeat* @@ -359,6 +367,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added a new beta `enterprisesearch` module for Elastic Enterprise Search {pull}27549[27549] - Preliminary AIX support {pull}27954[27954] - Register additional name for `storage` metricset in the azure module. {pull}28447[28447] +- Update reference to gosigar pacakge for filesystem windows fix. {pull}28909[28909] *Packetbeat* diff --git a/Jenkinsfile b/Jenkinsfile index 4b809935de4..35ae38cb840 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -836,7 +836,7 @@ def archiveTestOutput(Map args = [:]) { def fileName = 'build/system-tests-*.tar.gz' // see dev-tools/mage/target/common/package.go#PackageSystemTests method def files = findFiles(glob: "${fileName}") - if (files?.length() > 0) { + if (files?.length > 0) { googleStorageUploadExt( bucket: "gs://${JOB_GCS_BUCKET}/${env.JOB_NAME}-${env.BUILD_ID}", credentialsId: "${JOB_GCS_EXT_CREDENTIALS}", diff --git a/NOTICE.txt b/NOTICE.txt index 89473d4b95f..e4d0e19c26c 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -832,11 +832,11 @@ Contents of probable licence file $GOMODCACHE/code.cloudfoundry.org/go-loggregat -------------------------------------------------------------------------------- Dependency : github.com/Azure/azure-event-hubs-go/v3 -Version: v3.1.2 +Version: v3.3.15 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.1.2/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.3.15/LICENSE: MIT License @@ -863,15 +863,15 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs -------------------------------------------------------------------------------- Dependency : github.com/Azure/azure-sdk-for-go -Version: v57.0.0+incompatible +Version: v59.0.0+incompatible Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v57.0.0+incompatible/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v59.0.0+incompatible/LICENSE.txt: The MIT License (MIT) -Copyright (c) 2021 Microsoft +Copyright (c) Microsoft Corporation. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -891,6 +891,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + -------------------------------------------------------------------------------- Dependency : github.com/Azure/azure-storage-blob-go Version: v0.8.0 
@@ -8065,11 +8066,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-windows@v1.0 -------------------------------------------------------------------------------- Dependency : github.com/elastic/gosigar -Version: v0.14.1 +Version: v0.14.2 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.1/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.2/LICENSE: Apache License Version 2.0, January 2004 @@ -20039,11 +20040,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : github.com/Azure/azure-amqp-common-go/v3 -Version: v3.0.0 +Version: v3.2.1 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-amqp-common-go/v3@v3.0.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-amqp-common-go/v3@v3.2.1/LICENSE: MIT License 
@@ -20100,15 +20101,16 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-pipeline-g -------------------------------------------------------------------------------- Dependency : github.com/Azure/go-amqp -Version: v0.12.6 +Version: v0.16.0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-amqp@v0.12.6/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-amqp@v0.16.0/LICENSE: MIT License - Copyright (c) Microsoft Corporation. + Copyright (C) 2017 Kale Blankenship + Portions Copyright (C) Microsoft Corporation Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 35cba184321..32d411d74ac 100644 --- a/README.md +++ b/README.md @@ -74,14 +74,6 @@ create your own Beat. Please start by reading our [CONTRIBUTING](CONTRIBUTING.md) file. -If you are creating a new Beat, you don't need to submit the code to this -repository. You can simply start working in a new repository and make use of the -libbeat packages, by following our [developer -guide](https://www.elastic.co/guide/en/beats/libbeat/current/new-beat.html). -After you have a working prototype, open a pull request to add your Beat to the -list of [community -Beats](https://github.com/elastic/beats/blob/master/libbeat/docs/communitybeats.asciidoc). - ## Building Beats from the Source See our [CONTRIBUTING](CONTRIBUTING.md) file for information about setting up diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 274935e571a..24bfac14414 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml 
@@ -1383,11 +1383,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. auditbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Auditbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -1572,6 +1567,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index c2f87784063..b2349310abc 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go 
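Review bot: The comment added with `#http.pprof.enabled: false` warns that the endpoints "may leak data" but does not say which setting decides where they are reachable, so a reader enabling it has no pointer to the bind address. Since the pprof handlers are served on the same socket as the metrics endpoint, tie the advice to the existing bind option, e.g. `# Only enable this while http.host is bound to localhost: the pprof endpoints expose goroutine stacks, allocation sites and the process command line.` The same wording presumably ends up in the other Beats' reference files generated from the shared template, so they should be kept in sync.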
@@ -134,16 +134,37 @@ func CrossBuild(options ...CrossBuildOption) error { opt(¶ms) } - // Docker is required for this target. - if err := HaveDocker(); err != nil { - return err - } - if len(params.Platforms) == 0 { log.Printf("Skipping cross-build of target=%v because platforms list is empty.", params.Target) return nil } + // AIX can't really be crossbuilt, due to cgo and various compiler shortcomings. + // If we have a singular AIX platform set, revert to a native build toolchain + if runtime.GOOS == "aix" { + for _, platform := range params.Platforms { + if platform.GOOS() == "aix" { + if len(params.Platforms) != 1 { + return errors.New("AIX cannot be crossbuilt with other platforms. Set PLATFORMS='aix/ppc64'") + } else { + // This is basically a short-out so we can attempt to build on AIX in a relatively generic way + log.Printf("Target is building for AIX, skipping normal crossbuild process") + args := DefaultBuildArgs() + args.OutputDir = filepath.Join("build", "golang-crossbuild") + args.Name += "-" + Platform.GOOS + "-" + Platform.Arch + return Build(args) + } + } + } + // If we're here, something isn't set. + return errors.New("Cannot crossbuild on AIX. Either run `mage build` or set PLATFORMS='aix/ppc64'") + } + + // Docker is required for this target. + if err := HaveDocker(); err != nil { + return err + } + if CrossBuildMountModcache { // Make sure the module dependencies are downloaded on the host, // as they will be mounted into the container read-only. diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go index c2c454c873d..1fc5fe79e50 100644 --- a/dev-tools/mage/pkgtypes.go +++ b/dev-tools/mage/pkgtypes.go @@ -176,6 +176,11 @@ var OSArchNames = map[string]map[PackageType]map[string]string{ "arm64": "arm64", }, }, + "aix": map[PackageType]map[string]string{ + TarGz: map[string]string{ + "ppc64": "ppc64", + }, + }, } // getOSArchName returns the architecture name to use in a package. 
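Review bot: Inside the new `for _, platform := range params.Platforms` loop the build name is derived from the package-level `Platform.GOOS` / `Platform.Arch` (the host) rather than the loop's `platform`, so the loop only acts as a membership test and the mismatch reads like a bug even though host and target coincide on AIX; the `else` after `return` is also unnecessary, and Go convention is lower-case error strings. The two error cases collapse into one guard, which makes the intent (exactly one platform, and it must be aix) explicit. `CrossBuild` continues outside the hunk.
```go
	// AIX can't really be crossbuilt, due to cgo and various compiler shortcomings.
	// If the only requested platform is AIX, fall back to the native toolchain.
	if runtime.GOOS == "aix" {
		if len(params.Platforms) != 1 || params.Platforms[0].GOOS() != "aix" {
			return errors.New("cannot crossbuild on AIX: either run `mage build` or set PLATFORMS='aix/ppc64'")
		}
		log.Printf("Target is building for AIX, skipping normal crossbuild process")
		args := DefaultBuildArgs()
		args.OutputDir = filepath.Join("build", "golang-crossbuild")
		// Host == target here (runtime.GOOS is aix and the single platform is aix),
		// so the host Platform attributes name the output correctly.
		args.Name += "-" + Platform.GOOS + "-" + Platform.Arch
		return Build(args)
	}
	// … unchanged: HaveDocker check and modcache handling …
```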
diff --git a/dev-tools/mage/platforms.go b/dev-tools/mage/platforms.go index 4be617ada83..f583ed6d02d 100644 --- a/dev-tools/mage/platforms.go +++ b/dev-tools/mage/platforms.go @@ -27,6 +27,7 @@ import ( // BuildPlatforms is a list of GOOS/GOARCH pairs supported by Go. // The list originated from 'go tool dist list -json'. var BuildPlatforms = BuildPlatformList{ + {"aix/ppc64", CGOSupported}, {"android/386", CGOSupported}, {"android/amd64", CGOSupported}, {"android/arm", CGOSupported}, @@ -256,7 +257,6 @@ func (list BuildPlatformList) Remove(name string) BuildPlatformList { // Select returns a new list containing the platforms that match name. func (list BuildPlatformList) Select(name string) BuildPlatformList { attrs := BuildPlatform{Name: name}.Attributes() - if attrs.Arch == "" { // Filter by GOOS only. return list.filter(func(bp BuildPlatform) bool { @@ -353,8 +353,11 @@ func NewPlatformList(expr string) BuildPlatformList { var out BuildPlatformList if len(pe.Add) == 0 || (len(pe.Select) == 0 && len(pe.Remove) == 0) { - // Bootstrap list with default platforms when the expression is + // Bootstrap list with platforms when the expression is // exclusively adds OR exclusively selects and removes. + out = BuildPlatforms + } + if len(pe.Remove) > 0 || len(pe.Add) > 0 { out = BuildPlatforms.Defaults() } @@ -375,7 +378,6 @@ func NewPlatformList(expr string) BuildPlatformList { } out = selected } - for _, name := range pe.Remove { if name == "defaults" { for _, defaultBP := range all.Defaults() { diff --git a/dev-tools/mage/pytest.go b/dev-tools/mage/pytest.go index fa0e57dc3bc..d4b8dd3fcee 100644 --- a/dev-tools/mage/pytest.go +++ b/dev-tools/mage/pytest.go 
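Review bot: In the `@@ -353` hunk of `NewPlatformList` the two consecutive `if` statements overlap: whenever the second one fires (`len(pe.Remove) > 0 || len(pe.Add) > 0`) it overwrites the `out = BuildPlatforms` assignment made by the first, so the first assignment only survives for a select-only or empty expression, and the retained comment ("exclusively adds OR exclusively selects and removes") no longer describes what the code does. This also looks like a behaviour change for an expression with both adds and selects, which previously started from an empty list and now starts from `Defaults()`; if that is intended it should be stated. Suggest writing it as one `if`/`else` and updating the comment, e.g. `if len(pe.Add) > 0 || len(pe.Remove) > 0 { out = BuildPlatforms.Defaults() } else { out = BuildPlatforms }` with a comment `// adds/removes start from the defaults; a bare select (or empty expr) starts from all platforms`. The function continues outside the hunk.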
@@ -41,7 +41,8 @@ import ( // to point to somewhere on C:\. const ( - libbeatRequirements = "{{ elastic_beats_dir}}/libbeat/tests/system/requirements.txt" + libbeatRequirements = "{{ elastic_beats_dir}}/libbeat/tests/system/requirements.txt" + aixLibbeatRequirements = "{{ elastic_beats_dir}}/libbeat/tests/system/requirements_aix.txt" ) var ( @@ -199,11 +200,12 @@ func PythonVirtualenv() (string, error) { pythonVirtualenvLock.Lock() defer pythonVirtualenvLock.Unlock() - // When upgrading pip we might run into an error with the cryptography package - // (pip dependency) will not compile if no recent rust development environment is available. - // We set `CRYPTOGRAPHY_DONT_BUILD_RUST=1`, to disable the need for python. - // See: https://github.com/pyca/cryptography/issues/5771 - os.Setenv("CRYPTOGRAPHY_DONT_BUILD_RUST", "1") + // Certain docker requirements simply won't build on AIX + // Skipping them here will obviously break the components that require docker-compose, + // But at least the components that don't require it will still run + if runtime.GOOS == "aix" { + VirtualenvReqs[0] = aixLibbeatRequirements + } // Determine the location of the virtualenv. ve, err := pythonVirtualenvPath() diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 938075fbb81..4978d4ffb4d 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -712,6 +712,11 @@ specs: spec: <<: *docker_spec + - os: aix + types: [tgz] + spec: + <<: *binary_spec + # Elastic Beat with Apache License (OSS) and binary taken the current # directory. elastic_beat_oss: @@ -758,6 +763,13 @@ specs: <<: *apache_license_for_binaries name: '{{.BeatName}}-oss' + - os: aix + types: [tgz] + spec: + <<: *binary_spec + <<: *apache_license_for_binaries + name: '{{.BeatName}}-oss' + # Elastic Beat with Elastic License and binary taken the current directory. elastic_beat_xpack: ### 
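Review bot: `VirtualenvReqs[0] = aixLibbeatRequirements` in `PythonVirtualenv` assumes the libbeat requirements file is always the first element of the package-level slice, which nothing in the hunk guarantees and which silently breaks if a caller prepends its own requirements; matching on the value is robust and reads as intended. The hunk also drops the `CRYPTOGRAPHY_DONT_BUILD_RUST=1` export, which is unrelated to AIX; if that is deliberate (the cryptography wheel no longer needs it) the commit message should say so, otherwise keep it. `PythonVirtualenv` continues outside the hunk.
```go
	// Certain docker requirements simply won't build on AIX. Swapping the libbeat
	// requirements file breaks the components that need docker-compose, but lets
	// everything else run.
	if runtime.GOOS == "aix" {
		for i, req := range VirtualenvReqs {
			if req == libbeatRequirements {
				VirtualenvReqs[i] = aixLibbeatRequirements
			}
		}
	}
	// … unchanged: virtualenv path resolution …
```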
@@ -827,6 +839,12 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries + - os: aix + types: [tgz] + spec: + <<: *binary_spec + <<: *elastic_license_for_binaries + # Elastic Beat with Elastic License and binary taken the current directory. elastic_beat_xpack_reduced: ### @@ -850,6 +868,12 @@ specs: <<: *binary_spec <<: *elastic_license_for_binaries + - os: aix + types: [tgz] + spec: + <<: *binary_spec + <<: *elastic_license_for_binaries + # Elastic Beat with Elastic License and binary taken from the x-pack dir. elastic_beat_xpack_separate_binaries: ### @@ -947,6 +971,15 @@ specs: '{{.BeatName}}{{.BinaryExt}}': source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + - os: aix + types: [tgz] + spec: + <<: *binary_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + # Elastic Beat with Elastic License and binary taken from the x-pack dir. elastic_beat_agent_binaries: ### @@ -1105,6 +1138,17 @@ specs: '{{.BeatName}}{{.BinaryExt}}': source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + - os: aix + types: [tgz] + spec: + <<: *agent_binary_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true + mode: 0755 + # Elastic Beat with Elastic License and binary taken from the x-pack dir. elastic_beat_agent_demo_binaries: 
@@ -1130,3 +1174,12 @@ specs: files: '{{.BeatName}}{{.BinaryExt}}': source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + + - os: aix + types: [tgz] + spec: + <<: *agent_binary_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} \ No newline at end of file diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 614062c3f02..38f7934a9d7 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -57,8 +57,8 @@ RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \ {{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }} RUN for iter in {1..10}; do \ - yum -y install atk cups gtk gdk xrandr pango libXcomposite libXcursor libXdamage \ - libXext libXi libXtst cups-libs libXScrnSaver libXrandr GConf2 \ + yum -y install atk gtk gdk xrandr pango libXcomposite libXcursor libXdamage \ + libXext libXi libXtst libXScrnSaver libXrandr GConf2 \ alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \ xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \ yum clean all && \ diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl index ae3e4cf9100..91a636f50b0 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl 
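Review bot: The last `- os: aix` entry added to `elastic_beat_agent_demo_binaries` leaves the file without a trailing newline (`\ No newline at end of file`), which will show up as churn in the next edit and trips some YAML linters; end the file with a newline. The five new aix entries across this file all repeat the same `types: [tgz]` / `<<: *binary_spec` (or `*agent_binary_spec`) shape, so a shared anchor in the style the file already uses for `binary_spec` would keep them from drifting when the next platform-specific tweak lands. The `specs` mapping these entries belong to starts outside the hunk.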
@@ -38,8 +38,8 @@ RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \ yum -y update $YUM_FLAGS \ {{- if (eq .BeatName "heartbeat") }} && yum -y install epel-release \ - && yum -y install atk cups gtk gdk xrandr pango libXcomposite libXcursor libXdamage \ - libXext libXi libXtst cups-libs libXScrnSaver libXrandr GConf2 \ + && yum -y install atk gtk gdk xrandr pango libXcomposite libXcursor libXdamage \ + libXext libXi libXtst libXScrnSaver libXrandr GConf2 \ alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \ xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \ {{- end }} diff --git a/docs/devguide/fields-yml.asciidoc b/docs/devguide/fields-yml.asciidoc index caaca6624bb..87197fc2fe9 100644 --- a/docs/devguide/fields-yml.asciidoc +++ b/docs/devguide/fields-yml.asciidoc 
@@ -121,3 +121,43 @@ use in aggregations or ordering, you can use a multi-field mapping: For more information, see the {ref}/multi-fields.html[{es} documentation about multi-fields]. + +==== Defining a text analyzer in-line + +It is possible to define a new text analyzer or search analyzer in-line with +the field definition in the field's mapping parameters. + +For example, you can define a new text analyzer that does not break hyphenated names: + +[source,yaml] +---------------------------------------------------------------------- +- key: mybeat + title: mybeat + description: These are the fields used by mybeat. + fields: + - name: last_name + type: text + required: true + description: > + The last name. + analyzer: + mybeat_hyphenated_name: <1> + type: pattern <2> + pattern: "[\\W&&[^-]]+" <3> + search_analyzer: + mybeat_hyphenated_name: <4> + type: pattern + pattern: "[\\W&&[^-]]+" +---------------------------------------------------------------------- +<1> Use a newly defined text analyzer +<2> Define the custome analyzer type +<3> Specify the analyzer behaviour +<4> Use the same analyzer for the search + +The names of custom analyzers that are defined in-line may not be reused for a different +text analyzer. If a text analyzer name is reused it is checked for matching existing +instances of the analyzer. It is recommended that the analyzer name is prefixed with the +beat name to avoid name clashes. + +For more information, see {ref}/analysis-custom-analyzer.html[{es} documentation about +defining custom text analyzers]. diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index a47e70d98c2..8da4a2e75fd 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl 
@@ -94,7 +94,8 @@ filebeat.inputs: #max_bytes: 10485760 # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, - # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator, + # null_terminator #line_terminator: auto ### Recursive glob configuration @@ -348,7 +349,8 @@ filebeat.inputs: #message_max_bytes: 10485760 # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, - # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator, + # null_terminator #line_terminator: auto # The ingest pipeline ID associated with this input. If this is set, it diff --git a/filebeat/_meta/test/docs/01_playground/filebeat.yaml b/filebeat/_meta/test/docs/01_playground/filebeat.yaml new file mode 100644 index 00000000000..c16b68757e4 --- /dev/null +++ b/filebeat/_meta/test/docs/01_playground/filebeat.yaml 
@@ -0,0 +1,227 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: filebeat-config + namespace: kube-system + labels: + k8s-app: filebeat +data: + filebeat.yml: |- + filebeat.inputs: + - type: container + paths: + - /var/log/containers/*.log + processors: + - add_kubernetes_metadata: + host: ${NODE_NAME} + matchers: + - logs_path: + logs_path: "/var/log/containers/" + + # To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this: + #filebeat.autodiscover: + # providers: + # - type: kubernetes + # node: ${NODE_NAME} + # hints.enabled: true + # hints.default_config: + # type: container + # paths: + # - /var/log/containers/*${data.kubernetes.container.id}.log + + processors: + - add_cloud_metadata: + - add_host_metadata: + + cloud.id: ${ELASTIC_CLOUD_ID} + cloud.auth: ${ELASTIC_CLOUD_AUTH} + + output.elasticsearch: + hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] + username: ${ELASTICSEARCH_USERNAME} + password: ${ELASTICSEARCH_PASSWORD} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: filebeat + namespace: kube-system + labels: + k8s-app: filebeat +spec: + selector: + matchLabels: + k8s-app: filebeat + template: + metadata: + labels: + k8s-app: filebeat + spec: + serviceAccountName: filebeat + terminationGracePeriodSeconds: 30 + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: filebeat + image: docker.elastic.co/beats/filebeat:8.0.0-SNAPSHOT + command: [ "sleep" ] + args: [ "infinity" ] + env: + - name: ELASTICSEARCH_HOST + value: elasticsearch.default.svc.cluster.local + - name: ELASTICSEARCH_PORT + value: "9200" + - name: ELASTICSEARCH_USERNAME + value: elastic + - name: ELASTICSEARCH_PASSWORD + value: changeme + - name: ELASTIC_CLOUD_ID + value: + - name: ELASTIC_CLOUD_AUTH + value: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + # If using Red Hat OpenShift uncomment this: + #privileged: true 
+ resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: config + mountPath: /etc/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: data + mountPath: /usr/share/filebeat/data + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + - name: varlog + mountPath: /var/log + readOnly: true + volumes: + - name: config + configMap: + defaultMode: 0640 + name: filebeat-config + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + - name: varlog + hostPath: + path: /var/log + # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart + - name: data + hostPath: + # When filebeat runs as non-root user, this directory needs to be writable by group (g+w). + path: /var/lib/filebeat-data + type: DirectoryOrCreate +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: filebeat +subjects: +- kind: ServiceAccount + name: filebeat + namespace: kube-system +roleRef: + kind: ClusterRole + name: filebeat + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: filebeat + namespace: kube-system +subjects: + - kind: ServiceAccount + name: filebeat + namespace: kube-system +roleRef: + kind: Role + name: filebeat + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: filebeat-kubeadm-config + namespace: kube-system +subjects: + - kind: ServiceAccount + name: filebeat + namespace: kube-system +roleRef: + kind: Role + name: filebeat-kubeadm-config + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: filebeat + labels: + k8s-app: filebeat +rules: +- apiGroups: [""] # "" indicates the core API group + resources: + - namespaces + - pods + - nodes + verbs: + - get + - watch + 
- list +- apiGroups: ["apps"] + resources: + - replicasets + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: filebeat + # should be the namespace where filebeat is running + namespace: kube-system + labels: + k8s-app: filebeat +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: ["get", "create", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: filebeat-kubeadm-config + namespace: kube-system + labels: + k8s-app: filebeat +rules: + - apiGroups: [""] + resources: + - configmaps + resourceNames: + - kubeadm-config + verbs: ["get"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: filebeat + namespace: kube-system + labels: + k8s-app: filebeat +--- diff --git a/filebeat/_meta/test/docs/testing.md b/filebeat/_meta/test/docs/testing.md new file mode 100644 index 00000000000..05836fcd65a --- /dev/null +++ b/filebeat/_meta/test/docs/testing.md 
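Review bot: The `ELASTICSEARCH_PASSWORD` entry in the DaemonSet env carries the literal value `changeme`, and the only hint that this is a local-only setting lives in the separate testing.md rather than in the manifest itself. A short comment beside that entry would keep the file from being copied into a non-playground deployment unchanged, e.g. `# Playground only: plaintext credentials for the local kind stack; reference a Secret via valueFrom.secretKeyRef for anything else.`. The same block also sets `runAsUser: 0` and `hostNetwork: true` and mounts `/var/log` and `/var/lib/docker/containers` from the host, which appear to be carried over from the upstream filebeat manifest rather than required by the `sleep` placeholder; a one-line comment saying these are kept so the real filebeat binary can be launched later (per testing.md) would make that intent explicit.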
@@ -0,0 +1,55 @@ +# Testing Filebeat + +## Testing on Kubernetes + +### Prerequisites +- create kubernetes cluster using kind, check [here](https://github.com/elastic/beats/blob/master/metricbeat/module/kubernetes/_meta/test/docs/README.md) for details +- deploy ELK stack, check [here](https://github.com/elastic/beats/blob/master/metricbeat/module/kubernetes/_meta/test/docs/README.md) for details + +## Playground Filebeat Pod + +A slightly modified (comparing to beats/deploy/kubernetes/filebeat-kubernetes.yaml) all-in-one filebeat manifest resides under `01_playground` directory. +Modifications: +- the daemonset executes an infinite sleep command instead of starting filebeat. +- variables `ELASTICSEARCH_HOST`, `ELASTICSEARCH_PORT`, `ELASTICSEARCH_USERNAME`, `ELASTICSEARCH_PASSWORD` variables are set according to local kind EK stack. + +> Note: In case of using Elastic Cloud deployment configure the variables `ELASTIC_CLOUD_ID` and `ELASTIC_CLOUD_AUTH` accordingly. + +Deploy filebeat: +```bash +cd filebeat/_meta/test/docs +kubectl apply -f 01_playground/filebeat.yaml +``` + +## Build and launch filebeat process + +1. Build filebeat binary and copy it in the running filebeat pod. +Under beats/filebeat execute: +```bash +# Build filebeat +GOOS=linux GOARCH=amd64 go build + +# Copy binary in pod +kubectl cp ./filebeat `kubectl get pod -n kube-system -l k8s-app=filebeat -o jsonpath='{.items[].metadata.name}'`:/usr/share/filebeat/ -n kube-system +```` +The above command only copies filebeat binary. + +2. For configuration files updates modify `filebeat.yml`, defined in the `ConfigMap` and execute again: +``` +kubectl apply -f 01_playground/filebeat.yaml +``` +> Note: Filebeat on kubernetes can be running with one of the configurations: +> 1. 
Filebeat use [container input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-container.html) to read container logs under the given +> path in combination with [`add_kubernetes_metadata` processor](https://www.elastic.co/guide/en/beats/filebeat/current/add-kubernetes-metadata.html) to enrich logs +> with relevant Kubernetes pod metadata. +> 2. Filebeat use autodiscover [kubernetes provider](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover.html#_kubernetes). + +3. Start filebeat. +```bash +# Exec in the container and launch filebeat +kubectl exec `kubectl get pod -n kube-system -l k8s-app=filebeat -o jsonpath='{.items[].metadata.name}'` -n kube-system -- bash -c "filebeat -e -c /etc/filebeat.yml" +``` +Filebeat will launch and the process logs will appear in the terminal. + +You can as well exec in filebeat pod with bash command and then run filebeat. +This gives the flexibility to easily start and stop the process. \ No newline at end of file diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d89839516fe..34b05a0fd24 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -150641,385 +150641,8 @@ Threat intelligence Filebeat Module. -[float] -=== threatintel - -Fields from the threatintel Filebeat module. - - - -*`threatintel.indicator.first_seen`*:: -+ --- -The date and time when intelligence source first reported sighting this indicator. - - -type: date - --- - -*`threatintel.indicator.last_seen`*:: -+ --- -The date and time when intelligence source last reported sighting this indicator. - - -type: date - --- - -*`threatintel.indicator.sightings`*:: -+ --- -Number of times this indicator was observed conducting threat activity. - - -type: long - --- - -*`threatintel.indicator.type`*:: -+ --- -Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - -type: keyword - --- - -*`threatintel.indicator.description`*:: -+ --- -Describes the type of action conducted by the threat. - - -type: keyword - --- - -*`threatintel.indicator.scanner_stats`*:: -+ --- -Count of AV/EDR vendors that successfully detected malicious file or URL. - - -type: long - --- - -*`threatintel.indicator.provider`*:: -+ --- -Identifies the name of the intelligence provider. - - -type: keyword - --- - -*`threatintel.indicator.confidence`*:: -+ --- -Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - -type: keyword - --- - -*`threatintel.indicator.module`*:: -+ --- -Identifies the name of specific module this data is coming from. - - -type: keyword - --- - -*`threatintel.indicator.dataset`*:: -+ --- -Identifies the name of specific dataset from the intelligence source. 
- - -type: keyword - --- - -*`threatintel.indicator.reference`*:: -+ --- -Reference URL linking to additional information about this indicator. - - -type: keyword - --- - -*`threatintel.indicator.ip`*:: -+ --- -Identifies a threat indicator as an IP address (irrespective of direction). - - -type: ip - --- - -*`threatintel.indicator.port`*:: -+ --- -Identifies a threat indicator as a port number (irrespective of direction). - - -type: long - --- - -*`threatintel.indicator.email.address`*:: -+ --- -Identifies a threat indicator as an email address (irrespective of direction). - - -type: keyword - --- - -*`threatintel.indicator.marking.tlp`*:: -+ --- -Traffic Light Protocol sharing markings. Expected values are: - * White - * Green - * Amber - * Red - - -type: keyword - --- - - -*`threatintel.indicator.matched.atomic`*:: -+ --- -Identifies the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - -*`threatintel.indicator.matched.field`*:: -+ --- -Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - -*`threatintel.indicator.matched.type`*:: -+ --- -Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - - -*`threatintel.indicator.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`threatintel.indicator.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`threatintel.indicator.as.organization.name.text`*:: -+ --- -type: text - --- - - -*`threatintel.indicator.registry.data.strings`*:: -+ --- -Content when writing string types. Populated as an array when writing string data to the registry. 
For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`threatintel.indicator.registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`threatintel.indicator.registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -*`threatintel.indicator.registry.key`*:: -+ --- -Registry key value - -type: keyword - --- - - -*`threatintel.indicator.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`threatintel.indicator.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`threatintel.indicator.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`threatintel.indicator.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`threatintel.indicator.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`threatintel.indicator.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`threatintel.indicator.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`threatintel.indicator.file.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - - -*`threatintel.indicator.file.hash.tlsh`*:: +*`threat.indicator.file.hash.tlsh`*:: + -- The file's import tlsh, if available. @@ -151029,47 +150652,7 @@ type: keyword -- -*`threatintel.indicator.file.hash.ssdeep`*:: -+ --- -The file's ssdeep hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.md5`*:: -+ --- -The file's md5 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha1`*:: -+ --- -The file's sha1 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha256`*:: -+ --- -The file's sha256 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha384`*:: +*`threat.indicator.file.hash.sha384`*:: + -- The file's sha384 hash, if available. 
@@ -151079,272 +150662,28 @@ type: keyword -- -*`threatintel.indicator.file.hash.sha512`*:: -+ --- -The file's sha512 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.type`*:: -+ --- -The file type. - - -type: keyword - --- - -*`threatintel.indicator.file.size`*:: -+ --- -The file's total size. - - -type: long - --- - -*`threatintel.indicator.file.name`*:: -+ --- -The file's name. - - -type: keyword - --- - -*`threatintel.indicator.file.extension`*:: -+ --- -The file's extension. - - -type: keyword - --- - -*`threatintel.indicator.file.mime_type`*:: -+ --- -The file's MIME type. - - -type: keyword - --- - - -*`threatintel.indicator.url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". - - -type: keyword - --- - -*`threatintel.indicator.url.extension`*:: -+ --- -The field contains the file extension from the original request - - -type: keyword - --- - -*`threatintel.indicator.url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". - - -type: keyword - --- - -*`threatintel.indicator.url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - - -type: keyword - --- - -*`threatintel.indicator.url.original`*:: -+ --- -Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. - - -type: keyword - --- - -*`threatintel.indicator.url.password`*:: -+ --- -Password of the request. - - -type: keyword - --- - -*`threatintel.indicator.url.path`*:: -+ --- -Path of the request, such as "/search". - - -type: keyword - --- - -*`threatintel.indicator.url.port`*:: -+ --- -Port of the request, such as 443. 
- - -type: long - -format: string - --- - -*`threatintel.indicator.url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - - -type: keyword - --- - -*`threatintel.indicator.url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - - -type: keyword - --- - -*`threatintel.indicator.url.scheme`*:: -+ --- -Scheme of the request, such as "https". - - -type: keyword - --- - -*`threatintel.indicator.url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - - -type: keyword - --- - -*`threatintel.indicator.url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - - -type: keyword - --- - -*`threatintel.indicator.url.username`*:: -+ --- -Username of the request. - - -type: keyword - --- - - -*`threatintel.indicator.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`threatintel.indicator.x509.issuer`*:: -+ --- -Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`threatintel.indicator.x509.subject`*:: -+ --- -Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`threatintel.indicator.x509.alternative_names`*:: +*`threat.feed.name`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - type: keyword -example: *.elastic.co - -- -*`threatintel.indicator.signature`*:: +*`threat.feed.dashboard_id`*:: + -- -Malware family of sample (if available). - - type: keyword -- [float] -=== abusemalware +=== abusech.malware Fields for AbuseCH Malware Threat Intel -*`threatintel.abusemalware.file_type`*:: +*`abusech.malware.file_type`*:: + -- File type guessed by URLhaus. @@ -151354,7 +150693,7 @@ type: keyword -- -*`threatintel.abusemalware.signature`*:: +*`abusech.malware.signature`*:: + -- Malware familiy. 
@@ -151364,7 +150703,7 @@ type: keyword -- -*`threatintel.abusemalware.urlhaus_download`*:: +*`abusech.malware.urlhaus_download`*:: + -- Location (URL) where you can download a copy of this file. @@ -151374,7 +150713,7 @@ type: keyword -- -*`threatintel.abusemalware.virustotal.result`*:: +*`abusech.malware.virustotal.result`*:: + -- AV detection ration. @@ -151384,7 +150723,7 @@ type: keyword -- -*`threatintel.abusemalware.virustotal.percent`*:: +*`abusech.malware.virustotal.percent`*:: + -- AV detection in percent. @@ -151394,7 +150733,7 @@ type: float -- -*`threatintel.abusemalware.virustotal.link`*:: +*`abusech.malware.virustotal.link`*:: + -- Link to the Virustotal report. @@ -151405,13 +150744,13 @@ type: keyword -- [float] -=== abuseurl +=== abusech.url Fields for AbuseCH Malware Threat Intel -*`threatintel.abuseurl.id`*:: +*`abusech.url.id`*:: + -- The ID of the url. @@ -151421,7 +150760,7 @@ type: keyword -- -*`threatintel.abuseurl.urlhaus_reference`*:: +*`abusech.url.urlhaus_reference`*:: + -- Link to URLhaus entry. @@ -151431,7 +150770,7 @@ type: keyword -- -*`threatintel.abuseurl.url_status`*:: +*`abusech.url.url_status`*:: + -- The current status of the URL. Possible values are: online, offline and unknown. @@ -151441,7 +150780,7 @@ type: keyword -- -*`threatintel.abuseurl.threat`*:: +*`abusech.url.threat`*:: + -- The threat corresponding to this malware URL. @@ -151451,7 +150790,7 @@ type: keyword -- -*`threatintel.abuseurl.blacklists.surbl`*:: +*`abusech.url.blacklists.surbl`*:: + -- SURBL blacklist status. Possible values are: listed and not_listed @@ -151461,7 +150800,7 @@ type: keyword -- -*`threatintel.abuseurl.blacklists.spamhaus_dbl`*:: +*`abusech.url.blacklists.spamhaus_dbl`*:: + -- Spamhaus DBL blacklist status. @@ -151471,7 +150810,7 @@ type: keyword -- -*`threatintel.abuseurl.reporter`*:: +*`abusech.url.reporter`*:: + -- The Twitter handle of the reporter that has reported this malware URL (or anonymous). 
@@ -151481,7 +150820,7 @@ type: keyword -- -*`threatintel.abuseurl.larted`*:: +*`abusech.url.larted`*:: + -- Indicates whether the malware URL has been reported to the hosting provider (true or false) @@ -151491,7 +150830,7 @@ type: boolean -- -*`threatintel.abuseurl.tags`*:: +*`abusech.url.tags`*:: + -- A list of tags associated with the queried malware URL @@ -151502,13 +150841,13 @@ type: keyword -- [float] -=== anomali +=== anomali.limo Fields for Anomali Threat Intel -*`threatintel.anomali.id`*:: +*`anomali.limo.id`*:: + -- The ID of the indicator. @@ -151518,7 +150857,7 @@ type: keyword -- -*`threatintel.anomali.name`*:: +*`anomali.limo.name`*:: + -- The name of the indicator. @@ -151528,7 +150867,7 @@ type: keyword -- -*`threatintel.anomali.pattern`*:: +*`anomali.limo.pattern`*:: + -- The pattern ID of the indicator. @@ -151538,7 +150877,7 @@ type: keyword -- -*`threatintel.anomali.valid_from`*:: +*`anomali.limo.valid_from`*:: + -- When the indicator was first found or is considered valid. @@ -151548,7 +150887,7 @@ type: date -- -*`threatintel.anomali.modified`*:: +*`anomali.limo.modified`*:: + -- When the indicator was last modified @@ -151558,7 +150897,7 @@ type: date -- -*`threatintel.anomali.labels`*:: +*`anomali.limo.labels`*:: + -- The labels related to the indicator @@ -151568,7 +150907,7 @@ type: keyword -- -*`threatintel.anomali.indicator`*:: +*`anomali.limo.indicator`*:: + -- The value of the indicator, for example if the type is domain, this would be the value. @@ -151578,7 +150917,7 @@ type: keyword -- -*`threatintel.anomali.description`*:: +*`anomali.limo.description`*:: + -- A description of the indicator. @@ -151588,7 +150927,7 @@ type: keyword -- -*`threatintel.anomali.title`*:: +*`anomali.limo.title`*:: + -- Title describing the indicator. @@ -151598,7 +150937,7 @@ type: keyword -- -*`threatintel.anomali.content`*:: +*`anomali.limo.content`*:: + -- Extra text or descriptive content related to the indicator. 
@@ -151608,7 +150947,7 @@ type: keyword -- -*`threatintel.anomali.type`*:: +*`anomali.limo.type`*:: + -- The indicator type, can for example be "domain, email, FileHash-SHA256". @@ -151618,7 +150957,7 @@ type: keyword -- -*`threatintel.anomali.object_marking_refs`*:: +*`anomali.limo.object_marking_refs`*:: + -- The STIX reference object. @@ -151629,13 +150968,13 @@ type: keyword -- [float] -=== anomalithreatstream +=== anomali.threatstream Fields for Anomali ThreatStream -*`threatintel.anomalithreatstream.classification`*:: +*`anomali.threatstream.classification`*:: + -- Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. @@ -151647,7 +150986,7 @@ example: private -- -*`threatintel.anomalithreatstream.confidence`*:: +*`anomali.threatstream.confidence`*:: + -- The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. @@ -151657,7 +150996,7 @@ type: short -- -*`threatintel.anomalithreatstream.detail2`*:: +*`anomali.threatstream.detail2`*:: + -- Detail text for indicator. @@ -151669,7 +151008,7 @@ example: Imported by user 42. -- -*`threatintel.anomalithreatstream.id`*:: +*`anomali.threatstream.id`*:: + -- The ID of the indicator. @@ -151679,7 +151018,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.import_session_id`*:: +*`anomali.threatstream.import_session_id`*:: + -- ID of the import session that created the indicator on ThreatStream. @@ -151689,7 +151028,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.itype`*:: +*`anomali.threatstream.itype`*:: + -- Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". 
@@ -151699,7 +151038,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.maltype`*:: +*`anomali.threatstream.maltype`*:: + -- Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. @@ -151709,7 +151048,7 @@ type: wildcard -- -*`threatintel.anomalithreatstream.md5`*:: +*`anomali.threatstream.md5`*:: + -- Hash for the indicator. @@ -151719,7 +151058,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.resource_uri`*:: +*`anomali.threatstream.resource_uri`*:: + -- Relative URI for the indicator details. @@ -151729,7 +151068,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.severity`*:: +*`anomali.threatstream.severity`*:: + -- Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. @@ -151739,7 +151078,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.source`*:: +*`anomali.threatstream.source`*:: + -- Source for the indicator. @@ -151751,7 +151090,7 @@ example: Analyst -- -*`threatintel.anomalithreatstream.source_feed_id`*:: +*`anomali.threatstream.source_feed_id`*:: + -- ID for the integrator source. @@ -151761,7 +151100,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.state`*:: +*`anomali.threatstream.state`*:: + -- State for this indicator. @@ -151773,7 +151112,7 @@ example: active -- -*`threatintel.anomalithreatstream.trusted_circle_ids`*:: +*`anomali.threatstream.trusted_circle_ids`*:: + -- ID of the trusted circle that imported the indicator. @@ -151783,7 +151122,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.update_id`*:: +*`anomali.threatstream.update_id`*:: + -- Update ID. @@ -151793,7 +151132,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.url`*:: +*`anomali.threatstream.url`*:: + -- URL for the indicator. 
@@ -151803,7 +151142,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.value_type`*:: +*`anomali.threatstream.value_type`*:: + -- Data type of the indicator. Possible values: ip, domain, url, email, md5. @@ -151814,13 +151153,13 @@ type: keyword -- [float] -=== malwarebazaar +=== abusech.malwarebazaar Fields for Malware Bazaar Threat Intel -*`threatintel.malwarebazaar.file_type`*:: +*`abusech.malwarebazaar.file_type`*:: + -- File type guessed by Malware Bazaar. @@ -151830,7 +151169,7 @@ type: keyword -- -*`threatintel.malwarebazaar.signature`*:: +*`abusech.malwarebazaar.signature`*:: + -- Malware familiy. @@ -151840,7 +151179,7 @@ type: keyword -- -*`threatintel.malwarebazaar.tags`*:: +*`abusech.malwarebazaar.tags`*:: + -- A list of tags associated with the queried malware sample. @@ -151851,7 +151190,7 @@ type: keyword -- -*`threatintel.malwarebazaar.intelligence.downloads`*:: +*`abusech.malwarebazaar.intelligence.downloads`*:: + -- Number of downloads from MalwareBazaar. @@ -151861,7 +151200,7 @@ type: long -- -*`threatintel.malwarebazaar.intelligence.uploads`*:: +*`abusech.malwarebazaar.intelligence.uploads`*:: + -- Number of uploads from MalwareBazaar. @@ -151872,7 +151211,7 @@ type: long -- -*`threatintel.malwarebazaar.intelligence.mail.Generic`*:: +*`abusech.malwarebazaar.intelligence.mail.Generic`*:: + -- Malware seen in generic spam traffic. @@ -151882,7 +151221,7 @@ type: keyword -- -*`threatintel.malwarebazaar.intelligence.mail.IT`*:: +*`abusech.malwarebazaar.intelligence.mail.IT`*:: + -- Malware seen in IT spam traffic. @@ -151892,7 +151231,7 @@ type: keyword -- -*`threatintel.malwarebazaar.anonymous`*:: +*`abusech.malwarebazaar.anonymous`*:: + -- Identifies if the sample was submitted anonymously. @@ -151902,7 +151241,7 @@ type: long -- -*`threatintel.malwarebazaar.code_sign`*:: +*`abusech.malwarebazaar.code_sign`*:: + -- Code signing information for the sample. 
@@ -151919,7 +151258,7 @@ Fields for MISP Threat Intel -*`threatintel.misp.id`*:: +*`misp.id`*:: + -- Attribute ID. @@ -151929,7 +151268,7 @@ type: keyword -- -*`threatintel.misp.orgc_id`*:: +*`misp.orgc_id`*:: + -- Organization Community ID of the event. @@ -151939,7 +151278,7 @@ type: keyword -- -*`threatintel.misp.org_id`*:: +*`misp.org_id`*:: + -- Organization ID of the event. @@ -151949,7 +151288,7 @@ type: keyword -- -*`threatintel.misp.threat_level_id`*:: +*`misp.threat_level_id`*:: + -- Threat level from 5 to 1, where 1 is the most critical. @@ -151959,7 +151298,7 @@ type: long -- -*`threatintel.misp.info`*:: +*`misp.info`*:: + -- Additional text or information related to the event. @@ -151969,7 +151308,7 @@ type: keyword -- -*`threatintel.misp.published`*:: +*`misp.published`*:: + -- When the event was published. @@ -151979,7 +151318,7 @@ type: boolean -- -*`threatintel.misp.uuid`*:: +*`misp.uuid`*:: + -- The UUID of the event object. @@ -151989,7 +151328,7 @@ type: keyword -- -*`threatintel.misp.date`*:: +*`misp.date`*:: + -- The date of when the event object was created. @@ -151999,7 +151338,7 @@ type: date -- -*`threatintel.misp.attribute_count`*:: +*`misp.attribute_count`*:: + -- How many attributes are included in a single event object. @@ -152009,7 +151348,7 @@ type: long -- -*`threatintel.misp.timestamp`*:: +*`misp.timestamp`*:: + -- The timestamp of when the event object was created. @@ -152019,7 +151358,7 @@ type: date -- -*`threatintel.misp.distribution`*:: +*`misp.distribution`*:: + -- Distribution type related to MISP. @@ -152029,7 +151368,7 @@ type: keyword -- -*`threatintel.misp.proposal_email_lock`*:: +*`misp.proposal_email_lock`*:: + -- Settings configured on MISP for email lock on this event object. @@ -152039,7 +151378,7 @@ type: boolean -- -*`threatintel.misp.locked`*:: +*`misp.locked`*:: + -- If the current MISP event object is locked or not. 
@@ -152049,7 +151388,7 @@ type: boolean -- -*`threatintel.misp.publish_timestamp`*:: +*`misp.publish_timestamp`*:: + -- At what time the event object was published @@ -152059,7 +151398,7 @@ type: date -- -*`threatintel.misp.sharing_group_id`*:: +*`misp.sharing_group_id`*:: + -- The ID of the grouped events or sources of the event. @@ -152069,7 +151408,7 @@ type: keyword -- -*`threatintel.misp.disable_correlation`*:: +*`misp.disable_correlation`*:: + -- If correlation is disabled on the MISP event object. @@ -152079,7 +151418,7 @@ type: boolean -- -*`threatintel.misp.extends_uuid`*:: +*`misp.extends_uuid`*:: + -- The UUID of the event object it might extend. @@ -152089,7 +151428,7 @@ type: keyword -- -*`threatintel.misp.org.id`*:: +*`misp.org.id`*:: + -- The organization ID related to the event object. @@ -152099,7 +151438,7 @@ type: keyword -- -*`threatintel.misp.org.name`*:: +*`misp.org.name`*:: + -- The organization name related to the event object. @@ -152109,7 +151448,7 @@ type: keyword -- -*`threatintel.misp.org.uuid`*:: +*`misp.org.uuid`*:: + -- The UUID of the organization related to the event object. @@ -152119,7 +151458,7 @@ type: keyword -- -*`threatintel.misp.org.local`*:: +*`misp.org.local`*:: + -- If the event object is local or from a remote source. @@ -152129,7 +151468,7 @@ type: boolean -- -*`threatintel.misp.orgc.id`*:: +*`misp.orgc.id`*:: + -- The Organization Community ID in which the event object was reported from. @@ -152139,7 +151478,7 @@ type: keyword -- -*`threatintel.misp.orgc.name`*:: +*`misp.orgc.name`*:: + -- The Organization Community name in which the event object was reported from. @@ -152149,7 +151488,7 @@ type: keyword -- -*`threatintel.misp.orgc.uuid`*:: +*`misp.orgc.uuid`*:: + -- The Organization Community UUID in which the event object was reported from. @@ -152159,7 +151498,7 @@ type: keyword -- -*`threatintel.misp.orgc.local`*:: +*`misp.orgc.local`*:: + -- If the Organization Community was local or synced from a remote source. 
@@ -152169,7 +151508,7 @@ type: boolean
 --
-*`threatintel.misp.attribute.id`*::
+*`misp.attribute.id`*::
 +
 --
 The ID of the attribute related to the event object.
@@ -152179,7 +151518,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.type`*::
+*`misp.attribute.type`*::
 +
 --
 The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
@@ -152189,7 +151528,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.category`*::
+*`misp.attribute.category`*::
 +
 --
 The category of the attribute related to the event object. For example "Network Activity".
@@ -152199,7 +151538,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.to_ids`*::
+*`misp.attribute.to_ids`*::
 +
 --
 If the attribute should be automatically synced with an IDS.
@@ -152209,7 +151548,7 @@ type: boolean
 --
-*`threatintel.misp.attribute.uuid`*::
+*`misp.attribute.uuid`*::
 +
 --
 The UUID of the attribute related to the event.
@@ -152219,7 +151558,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.event_id`*::
+*`misp.attribute.event_id`*::
 +
 --
 The local event ID of the attribute related to the event.
@@ -152229,7 +151568,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.distribution`*::
+*`misp.attribute.distribution`*::
 +
 --
 How the attribute has been distributed, represented by integer numbers.
@@ -152239,7 +151578,7 @@ type: long
 --
-*`threatintel.misp.attribute.timestamp`*::
+*`misp.attribute.timestamp`*::
 +
 --
 The timestamp in which the attribute was attached to the event object.
@@ -152249,7 +151588,7 @@ type: date
 --
-*`threatintel.misp.attribute.comment`*::
+*`misp.attribute.comment`*::
 +
 --
 Comments made to the attribute itself.
@@ -152259,7 +151598,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.sharing_group_id`*::
+*`misp.attribute.sharing_group_id`*::
 +
 --
 The group ID of the sharing group related to the specific attribute.
@@ -152269,7 +151608,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.deleted`*::
+*`misp.attribute.deleted`*::
 +
 --
 If the attribute has been removed from the event object.
@@ -152279,7 +151618,7 @@ type: boolean
 --
-*`threatintel.misp.attribute.disable_correlation`*::
+*`misp.attribute.disable_correlation`*::
 +
 --
 If correlation has been enabled on the attribute related to the event object.
@@ -152289,7 +151628,7 @@ type: boolean
 --
-*`threatintel.misp.attribute.object_id`*::
+*`misp.attribute.object_id`*::
 +
 --
 The ID of the Object in which the attribute is attached.
@@ -152299,7 +151638,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.object_relation`*::
+*`misp.attribute.object_relation`*::
 +
 --
 The type of relation the attribute has with the event object itself.
@@ -152309,7 +151648,7 @@ type: keyword
 --
-*`threatintel.misp.attribute.value`*::
+*`misp.attribute.value`*::
 +
 --
 The value of the attribute, depending on the type like "url, sha1, email-src".
@@ -152319,7 +151658,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.id`*::
+*`misp.context.attribute.id`*::
 +
 --
 The ID of the secondary attribute related to the event object.
@@ -152329,7 +151668,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.type`*::
+*`misp.context.attribute.type`*::
 +
 --
 The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
@@ -152339,7 +151678,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.category`*::
+*`misp.context.attribute.category`*::
 +
 --
 The category of the secondary attribute related to the event object. For example "Network Activity".
@@ -152349,7 +151688,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.to_ids`*::
+*`misp.context.attribute.to_ids`*::
 +
 --
 If the secondary attribute should be automatically synced with an IDS.
@@ -152359,7 +151698,7 @@ type: boolean
 --
-*`threatintel.misp.context.attribute.uuid`*::
+*`misp.context.attribute.uuid`*::
 +
 --
 The UUID of the secondary attribute related to the event.
@@ -152369,7 +151708,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.event_id`*::
+*`misp.context.attribute.event_id`*::
 +
 --
 The local event ID of the secondary attribute related to the event.
@@ -152379,7 +151718,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.distribution`*::
+*`misp.context.attribute.distribution`*::
 +
 --
 How the secondary attribute has been distributed, represented by integer numbers.
@@ -152389,7 +151728,7 @@ type: long
 --
-*`threatintel.misp.context.attribute.timestamp`*::
+*`misp.context.attribute.timestamp`*::
 +
 --
 The timestamp in which the secondary attribute was attached to the event object.
@@ -152399,7 +151738,7 @@ type: date
 --
-*`threatintel.misp.context.attribute.comment`*::
+*`misp.context.attribute.comment`*::
 +
 --
 Comments made to the secondary attribute itself.
@@ -152409,7 +151748,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.sharing_group_id`*::
+*`misp.context.attribute.sharing_group_id`*::
 +
 --
 The group ID of the sharing group related to the specific secondary attribute.
@@ -152419,7 +151758,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.deleted`*::
+*`misp.context.attribute.deleted`*::
 +
 --
 If the secondary attribute has been removed from the event object.
@@ -152429,7 +151768,7 @@ type: boolean
 --
-*`threatintel.misp.context.attribute.disable_correlation`*::
+*`misp.context.attribute.disable_correlation`*::
 +
 --
 If correlation has been enabled on the secondary attribute related to the event object.
@@ -152439,7 +151778,7 @@ type: boolean
 --
-*`threatintel.misp.context.attribute.object_id`*::
+*`misp.context.attribute.object_id`*::
 +
 --
 The ID of the Object in which the secondary attribute is attached.
@@ -152449,7 +151788,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.object_relation`*::
+*`misp.context.attribute.object_relation`*::
 +
 --
 The type of relation the secondary attribute has with the event object itself.
@@ -152459,7 +151798,7 @@ type: keyword
 --
-*`threatintel.misp.context.attribute.value`*::
+*`misp.context.attribute.value`*::
 +
 --
 The value of the attribute, depending on the type like "url, sha1, email-src".
@@ -152476,7 +151815,7 @@ Fields for OTX Threat Intel
-*`threatintel.otx.id`*::
+*`otx.id`*::
 +
 --
 The ID of the indicator.
@@ -152486,7 +151825,7 @@ type: keyword
 --
-*`threatintel.otx.indicator`*::
+*`otx.indicator`*::
 +
 --
 The value of the indicator, for example if the type is domain, this would be the value.
@@ -152496,7 +151835,7 @@ type: keyword
 --
-*`threatintel.otx.description`*::
+*`otx.description`*::
 +
 --
 A description of the indicator.
@@ -152506,7 +151845,7 @@ type: keyword
 --
-*`threatintel.otx.title`*::
+*`otx.title`*::
 +
 --
 Title describing the indicator.
@@ -152516,7 +151855,7 @@ type: keyword
 --
-*`threatintel.otx.content`*::
+*`otx.content`*::
 +
 --
 Extra text or descriptive content related to the indicator.
@@ -152526,7 +151865,7 @@ type: keyword
 --
-*`threatintel.otx.type`*::
+*`otx.type`*::
 +
 --
 The indicator type, can for example be "domain, email, FileHash-SHA256".
@@ -152550,7 +151889,7 @@ Entity that represents a threat.
-*`threatintel.recordedfuture.entity.id`*::
+*`recordedfuture.entity.id`*::
 +
 --
 Entity ID.
@@ -152562,7 +151901,7 @@ example: ip:192.0.2.13
 --
-*`threatintel.recordedfuture.entity.name`*::
+*`recordedfuture.entity.name`*::
 +
 --
 Entity name. Value for the entity.
@@ -152574,7 +151913,7 @@ example: 192.0.2.13
 --
-*`threatintel.recordedfuture.entity.type`*::
+*`recordedfuture.entity.type`*::
 +
 --
 Entity type.
@@ -152586,7 +151925,7 @@ example: IpAddress
 --
-*`threatintel.recordedfuture.intelCard`*::
+*`recordedfuture.intelCard`*::
 +
 --
 Link to the Recorded Future Intelligence Card for to this indicator.
@@ -152596,7 +151935,7 @@ type: keyword
 --
-*`threatintel.recordedfuture.ip_range`*::
+*`recordedfuture.ip_range`*::
 +
 --
 Range of IPs for this indicator.
@@ -152615,7 +151954,7 @@ Risk fields.
-*`threatintel.recordedfuture.risk.criticality`*::
+*`recordedfuture.risk.criticality`*::
 +
 --
 Risk criticality (0-4).
@@ -152625,7 +151964,7 @@ type: byte
 --
-*`threatintel.recordedfuture.risk.criticalityLabel`*::
+*`recordedfuture.risk.criticalityLabel`*::
 +
 --
 Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious.
@@ -152635,7 +151974,7 @@ type: keyword
 --
-*`threatintel.recordedfuture.risk.evidenceDetails`*::
+*`recordedfuture.risk.evidenceDetails`*::
 +
 --
 Risk's evidence details.
@@ -152645,7 +151984,7 @@ type: flattened
 --
-*`threatintel.recordedfuture.risk.score`*::
+*`recordedfuture.risk.score`*::
 +
 --
 Risk score (0-99).
@@ -152655,7 +151994,7 @@ type: short
 --
-*`threatintel.recordedfuture.risk.riskString`*::
+*`recordedfuture.risk.riskString`*::
 +
 --
 Number of Risk Rules observed as a factor of total number of rules.
@@ -152667,7 +152006,7 @@ example: 1/54
 --
-*`threatintel.recordedfuture.risk.riskSummary`*::
+*`recordedfuture.risk.riskSummary`*::
 +
 --
 Risk summary.
@@ -152679,14 +152018,14 @@ example: 1 of 54 Risk Rules currently observed.
 --
-*`threatintel.recordedfuture.risk.riskSummary.text`*::
+*`recordedfuture.risk.riskSummary.text`*::
 +
 --
 type: text
 --
-*`threatintel.recordedfuture.risk.rules`*::
+*`recordedfuture.risk.rules`*::
 +
 --
 Number of rules observed.
@@ -152703,7 +152042,7 @@ Fields for ThreatQ Threat Library
-*`threatintel.threatq.updated_at`*::
+*`threatq.updated_at`*::
 +
 --
 Last modification time
@@ -152713,7 +152052,7 @@ type: date
 --
-*`threatintel.threatq.created_at`*::
+*`threatq.created_at`*::
 +
 --
 Object creation time
@@ -152723,7 +152062,7 @@ type: date
 --
-*`threatintel.threatq.expires_at`*::
+*`threatq.expires_at`*::
 +
 --
 Expiration time
@@ -152733,7 +152072,7 @@ type: date
 --
-*`threatintel.threatq.expires_calculated_at`*::
+*`threatq.expires_calculated_at`*::
 +
 --
 Expiration calculation time
@@ -152743,7 +152082,7 @@ type: date
 --
-*`threatintel.threatq.published_at`*::
+*`threatq.published_at`*::
 +
 --
 Object publication time
@@ -152753,7 +152092,7 @@ type: date
 --
-*`threatintel.threatq.status`*::
+*`threatq.status`*::
 +
 --
 Object status within the Threat Library
@@ -152763,7 +152102,7 @@ type: keyword
 --
-*`threatintel.threatq.indicator_value`*::
+*`threatq.indicator_value`*::
 +
 --
 Original indicator value
@@ -152773,7 +152112,7 @@ type: keyword
 --
-*`threatintel.threatq.adversaries`*::
+*`threatq.adversaries`*::
 +
 --
 Adversaries that are linked to the object
@@ -152783,7 +152122,7 @@ type: keyword
 --
-*`threatintel.threatq.attributes`*::
+*`threatq.attributes`*::
 +
 --
 These provide additional context about an object
diff --git a/filebeat/docs/modules/barracuda.asciidoc b/filebeat/docs/modules/barracuda.asciidoc
index fc5529cf059..e1732beb061 100644
--- a/filebeat/docs/modules/barracuda.asciidoc
+++ b/filebeat/docs/modules/barracuda.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" devic
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
@@ -78,7 +78,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudasf" device
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/bluecoat.asciidoc b/filebeat/docs/modules/bluecoat.asciidoc
index b6e1e23e50a..4f7c7e243b5 100644
--- a/filebeat/docs/modules/bluecoat.asciidoc
+++ b/filebeat/docs/modules/bluecoat.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" d
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
index e2a0a89acba..ae06741b09e 100644
--- a/filebeat/docs/modules/cisco.asciidoc
+++ b/filebeat/docs/modules/cisco.asciidoc
@@ -305,7 +305,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device r
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
@@ -350,7 +350,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/cylance.asciidoc b/filebeat/docs/modules/cylance.asciidoc
index 641c369f4e5..3e70754430f 100644
--- a/filebeat/docs/modules/cylance.asciidoc
+++ b/filebeat/docs/modules/cylance.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cylance" device rev
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc
index 5b886f8cae6..611239e2c21 100644
--- a/filebeat/docs/modules/f5.asciidoc
+++ b/filebeat/docs/modules/f5.asciidoc
@@ -37,7 +37,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device re
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
@@ -82,7 +82,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipafm" device re
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc
index 8a5da7b80f7..9dc8c1e3f26 100644
--- a/filebeat/docs/modules/fortinet.asciidoc
+++ b/filebeat/docs/modules/fortinet.asciidoc
@@ -85,7 +85,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
@@ -130,7 +130,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail"
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
@@ -175,7 +175,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/imperva.asciidoc b/filebeat/docs/modules/imperva.asciidoc
index bdbf16b0bec..480ed29d30d 100644
--- a/filebeat/docs/modules/imperva.asciidoc
+++ b/filebeat/docs/modules/imperva.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/infoblox.asciidoc b/filebeat/docs/modules/infoblox.asciidoc
index 745a52e0c96..a830d765247 100644
--- a/filebeat/docs/modules/infoblox.asciidoc
+++ b/filebeat/docs/modules/infoblox.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" devic
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc
index a97baa17de5..113fe33c513 100644
--- a/filebeat/docs/modules/juniper.asciidoc
+++ b/filebeat/docs/modules/juniper.asciidoc
@@ -146,7 +146,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
@@ -191,7 +191,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device r
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc
index ff00507119f..7a1170c67d9 100644
--- a/filebeat/docs/modules/microsoft.asciidoc
+++ b/filebeat/docs/modules/microsoft.asciidoc
@@ -224,7 +224,7 @@ include::../include/var-paths.asciidoc[]
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/netscout.asciidoc b/filebeat/docs/modules/netscout.asciidoc
index a1d4d3dcdd5..13e78e5b116 100644
--- a/filebeat/docs/modules/netscout.asciidoc
+++ b/filebeat/docs/modules/netscout.asciidoc
@@ -31,7 +31,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" de
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/proofpoint.asciidoc b/filebeat/docs/modules/proofpoint.asciidoc
index 905288fab3d..b5ebebc6ccd 100644
--- a/filebeat/docs/modules/proofpoint.asciidoc
+++ b/filebeat/docs/modules/proofpoint.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "proofpoint" device
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/radware.asciidoc b/filebeat/docs/modules/radware.asciidoc
index 3d1dbc4dcbc..d76a5b96fe0 100644
--- a/filebeat/docs/modules/radware.asciidoc
+++ b/filebeat/docs/modules/radware.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device r
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/snort.asciidoc b/filebeat/docs/modules/snort.asciidoc
index ff9d5809ae8..aa6a08f8f26 100644
--- a/filebeat/docs/modules/snort.asciidoc
+++ b/filebeat/docs/modules/snort.asciidoc
@@ -31,7 +31,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "snort" device revis
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc
index a50c6477307..17e953dcfc1 100644
--- a/filebeat/docs/modules/sonicwall.asciidoc
+++ b/filebeat/docs/modules/sonicwall.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device r
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc
index 88572fee06a..4e8a2367424 100644
--- a/filebeat/docs/modules/sophos.asciidoc
+++ b/filebeat/docs/modules/sophos.asciidoc
@@ -156,7 +156,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device re
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/squid.asciidoc b/filebeat/docs/modules/squid.asciidoc
index b72a4412537..4bf202b262a 100644
--- a/filebeat/docs/modules/squid.asciidoc
+++ b/filebeat/docs/modules/squid.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "squid" device revis
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
index a05384ff446..b8b5b6f950d 100644
--- a/filebeat/docs/modules/threatintel.asciidoc
+++ b/filebeat/docs/modules/threatintel.asciidoc
@@ -17,7 +17,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind
 Match rules], but is also compatible with other features like
 https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich Processors].
 The related threat intel attribute that is meant to be used for
-matching incoming source data is stored under the `threatintel.indicator.*`
+matching incoming source data is stored under the `threat.indicator.*`
 fields.
 The available filesets are:
@@ -73,9 +73,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | URL Threat Intel Fields | ECS Fields
-| url | threatintel.indicator.url.full
+| url | threat.indicator.url.full
 | date_added | @timestamp
-| host | threatintel.indicator.ip/domain
+| host | threat.indicator.ip/domain
 |==============================================================
 [[abusemalware]]
@@ -117,9 +117,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |================================================================
 | Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| file_size | threatintel.indicator.file.size
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| file_size | threat.indicator.file.size
 |================================================================
 [[malwarebazaar]]
@@ -161,24 +161,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |================================================================
 | Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| tlsh | threatintel.indicator.file.hash.tlsh
-| ssdeep | threatintel.indicator.file.hash.ssdeep
-| imphash | threatintel.indicator.file.pe.imphash
-| file_size | threatintel.indicator.file.size
-| file_name | threatintel.indicator.file.name
-| file_type_mime | threatintel.indicator.file.mime_type
-| file_type | threatintel.indicator.file.type
-| reporter | threatintel.indicator.provider
-| origin_country | threatintel.indicator.geo.country_iso_code
-| signature | threatintel.indicator.signature
-| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name
-| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name
-| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm
-| code_sign.valid_from | threatintel.indicator.file.x509.not_before
-| code_sign.valid_to | threatintel.indicator.file.x509.not_after
-| code_sign.serial_number | threatintel.indicator.file.x509.serial_number
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| sha384_hash | threat.indicator.file.hash.sha384
+| tlsh | threat.indicator.file.hash.tlsh
+| ssdeep | threat.indicator.file.hash.ssdeep
+| imphash | threat.indicator.file.pe.imphash
+| file_size | threat.indicator.file.size
+| file_name | threat.indicator.file.name
+| file_type_mime | threat.indicator.file.mime_type
+| file_type | threat.indicator.file.type
+| reporter | threat.indicator.provider
+| origin_country | threat.indicator.geo.country_iso_code
+| signature | threat.indicator.signature
+| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name
+| code_sign.issuer_cn | threat.indicator.file.x509.issuer.common_name
+| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm
+| code_sign.valid_from | threat.indicator.file.x509.not_before
+| code_sign.valid_to | threat.indicator.file.x509.not_after
+| code_sign.serial_number | threat.indicator.file.x509.serial_number
 |================================================================
 [[misp]]
@@ -255,10 +256,10 @@ MISP Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | Malware Threat IntelFields | ECS Fields
-| misp.first_seen | threatintel.indicator.first_seen
-| misp.last_seen | threatintel.indicator.last_seen
+| misp.first_seen | threat.indicator.first_seen
+| misp.last_seen | threat.indicator.last_seen
 | misp.tag | tag
-| misp.value | threatintel.indicator.*
+| misp.value | threat.indicator.*
 |==============================================================
 `misp.value` is mapped to the appropriate field dependent on attribute type.
@@ -336,9 +337,9 @@ OTX Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |============================================================
 | Malware Threat Intel Fields | ECS Fields
-| otx.type | threatintel.indicator.type
-| otx.description | threatintel.indicator.description
-| otx.indicator | threatintel.indicator.*
+| otx.type | threat.indicator.type
+| otx.description | threat.indicator.description
+| otx.indicator | threat.indicator.*
 |============================================================
 `otx.indicator` is mapped to the appropriate field dependent on attribute type.
@@ -420,10 +421,10 @@ Anomali Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |=============================================================
 | Malware Threat Intel Fields | ECS Fields
-| anomali.description | threatintel.indicator.description
-| anomali.created | threatintel.indicator.first_seen
-| anomali.modified | threatintel.indicator.last_seen
-| anomali.pattern | threatintel.indicator.*
+| anomali.description | threat.indicator.description
+| anomali.created | threat.indicator.first_seen
+| anomali.modified | threat.indicator.last_seen
+| anomali.pattern | threat.indicator.*
 | anomali.labels | tags
 |=============================================================
@@ -491,24 +492,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 [options="header"]
 |=============================================================
 | ThreatStream fields | ECS Fields
-| asn | threatintel.indicator.as.number
-| classification<> | threatintel.indicator.marking.tlp
-| confidence<> | threatintel.indicator.confidence
-| country | threatintel.indicator.geo.country_iso_code
-| date_first | threatintel.indicator.first_seen
-| date_last | threatintel.indicator.last_seen
+| asn | threat.indicator.as.number
+| classification<> | threat.indicator.marking.tlp
+| confidence<> | threat.indicator.confidence
+| country | threat.indicator.geo.country_iso_code
+| date_first | threat.indicator.first_seen
+| date_last | threat.indicator.last_seen
 | detail | tags
-| domain | threatintel.indicator.url.domain
-| email | threatintel.indicator.email.address
-| itype<> | threatintel.indicator.type
-| lat | threatintel.indicator.geo.location.lat
-| lon | threatintel.indicator.geo.location.lon
-| md5 | threatintel.indicator.file.hash
-| org | threatintel.indicator.as.organization.name
+| domain | threat.indicator.url.domain
+| email | threat.indicator.email.address
+| itype<> | threat.indicator.type
+| lat | threat.indicator.geo.location.lat
+| lon | threat.indicator.geo.location.lon
+| md5 | threat.indicator.file.hash
+| org | threat.indicator.as.organization.name
 | severity<> | event.severity
-| source | threatintel.indicator.provider
-| srcip | threatintel.indicator.ip
-| url | threatintel.indicator.url.original
+| source | threat.indicator.provider
+| srcip | threat.indicator.ip
+| url | threat.indicator.url.original
 |=============================================================
 [[a]]
@@ -590,16 +591,16 @@ Recorded Future fields are mapped to the following ECS fields:
 [options="header"]
 |=============================================================
 | Recorded Future fields | ECS Fields
-| entity.name | threatintel.indicator.{url,ip,domain,file.hash}
-| entity.type | threatintel.indicator.type
-| fileHashes | threatintel.indicator.file.hash
+| entity.name | threat.indicator.{url,ip,domain,file.hash}
+| entity.type | threat.indicator.type
+| fileHashes | threat.indicator.file.hash
 | intelCard | event.reference
-| location.asn | threatintel.indicator.as.number
-| location.location | threatintel.indicator.geo
-| location.organization | threatintel.indicator.as.organization.name
+| location.asn | threat.indicator.as.number
+| location.location | threat.indicator.geo
+| location.organization | threat.indicator.as.organization.name
 | risk.score | event.risk_score
-| timestamps.firstSeen | threatintel.indicator.first_seen
-| timestamps.lastSeen | threatintel.indicator.last_seen
+| timestamps.firstSeen | threat.indicator.first_seen
+| timestamps.lastSeen | threat.indicator.last_seen
 |=============================================================
 :has-dashboards!:
@@ -707,11 +708,11 @@ Recorded Future fields are mapped to the following ECS fields:
 [options="header"]
 |=============================================================
 | ThreatQ fields | ECS Fields
-| type.name | threatintel.indicator.type
-| description | threatintel.indicator.description
-| score | threatintel.indicator.confidence
-| value | threatintel.indicator.{url,ip,domain,file.hash}
-| sources | threatintel.indicator.provider
+| type.name | threat.indicator.type
+| description | threat.indicator.description
+| score | threat.indicator.confidence
+| value | threat.indicator.{url,ip,domain,file.hash}
+| sources | threat.indicator.provider
 |=============================================================
 :has-dashboards!:
diff --git a/filebeat/docs/modules/tomcat.asciidoc b/filebeat/docs/modules/tomcat.asciidoc
index 7f80711b1c4..f3057c08be8 100644
--- a/filebeat/docs/modules/tomcat.asciidoc
+++ b/filebeat/docs/modules/tomcat.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" devic
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.paths`*::
diff --git a/filebeat/docs/modules/zscaler.asciidoc b/filebeat/docs/modules/zscaler.asciidoc
index 3586f16d6d1..0a09654200d 100644
--- a/filebeat/docs/modules/zscaler.asciidoc
+++ b/filebeat/docs/modules/zscaler.asciidoc
@@ -33,7 +33,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
index d970fe2cead..45d679cc194 100644
--- a/filebeat/filebeat.reference.yml
+++ b/filebeat/filebeat.reference.yml
@@ -501,7 +501,8 @@ filebeat.inputs:
   #max_bytes: 10485760
   # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
-  # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator.
+  # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+  # null_terminator
   #line_terminator: auto
   ### Recursive glob configuration
@@ -755,7 +756,8 @@ filebeat.inputs: #message_max_bytes: 10485760 # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, - # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator, + # null_terminator #line_terminator: auto # The ingest pipeline ID associated with this input. If this is set, it @@ -2295,11 +2297,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. filebeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -2484,6 +2481,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/filebeat/processor/add_kubernetes_metadata/matchers.go b/filebeat/processor/add_kubernetes_metadata/matchers.go index 55336c3a315..7e7996fede7 100644 --- a/filebeat/processor/add_kubernetes_metadata/matchers.go +++ b/filebeat/processor/add_kubernetes_metadata/matchers.go 
@@ -78,59 +78,78 @@ func newLogsPathMatcher(cfg common.Config) (add_kubernetes_metadata.Matcher, err // Docker container ID is a 64-character-long hexadecimal string const containerIdLen = 64 -// Pod UID is on the 5th index of the path directories -const podUIDPos = 5 - func (f *LogPathMatcher) MetadataIndex(event common.MapStr) string { value, err := event.GetValue("log.file.path") - if err == nil { - source := value.(string) - f.logger.Debugf("Incoming log.file.path value: %s", source) + if err != nil { + f.logger.Debugf("Error extracting log.file.path from the event: %s.", event) + return "" + } - if !strings.Contains(source, f.LogsPath) { - f.logger.Errorf("Error extracting container id - source value does not contain matcher's logs_path '%s'.", f.LogsPath) - return "" - } + source := value.(string) + f.logger.Debugf("Incoming log.file.path value: %s", source) + + if !strings.Contains(source, f.LogsPath) { + f.logger.Errorf("Error extracting container id - source value does not contain matcher's logs_path '%s'.", f.LogsPath) + return "" + } - sourceLen := len(source) - logsPathLen := len(f.LogsPath) + sourceLen := len(source) + logsPathLen := len(f.LogsPath) - if f.ResourceType == "pod" { - // Specify a pod resource type when manually mounting log volumes and they end up under "/var/lib/kubelet/pods/" - // This will extract only the pod UID, which offers less granularity of metadata when compared to the container ID - if strings.HasPrefix(f.LogsPath, podLogsPath()) && strings.HasSuffix(source, ".log") { + if f.ResourceType == "pod" { + // Pod resource type will extract only the pod UID, which offers less granularity of metadata when compared to the container ID + if strings.HasSuffix(source, ".log") { + // Specify a pod resource type when writting logs into manually mounted log volume, + // those logs apper under under "/var/lib/kubelet/pods//volumes/..." 
+ if strings.HasPrefix(f.LogsPath, podKubeletLogsPath()) { pathDirs := strings.Split(source, pathSeparator) + podUIDPos := 5 if len(pathDirs) > podUIDPos { podUID := strings.Split(source, pathSeparator)[podUIDPos] - f.logger.Debugf("Using pod uid: %s", podUID) return podUID } - - f.logger.Error("Error extracting pod uid - source value contains matcher's logs_path, however it is too short to contain a Pod UID.") - } - } else { - // In case of the Kubernetes log path "/var/log/containers/", - // the container ID will be located right before the ".log" extension. - if strings.HasPrefix(f.LogsPath, containerLogsPath()) && strings.HasSuffix(source, ".log") && sourceLen >= containerIdLen+4 { - containerIDEnd := sourceLen - 4 - cid := source[containerIDEnd-containerIdLen : containerIDEnd] - f.logger.Debugf("Using container id: %s", cid) - return cid } - - // In any other case, we assume the container ID will follow right after the log path. - // However we need to check the length to prevent "slice bound out of range" runtime errors. - if sourceLen >= logsPathLen+containerIdLen { - cid := source[logsPathLen : logsPathLen+containerIdLen] - f.logger.Debugf("Using container id: %s", cid) - return cid + // In case of the Kubernetes log path "/var/log/pods/", + // the pod ID will be extracted from the directory name, + // file name example: "/var/log/pods/'__'/container_name/0.log". 
+ if strings.HasPrefix(f.LogsPath, podLogsPath()) { + pathDirs := strings.Split(source, pathSeparator) + podUIDPos := 4 + if len(pathDirs) > podUIDPos { + podUID := strings.Split(pathDirs[podUIDPos], "_") + if len(podUID) > 2 { + f.logger.Debugf("Using pod uid: %s", podUID[2]) + return podUID[2] + } + } } - f.logger.Error("Error extracting container id - source value contains matcher's logs_path, however it is too short to contain a Docker container ID.") + f.logger.Error("Error extracting pod uid - source value does not contains matcher's logs_path") + return "" } } + // In case of the Kubernetes log path "/var/log/containers/", + // the container ID will be located right before the ".log" extension. + // file name example: /var/log/containers/__-.log + if strings.HasPrefix(f.LogsPath, containerLogsPath()) && strings.HasSuffix(source, ".log") && sourceLen >= containerIdLen+4 { + containerIDEnd := sourceLen - 4 + cid := source[containerIDEnd-containerIdLen : containerIDEnd] + f.logger.Debugf("Using container id: %s", cid) + return cid + } + // In any other case, we assume the container ID will follow right after the log path. + // However we need to check the length to prevent "slice bound out of range" runtime errors. + // for the default log path /var/lib/docker/containers/ container ID will follow right after the log path. + // file name example: /var/lib/docker/containers//-json.log + if sourceLen >= logsPathLen+containerIdLen { + cid := source[logsPathLen : logsPathLen+containerIdLen] + f.logger.Debugf("Using container id: %s", cid) + return cid + } + + f.logger.Error("Error extracting container id - source value contains matcher's logs_path, however it is too short to contain a Docker container ID.") return "" } 
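Review bot: With `f.ResourceType == "pod"` and a source that does not end in `.log`, the rewritten `MetadataIndex` now falls through to the container-ID extraction below the pod block and can return a 64-character slice of the path as if it were a pod UID, whereas the removed version logged an error and returned `""` in that case. Moving the `f.logger.Error(...)` / `return ""` pair out of the `strings.HasSuffix(source, ".log")` block so the `pod` branch always returns restores that; if the fall-through is intended, a comment saying so would help the next reader. The message `"Error extracting pod uid - source value does not contains matcher's logs_path"` is also inaccurate at that point, since `strings.Contains(source, f.LogsPath)` already succeeded above — it should say the path is too short or not in the `namespace_pod-name_uid` form the code expects. Smaller points: the kubelet branch re-splits `source` instead of indexing the `pathDirs` it just built and lost its `Using pod uid` debug log that the `/var/log/pods/` branch still has, and the new comment has typos (`writting`, `apper under under`).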
@@ -141,13 +160,20 @@ func defaultLogPath() string {
 return "/var/lib/docker/containers/"
 }
-func podLogsPath() string {
+func podKubeletLogsPath() string {
 if runtime.GOOS == "windows" {
 return "C:\\var\\lib\\kubelet\\pods\\"
 }
 return "/var/lib/kubelet/pods/"
 }
+func podLogsPath() string {
+ if runtime.GOOS == "windows" {
+ return "C:\\var\\log\\pods\\"
+ }
+ return "/var/log/pods/"
+}
+
 func containerLogsPath() string {
 if runtime.GOOS == "windows" {
 return "C:\\var\\log\\containers\\"
diff --git a/filebeat/processor/add_kubernetes_metadata/matchers_test.go b/filebeat/processor/add_kubernetes_metadata/matchers_test.go
index 5fc76514377..27e376c8816 100644
--- a/filebeat/processor/add_kubernetes_metadata/matchers_test.go
+++ b/filebeat/processor/add_kubernetes_metadata/matchers_test.go
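Review bot: `podKubeletLogsPath` and `podLogsPath` now differ only by one word, and nothing on either says which directory tree it names or why `MetadataIndex` reads the UID from a different path position for each. A one-line doc comment on each would keep them from being swapped, e.g. `// podKubeletLogsPath is the kubelet pod directory (/var/lib/kubelet/pods/UID/volumes/...) used for manually mounted log volumes.` and `// podLogsPath is the kubelet log directory (/var/log/pods/namespace_pod-name_UID/container/N.log).`, matching the comments already written inside `MetadataIndex`.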
@@ -117,6 +117,36 @@ func TestLogsPathMatcher_InvalidSource4(t *testing.T) { executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult) } +func TestLogsPathMatcher_InvalidVarLogPodSource(t *testing.T) { + cfgLogsPath := "/var/log/pods/" + cfgResourceType := "pod" + source := fmt.Sprintf("/invalid/dir/namespace_pod-name_%s/container/0.log", puid) + expectedResult := "" + executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult) +} + +func TestLogsPathMatcher_InvalidVarLogPodIDFormat(t *testing.T) { + cfgLogsPath := "/var/log/pods/" + cfgResourceType := "pod" + source := fmt.Sprintf("/var/log/pods/%s/container/0.log", puid) + expectedResult := "" + executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult) +} + +func TestLogsPathMatcher_ValidVarLogPod(t *testing.T) { + cfgLogsPath := "/var/log/pods/" + cfgResourceType := "pod" + sourcePath := "/var/log/pods/namespace_pod-name_%s/container/0.log" + + if runtime.GOOS == "windows" { + cfgLogsPath = "C:\\var\\log\\pods\\" + sourcePath = "C:\\var\\log\\pods\\namespace_pod-name_%s\\container\\0.log" + } + source := fmt.Sprintf(sourcePath, puid) + expectedResult := puid + executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult) +} + func executeTest(t *testing.T, cfgLogsPath string, source string, expectedResult string) { executeTestWithResourceType(t, cfgLogsPath, "", source, expectedResult) } diff --git a/filebeat/tests/system/filebeat.py b/filebeat/tests/system/filebeat.py index 92df15911bb..9f1f7905d16 100644 --- a/filebeat/tests/system/filebeat.py +++ b/filebeat/tests/system/filebeat.py 
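Review bot: None of the three new tests covers a `pod` resource type whose source does not end in `.log`, which is the case where `MetadataIndex` now continues into the container-ID extraction; a case such as `source := fmt.Sprintf("/var/log/pods/namespace_pod-name_%s/container/0.txt", puid)` with an explicit `expectedResult` would pin whichever behaviour is intended. `TestLogsPathMatcher_InvalidVarLogPodSource` uses a path that does not contain `cfgLogsPath` at all, so it is rejected by the pre-existing `strings.Contains` check rather than by the new `/var/log/pods/` parsing; a source under `/var/log/pods/` with too few directory components would exercise the new `len(pathDirs) > podUIDPos` guard. `puid` is presumably a fixture defined elsewhere in this file.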
@@ -36,7 +36,7 @@ def access_registry(self, name=None, data_path=None): return Registry(data_path, name) def log_access(self, file=None): - file = file if file else self.beat_name + ".log" + file = file if file else self.beat_name + "-" + self.today + ".ndjson" return LogState(os.path.join(self.working_dir, file)) def has_registry(self, name=None, data_path=None): diff --git a/filebeat/tests/system/test_harvester.py b/filebeat/tests/system/test_harvester.py index f56a51d0fe0..ecbb23fab77 100644 --- a/filebeat/tests/system/test_harvester.py +++ b/filebeat/tests/system/test_harvester.py @@ -493,11 +493,11 @@ def test_boms(self, fb_encoding, py_encoding, bom): filebeat = self.start_beat(output=fb_encoding + ".log") self.wait_until( - lambda: self.output_has(lines=1, output_file="output/" + fb_encoding), + lambda: self.output_has(lines=1, output_file="output/" + fb_encoding + "-" + self.today + ".ndjson"), max_timeout=10) # Verify that output does not contain bom - output = self.read_output_json(output_file="output/" + fb_encoding) + output = self.read_output_json(output_file="output/" + fb_encoding + "-" + self.today + ".ndjson") assert output[0]["message"] == message filebeat.kill_and_wait() diff --git a/filebeat/tests/system/test_input.py b/filebeat/tests/system/test_input.py index f9dbd138a2e..a4215587735 100644 --- a/filebeat/tests/system/test_input.py +++ b/filebeat/tests/system/test_input.py @@ -633,10 +633,10 @@ def test_restart_recursive_glob(self): with open(testfile_path, 'a') as testfile: testfile.write("entry2\n") - filebeat = self.start_beat(output="filebeat2.log") + filebeat = self.start_beat() self.wait_until( - lambda: self.output_has_message("entry2"), + lambda: self.output_has_message("entry2", output_file="output/filebeat-"+self.today+"-1.ndjson"), max_timeout=10, name="output contains 'entry2'") 
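Review bot: The expression `"output/filebeat-" + self.today + ".ndjson"` (and its `-1.ndjson` rotated variant) is now hand-built in test_harvester.py, test_input.py, test_load.py, test_multiline.py and test_registrar.py; a helper on the base class next to the `log_access` change in filebeat.py, e.g. `def output_file_name(self, rotation=None):`, would keep the naming scheme in one place. If `self.today` is captured once at test setup (its definition is not on this page), a test that crosses the UTC date boundary will wait for a file the beat never writes, and a single helper is also the one place to handle that. The enclosing class of `log_access` starts outside the hunk.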
@@ -783,7 +783,7 @@ def test_inode_marker_based_identity_tracking_to_path_based(self): proc = self.start_beat() # on startup output is rotated - self.wait_until(lambda: self.output_has(lines=1, output_file="output/filebeat.1")) + self.wait_until(lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + "-1.ndjson")) self.wait_until(lambda: self.output_has(lines=1)) proc.check_kill_and_wait() diff --git a/filebeat/tests/system/test_load.py b/filebeat/tests/system/test_load.py index 6a35a6ce250..b48b83e2659 100644 --- a/filebeat/tests/system/test_load.py +++ b/filebeat/tests/system/test_load.py @@ -72,7 +72,7 @@ def test_no_missing_events(self): entry_list = [] - with open(self.working_dir + "/output/filebeat") as f: + with open(self.working_dir + "/output/filebeat-" + self.today + ".ndjson") as f: for line in f: content = json.loads(line) v = int(content["message"]) diff --git a/filebeat/tests/system/test_multiline.py b/filebeat/tests/system/test_multiline.py index ee5384ef5ef..31d4f0258ca 100644 --- a/filebeat/tests/system/test_multiline.py +++ b/filebeat/tests/system/test_multiline.py @@ -148,11 +148,11 @@ def test_max_lines(self): # Checks line 3 is sent assert True == self.log_contains( - "MetaDataMappingService.java:388", "output/filebeat") + "MetaDataMappingService.java:388", "output/filebeat-" + self.today + ".ndjson") # Checks line 4 is not sent anymore assert False == self.log_contains( - "InternalClusterService.java:388", "output/filebeat") + "InternalClusterService.java:388", "output/filebeat-" + self.today + ".ndjson") # Check that output file has the same number of lines as the log file assert 20 == len(output) 
@@ -231,10 +231,10 @@ def test_max_bytes(self): output = self.read_output() # Check that first 60 chars are sent - assert True == self.log_contains("cluster.metadata", "output/filebeat") + assert True == self.log_contains("cluster.metadata", "output/filebeat-" + self.today + ".ndjson") # Checks that chars afterwards are not sent - assert False == self.log_contains("Zach", "output/filebeat") + assert False == self.log_contains("Zach", "output/filebeat-" + self.today + ".ndjson") # Check that output file has the same number of lines as the log file assert 20 == len(output) diff --git a/filebeat/tests/system/test_registrar.py b/filebeat/tests/system/test_registrar.py index 02d07a32446..bb55ef547b3 100644 --- a/filebeat/tests/system/test_registrar.py +++ b/filebeat/tests/system/test_registrar.py @@ -486,11 +486,11 @@ def test_restart_continue(self): # Output file was rotated self.wait_until( - lambda: self.output_has(lines=1, output_file="output/filebeat.1"), + lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + ".ndjson"), max_timeout=10) self.wait_until( - lambda: self.output_has(lines=1), + lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + "-1.ndjson"), max_timeout=10) filebeat.check_kill_and_wait() @@ -505,7 +505,7 @@ def test_restart_continue(self): # should never have been detected assert len(data) == 1 - output = self.read_output() + output = self.read_output(output_file="output/filebeat-" + self.today + "-1.ndjson") # Check that output file has the same number of lines as the log file assert len(output) == 1 
@@ -592,15 +592,15 @@ def test_rotating_file_with_restart(self): with open(testfile_path, 'w') as testfile: testfile.write("entry3\n") - filebeat = self.start_beat(output="filebeat2.log") + filebeat = self.start_beat() # Output file was rotated self.wait_until( - lambda: self.output_has(lines=2, output_file="output/filebeat.1"), + lambda: self.output_has(lines=2), max_timeout=10) self.wait_until( - lambda: self.output_has(lines=1), + lambda: self.output_has(lines=1, output_file="output/filebeat-" + self.today + "-1.ndjson"), max_timeout=10) filebeat.check_kill_and_wait() @@ -951,8 +951,8 @@ def test_restart_state(self): clean_inactive="3s", ) - filebeat = self.start_beat(output="filebeat2.log") - logs = self.log_access("filebeat2.log") + filebeat = self.start_beat() + logs = self.log_access() # Write additional file for name in restart_files: diff --git a/go.mod b/go.mod index dcb29623f7a..c47fcd15bc8 100644 --- a/go.mod +++ b/go.mod @@ -9,8 +9,8 @@ require ( code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee // indirect code.cloudfoundry.org/go-loggregator v7.4.0+incompatible code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a // indirect - github.com/Azure/azure-event-hubs-go/v3 v3.1.2 - github.com/Azure/azure-sdk-for-go v57.0.0+incompatible + github.com/Azure/azure-event-hubs-go/v3 v3.3.15 + github.com/Azure/azure-sdk-for-go v59.0.0+incompatible github.com/Azure/azure-storage-blob-go v0.8.0 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/Azure/go-autorest/autorest v0.11.19 @@ -74,7 +74,7 @@ require ( github.com/elastic/go-sysinfo v1.7.1 github.com/elastic/go-ucfg v0.8.3 github.com/elastic/go-windows v1.0.1 - github.com/elastic/gosigar v0.14.1 + github.com/elastic/gosigar v0.14.2 github.com/fatih/color v1.9.0 github.com/fearful-symmetry/gorapl v0.0.4 github.com/fsnotify/fsevents v0.1.1 
@@ -195,9 +195,9 @@ require ( require ( code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f // indirect - github.com/Azure/azure-amqp-common-go/v3 v3.0.0 // indirect + github.com/Azure/azure-amqp-common-go/v3 v3.2.1 // indirect github.com/Azure/azure-pipeline-go v0.2.1 // indirect - github.com/Azure/go-amqp v0.12.6 // indirect + github.com/Azure/go-amqp v0.16.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 // indirect github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect diff --git a/go.sum b/go.sum index ff81dbb5d18..3ba3d94b54e 100644 --- a/go.sum +++ b/go.sum 
@@ -55,25 +55,25 @@ code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a h1:8rqv2w8xEceN code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a/go.mod h1:tkZo8GtzBjySJ7USvxm4E36lNQw1D3xM6oKHGqdaAJ4= collectd.org v0.3.0/go.mod h1:A/8DzQBkF6abtvrT2j/AU/4tiBgJWYyh0y/oB/4MlWE= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/azure-amqp-common-go/v3 v3.0.0 h1:j9tjcwhypb/jek3raNrwlCIl7iKQYOug7CLpSyBBodc= -github.com/Azure/azure-amqp-common-go/v3 v3.0.0/go.mod h1:SY08giD/XbhTz07tJdpw1SoxQXHPN30+DI3Z04SYqyg= -github.com/Azure/azure-event-hubs-go/v3 v3.1.2 h1:S/NjCZ1Z2R4rHJd2Hbbad6rIhxJ4lZZebKTsKHweX4A= -github.com/Azure/azure-event-hubs-go/v3 v3.1.2/go.mod h1:hR40byNJjKkS74+3RhloPQ8sJ8zFQeJ920Uk3oYY0+k= +github.com/Azure/azure-amqp-common-go/v3 v3.2.1 h1:uQyDk81yn5hTP1pW4Za+zHzy97/f4vDz9o1d/exI4j4= +github.com/Azure/azure-amqp-common-go/v3 v3.2.1/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI= +github.com/Azure/azure-event-hubs-go/v3 v3.3.15 h1:2yAik9gS5Qjs4Z6EM1B6d0tfZJ506B/0oA08JlRQxb8= +github.com/Azure/azure-event-hubs-go/v3 v3.3.15/go.mod h1:xgDvUi1+8/bb11WTEaU7VwZREYufzKzjWE4YiPZixb0= github.com/Azure/azure-pipeline-go v0.1.8/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg= github.com/Azure/azure-pipeline-go v0.1.9/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg= github.com/Azure/azure-pipeline-go v0.2.1 h1:OLBdZJ3yvOn2MezlWvbrBMTEUQC72zAftRZOMdj5HYo= github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v41.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod 
h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v55.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v57.0.0+incompatible h1:isVki3PbIFrwKvKdVP1byxo73/pt+Nn174YxW1k4PNw= -github.com/Azure/azure-sdk-for-go v57.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v59.0.0+incompatible h1:I1ULJqny1qQhUBFy11yDXHhW3pLvbhwV0PTn7mjp9V0= +github.com/Azure/azure-sdk-for-go v59.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y= github.com/Azure/azure-storage-blob-go v0.8.0 h1:53qhf0Oxa0nOjgbDeeYPUeyiNmafAFEY95rZLK0Tj6o= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= -github.com/Azure/go-amqp v0.12.6 h1:34yItuwhA/nusvq2sPSNPQxZLCf/CtaogYH8n578mnY= -github.com/Azure/go-amqp v0.12.6/go.mod h1:qApuH6OFTSKZFmCOxccvAv5rLizBQf4v8pRmG138DPo= +github.com/Azure/go-amqp v0.16.0 h1:6mhxUxaKLjMtHlGqzeih/LKqjUPLZxbM6zwfz5/C4NQ= +github.com/Azure/go-amqp v0.16.0/go.mod h1:9YJ3RhxRT1gquYnzpZO1vcYMMpAdJT+QEg6fwmw9Zlg= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= 
@@ -85,6 +85,7 @@ github.com/Azure/go-autorest/autorest v0.10.0/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUd github.com/Azure/go-autorest/autorest v0.10.1/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= +github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest v0.11.19 h1:7/IqD2fEYVha1EPeaiytVKhzmPV223pfkRIQUGOK2IE= github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= @@ -534,8 +535,8 @@ github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+F github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU= github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0= github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss= -github.com/elastic/gosigar v0.14.1 h1:T0aQ7n/n2ZA9W7DmAnj60v+qzqKERdBgJBO1CG2W6rc= -github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= +github.com/elastic/gosigar v0.14.2 h1:Dg80n8cr90OZ7x+bAax/QjoW/XqTI11RmA79ZwIm9/4= +github.com/elastic/gosigar v0.14.2/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752 h1:5/RUNg7rkIvayjPhAIoI3v8p45NfWcfWs5DZSElycis= github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752/go.mod h1:mdtqvCSg8JOxk8PmpTNGyo6wzd4BMm4QXSfDnTXmgkE= github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= 
diff --git a/heartbeat/docs/monitors/monitor-browser.asciidoc b/heartbeat/docs/monitors/monitor-browser.asciidoc index 3bd4e183f97..49f31668d47 100644 --- a/heartbeat/docs/monitors/monitor-browser.asciidoc +++ b/heartbeat/docs/monitors/monitor-browser.asciidoc @@ -4,7 +4,7 @@ TIP: Want to get started with synthetic monitoring? See the {observability-guide}/synthetics-quickstart.html[quick start guide]. -The options described here configure {beatname_uc} to run the synthetic +beta[] The options described here configure {beatname_uc} to run the synthetic monitoring test suites via Synthetic Agent on the Chromium browser. Additional shared options are defined in <>. Example configuration: diff --git a/heartbeat/hbtest/hbtestutil.go b/heartbeat/hbtest/hbtestutil.go index 80753294d8e..7b73f79514f 100644 --- a/heartbeat/hbtest/hbtestutil.go +++ b/heartbeat/hbtest/hbtestutil.go @@ -83,9 +83,12 @@ func SizedResponseHandler(bytes int) http.HandlerFunc { ) } -func CustomResponseHandler(body []byte, status int) http.HandlerFunc { +func CustomResponseHandler(body []byte, status int, extraHeaders map[string]string) http.HandlerFunc { return http.HandlerFunc( func(w http.ResponseWriter, r *http.Request) { + for key, val := range extraHeaders { + w.Header().Add(key, val) + } w.WriteHeader(status) w.Write(body) }, diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index dc6622a50b3..8f0f019626b 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml 
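Review bot: `CustomResponseHandler` is exported and its signature changed, but it carries no doc comment saying that `extraHeaders` may be `nil` (ranging over a nil map is a no-op, which the `nil` caller in http_test.go relies on) or that headers are applied with `Add`, so a key the server already set is appended to rather than replaced. A comment such as `// CustomResponseHandler serves body with the given status; extraHeaders (may be nil) are added to the response before the status is written.` would capture both. The unchecked `w.Write(body)` predates this change.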
@@ -1529,11 +1529,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. heartbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Heartbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -1718,6 +1713,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index c715fc6bf50..8d25d876358 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go @@ -18,6 +18,8 @@ package http import ( + "bytes" + "compress/gzip" "crypto/tls" "crypto/x509" "fmt" @@ -412,7 +414,7 @@ func TestJsonBody(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - server := httptest.NewServer(hbtest.CustomResponseHandler([]byte(tc.responseBody), 200)) + server := httptest.NewServer(hbtest.CustomResponseHandler([]byte(tc.responseBody), 200, nil)) defer server.Close() jsonCheck := common.MapStr{"description": tc.name} 
@@ -808,6 +810,87 @@ func mustParseURL(t *testing.T, url string) *url.URL { return parsed } +// helper that compresses some content as gzip +func gzipBuffer(t *testing.T, toZip string) *bytes.Buffer { + var gzipBuffer bytes.Buffer + gzipWriter := gzip.NewWriter(&gzipBuffer) + defer gzipWriter.Close() + _, err := gzipWriter.Write([]byte(toZip)) + if err != nil { + t.Fatal(err) + } + return &gzipBuffer +} + +/* + * This test ensures Heartbeat will decode the response body if the server specifies + * that it is gzip encoded. This is a test of the happy path where client/server behave as expected. */ +func TestDecodesGzip(t *testing.T) { + gzBuffer := gzipBuffer(t, "TestEncodingAccept") + + server := httptest.NewServer(hbtest.CustomResponseHandler(gzBuffer.Bytes(), 200, map[string]string{ + "Content-Encoding": "gzip", + })) + defer server.Close() + + evt := sendTLSRequest(t, server.URL, false, map[string]interface{}{ + "response.include_body": "always", + "check.request.headers": map[string]interface{}{"Accept-Encoding": "gzip"}, + }) + + content, err := evt.Fields.GetValue("http.response.body.content") + + assert.NoError(t, err) + assert.Exactly(t, content, "TestEncodingAccept") +} + +/* + * This test verifies that, in the absence of the response header `Content-Encoding: gzip`, Heartbeat + * will not decode the response body. 
*/ +func TestNoGzipDecodeWithoutHeader(t *testing.T) { + gzBuffer := gzipBuffer(t, "TestEncodingAccept") + + // here Heartbeat asks the server for a `gzip` body, but the server omits the appropriate response header + server := httptest.NewServer(hbtest.CustomResponseHandler(gzBuffer.Bytes(), 200, map[string]string{})) + defer server.Close() + + evt := sendTLSRequest(t, server.URL, false, map[string]interface{}{ + "response.include_body": "always", + "check.request.headers": map[string]interface{}{"Accept-Encoding": "gzip"}, + }) + + content, err := evt.Fields.GetValue("http.response.body.content") + + assert.NoError(t, err) + + // doesn't decode gzip text without content header + assert.Exactly(t, content, "\x1f\x8b\b\x00\x00\x00\x00\x00\x00\xff\nI-.q\xcdK\xceO\xc9\xccKwLNN-(\x01\x04\x00\x00\xff\xffW\xbeE\x0e\x12\x00\x00\x00") +} + +/* When Heartbeat doesn't request `gzip`, and the server responds with a `gzip` body/header anyway, + * Heartbeat will still decode it gracefully. This is a case where the server behaved inappropriately, + * but as long as the header is included Heartbeat tries to do the right thing. */ +func TestGzipDecodeWithoutRequestHeader(t *testing.T) { + gzBuffer := gzipBuffer(t, "TestEncodingAccept") + + server := httptest.NewServer(hbtest.CustomResponseHandler(gzBuffer.Bytes(), 200, map[string]string{ + "Content-Encoding": "gzip", + })) + defer server.Close() + + evt := sendTLSRequest(t, server.URL, false, map[string]interface{}{ + // no header here from Heartbeat asking the server for `gzip` + "response.include_body": "always", + }) + + content, err := evt.Fields.GetValue("http.response.body.content") + + assert.NoError(t, err) + + // Heartbeat decoded the `gzip` even without requesting it + assert.Exactly(t, content, "TestEncodingAccept") +} + func TestUserAgentInject(t *testing.T) { ua := "" ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 
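Review bot: `gzipBuffer` relies on the deferred `gzipWriter.Close()` running after `return &gzipBuffer` to flush the gzip trailer into the buffer the caller reads through the returned pointer, and it discards Close's error; closing explicitly before the return with `if err := gzipWriter.Close(); err != nil { t.Fatal(err) }` makes the flush visible and checked. The local `var gzipBuffer bytes.Buffer` also shadows the function's own name. `TestNoGzipDecodeWithoutHeader` then compares against a hard-coded compressed byte string that is tied to the exact output of `compress/gzip` in the current toolchain; comparing with `string(gzBuffer.Bytes())` from the same helper keeps the test stable across Go releases.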
diff --git a/heartbeat/monitors/active/http/simple_transp.go b/heartbeat/monitors/active/http/simple_transp.go
index a16ccb350ce..45aafcb0f31 100644
--- a/heartbeat/monitors/active/http/simple_transp.go
+++ b/heartbeat/monitors/active/http/simple_transp.go
@@ -39,8 +39,7 @@ const (
 // SimpleTransport contains the dialer and read/write callbacks
 type SimpleTransport struct {
- Dialer transport.Dialer
- DisableCompression bool
+ Dialer transport.Dialer
 OnStartWrite func()
 OnEndWrite func()
@@ -86,17 +85,6 @@ func (t *SimpleTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 return nil, err
 }
- requestedGzip := false
- if t.DisableCompression &&
- req.Header.Get("Accept-Encoding") == "" &&
- req.Header.Get("Range") == "" &&
- req.Method != "HEAD" {
- requestedGzip = true
- req.Header.Add("Accept-Encoding", gzipEncoding)
- defer req.Header.Del("Accept-Encoding")
- }
-
 done := req.Context().Done()
 readerDone := make(chan readReturn, 1)
 writerDone := make(chan error, 1)
@@ -108,7 +96,7 @@ func (t *SimpleTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 // read response
 go func() {
- resp, err := t.readResponse(conn, req, requestedGzip)
+ resp, err := t.readResponse(conn, req)
 readerDone <- readReturn{resp, err}
 }()
@@ -180,7 +168,6 @@ func (c comboConnReadCloser) Close() error {
 func (t *SimpleTransport) readResponse(
 conn net.Conn,
 req *http.Request,
- requestedGzip bool,
 ) (*http.Response, error) {
 reader := bufio.NewReader(conn)
 resp, err := http.ReadResponse(reader, req)
@@ -191,11 +178,7 @@ func (t *SimpleTransport) readResponse(
 t.sigStartRead()
- if requestedGzip && resp.Header.Get("Content-Encoding") == gzipEncoding {
- resp.Header.Del("Content-Encoding")
- resp.Header.Del("Content-Length")
- resp.ContentLength = -1
-
+ if resp.Header.Get("Content-Encoding") == gzipEncoding {
 unzipper, err := gzip.NewReader(resp.Body)
 if err != nil {
 resp.Body.Close()
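Review bot: After this change `readResponse` wraps `resp.Body` in a gzip reader whenever the server sends `Content-Encoding: gzip`, but the lines that deleted `Content-Encoding` and `Content-Length` and set `resp.ContentLength = -1` were removed together with the `requestedGzip` branch, so the response now carries headers describing the compressed body while `Body` yields decompressed bytes; keeping those three lines (and, as `net/http.Transport` does, setting `resp.Uncompressed = true`) keeps header and body consistent for anything downstream that reads them. Decompression is now driven solely by the server's header rather than by what Heartbeat asked for, so the monitored endpoint decides whether the client inflates the body; if the body is not already size-bounded elsewhere, an `io.LimitReader` around the `gzip.Reader` is the usual guard against a response that expands far beyond its transfer size. The last `readResponse` hunk appears cut short at the end of this line, so its trailing context is not visible here.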
diff --git a/heartbeat/security/security.go b/heartbeat/security/security.go
index 00b70c698b6..7d151121354 100644
--- a/heartbeat/security/security.go
+++ b/heartbeat/security/security.go
@@ -147,7 +147,9 @@ func setSeccompRules() error {
 "close",
 "connect",
 "creat",
+ "dup",
 "dup2",
+ "dup3",
 "epoll_ctl",
 "epoll_pwait",
 "eventfd2",
diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml
index 26c27de77e7..19692cfec94 100644
--- a/journalbeat/journalbeat.reference.yml
+++ b/journalbeat/journalbeat.reference.yml
@@ -1326,11 +1326,6 @@ logging.files:
 # file. Defaults to true.
 # rotateonstartup: true
- # Rotated files are either suffixed with a number e.g. journalbeat.1 when
- # renamed during rotation. Or when set to date, the date is added to
- # the end of the file. On rotation a new file is created, older files are untouched.
- #suffix: count
-
 # ============================= X-Pack Monitoring ==============================
 # Journalbeat can export internal metrics to a central Elasticsearch monitoring
 # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
@@ -1515,6 +1510,10 @@ logging.files:
 # `http.user`.
 #http.named_pipe.security_descriptor:
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
 # ============================== Process Security ==============================
 # Enable or disable seccomp system call filtering on Linux. Default is enabled.
diff --git a/libbeat/_meta/config/http.reference.yml.tmpl b/libbeat/_meta/config/http.reference.yml.tmpl
index 19a9f5fcd50..ccf85bb6189 100644
--- a/libbeat/_meta/config/http.reference.yml.tmpl
+++ b/libbeat/_meta/config/http.reference.yml.tmpl
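Review bot: `dup` and `dup3` join the seccomp allowlist in `setSeccompRules` without any note of what needs them, so a later reader cannot tell whether the addition tracks a Go runtime change, a new dependency, or the browser monitor path, and the list becomes harder to audit. A short trailing comment on the new lines, e.g. `"dup3", // required by COMPONENT-PLACEHOLDER, see PR-NUMBER-PLACEHOLDER`, would record the justification where the next reviewer will look. The enclosing `setSeccompRules` body starts and ends outside the hunk.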
@@ -22,3 +22,7 @@ # Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with # `http.user`. #http.named_pipe.security_descriptor: + +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false diff --git a/libbeat/_meta/config/logging.reference.yml.tmpl b/libbeat/_meta/config/logging.reference.yml.tmpl index 9a1e91a0af8..f4ca435be01 100644 --- a/libbeat/_meta/config/logging.reference.yml.tmpl +++ b/libbeat/_meta/config/logging.reference.yml.tmpl @@ -67,8 +67,3 @@ logging.files: # Rotate existing logs on startup rather than appending to the existing # file. Defaults to true. # rotateonstartup: true - - # Rotated files are either suffixed with a number e.g. {{.BeatName}}.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count diff --git a/libbeat/api/routes.go b/libbeat/api/routes.go index bc72347cf28..14b213b1928 100644 --- a/libbeat/api/routes.go +++ b/libbeat/api/routes.go @@ -20,6 +20,7 @@ package api import ( "fmt" "net/http" + _ "net/http/pprof" "net/url" "github.com/elastic/beats/v7/libbeat/common" @@ -47,6 +48,14 @@ func NewWithDefaultRoutes(log *logp.Logger, config *common.Config, ns lookupFunc return New(log, mux, config) } +func (s *Server) AttachPprof() { + s.log.Info("Attaching pprof endpoints") + s.mux.HandleFunc("/debug/pprof/", func(w http.ResponseWriter, r *http.Request) { + http.DefaultServeMux.ServeHTTP(w, r) + }) + +} + func makeRootAPIHandler(handler handlerFunc) handlerFunc { return func(w http.ResponseWriter, r *http.Request) { if r.URL.Path != "/" { diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go index 9b4d05494f5..3e1da0f62fb 100644 --- a/libbeat/cmd/instance/beat.go +++ b/libbeat/cmd/instance/beat.go 
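Review bot: The new `http.pprof.enabled` comment says the endpoints may leak data but does not say what they expose or which setting keeps them on localhost, so an operator has no basis for the "only on localhost" advice. Since the endpoints are served from the same HTTP listener as the rest of the API (see `AttachPprof` wiring them onto `s.mux`), the note should also say that the listener's bind address and `http.user` / named-pipe protections apply to them. Suggested wording: `# Defines if the HTTP pprof endpoints are enabled. They expose heap, goroutine and CPU profiles of the process, so only enable them on a loopback bind address, behind the same authentication as the rest of the HTTP endpoint, and keep them off in production.`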
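Review bot: The blank import `_ "net/http/pprof"` registers the profiling handlers on `http.DefaultServeMux` at package init regardless of `http.pprof.enabled`; `AttachPprof` only forwards `/debug/pprof/` from the beat's own mux to that global mux. Any other code in the process that serves `http.DefaultServeMux` (for example `http.ListenAndServe(addr, nil)`) would therefore expose profiles even with the option off, and that cannot be seen from this file. Importing the package by name and registering the handlers explicitly on `s.mux` keeps the exposure tied to the option and leaves the global mux untouched; the import line would become `"net/http/pprof"` without the blank identifier.
```go
func (s *Server) AttachPprof() {
	s.log.Info("Attaching pprof endpoints")
	// Register explicitly on the beat's mux rather than proxying to
	// http.DefaultServeMux, so pprof is only reachable when enabled here.
	s.mux.HandleFunc("/debug/pprof/", pprof.Index)
	s.mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	s.mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	s.mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	s.mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
}
```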
@@ -105,6 +105,7 @@ type beatConfig struct { // beat internal components configurations HTTP *common.Config `config:"http"` + HTTPPprof *common.Config `config:"http.pprof"` Path paths.Path `config:"path"` Logging *common.Config `config:"logging"` MetricLogging *common.Config `config:"logging.metrics"` @@ -162,19 +163,14 @@ func Run(settings Settings, bt beat.Creator) error { return errw.Wrap(err, "could not set umask") } - name := settings.Name - idxPrefix := settings.IndexPrefix - agentVersion := settings.Version - elasticLicensed := settings.ElasticLicensed - return handleError(func() error { defer func() { if r := recover(); r != nil { - logp.NewLogger(name).Fatalw("Failed due to panic.", + logp.NewLogger(settings.Name).Fatalw("Failed due to panic.", "panic", r, zap.Stack("stack")) } }() - b, err := NewBeat(name, idxPrefix, agentVersion, elasticLicensed) + b, err := NewInitializedBeat(settings) if err != nil { return err } @@ -409,10 +405,6 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error { defer logp.Sync() defer logp.Info("%s stopped.", b.Info.Beat) - err := b.InitWithSettings(settings) - if err != nil { - return err - } defer func() { if err := b.processing.Close(); err != nil { logp.Warn("Failed to close global processing: %v", err) @@ -428,7 +420,7 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error { // Try to acquire exclusive lock on data path to prevent another beat instance // sharing same data path. bl := newLocker(b) - err = bl.lock() + err := bl.lock() if err != nil { return err } @@ -455,6 +447,9 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error { } s.Start() defer s.Stop() + if b.Config.HTTPPprof.Enabled() { + s.AttachPprof() + } } if err = seccomp.LoadFilter(b.Config.Seccomp); err != nil { diff --git a/libbeat/cmd/instance/beat_integration_test.go b/libbeat/cmd/instance/beat_integration_test.go new file mode 100644 index 00000000000..7e7db83daa4 --- /dev/null 
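Review bot: `HTTPPprof` is a `*common.Config` with no default, so when `http.pprof` is absent from the configuration the field stays nil and the new `if b.Config.HTTPPprof.Enabled()` in launch invokes a method on a nil pointer; whether `Enabled` tolerates a nil receiver is not visible here. A guard makes the intent explicit either way: `if b.Config.HTTPPprof != nil && b.Config.HTTPPprof.Enabled() {`. It is also worth an `Info`/`Warn` at this call site that pprof is being exposed, since this is where the operator-facing startup log lives. launch continues past the end of the hunk.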
+++ b/libbeat/cmd/instance/beat_integration_test.go 
@@ -0,0 +1,130 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package instance_test + +import ( + "encoding/json" + "flag" + "net/http" + "sync" + "testing" + "time" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/cmd/instance" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/mock" +) + +type mockbeat struct { + done chan struct{} + initDone chan struct{} +} + +func (mb mockbeat) Run(b *beat.Beat) error { + client, err := b.Publisher.Connect() + if err != nil { + return err + } + + ticker := time.NewTicker(1 * time.Second) + go func() { + // unblocks mb.waitUntilRunning + close(mb.initDone) + for { + select { + case <-ticker.C: + client.Publish(beat.Event{ + Timestamp: time.Now(), + Fields: common.MapStr{ + "type": "mock", + "message": "Mockbeat is alive!", + }, + }) + case <-mb.done: + ticker.Stop() + return + } + } + }() + + <-mb.done + return nil +} + +func (mb mockbeat) waitUntilRunning() { + <-mb.initDone +} + +func (mb mockbeat) Stop() { + close(mb.done) +} + +func TestMonitoringNameFromConfig(t *testing.T) { + mockBeat := mockbeat{ + done: make(chan struct{}), + initDone: make(chan struct{}), + } + var wg sync.WaitGroup + wg.Add(1) + + 
// Make sure the beat has stopped before finishing the test + t.Cleanup(wg.Wait) + + go func() { + defer wg.Done() + + // Set the configuration file path flag so the beat can read it + flag.Set("c", "testdata/mockbeat.yml") + instance.Run(mock.Settings, func(_ *beat.Beat, _ *common.Config) (beat.Beater, error) { + return &mockBeat, nil + }) + }() + + t.Cleanup(func() { + mockBeat.Stop() + }) + + // Make sure the beat is running + mockBeat.waitUntilRunning() + + // As the HTTP server runs in a different goroutine from the + // beat main loop, give the scheduler another chance to schedule + // the HTTP server goroutine + time.Sleep(10 * time.Millisecond) + + resp, err := http.Get("http://localhost:5066/state") + if err != nil { + t.Fatal("calling state endpoint: ", err.Error()) + } + defer resp.Body.Close() + + beatName := struct { + Beat struct { + Name string + } + }{} + + if err := json.NewDecoder(resp.Body).Decode(&beatName); err != nil { + t.Fatalf("could not decode response body: %s", err.Error()) + } + + if got, want := beatName.Beat.Name, "TestMonitoringNameFromConfig"; got != want { + t.Fatalf("expecting '%s', got '%s'", want, got) + } +} diff --git a/libbeat/cmd/instance/testdata/mockbeat.yml b/libbeat/cmd/instance/testdata/mockbeat.yml new file mode 100644 index 00000000000..a5016eb7f91 --- /dev/null +++ b/libbeat/cmd/instance/testdata/mockbeat.yml 
@@ -0,0 +1,24 @@ +############################# Mockbeat ###################################### +mockbeat: +############################# General ############################################ + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +# If this options is not defined, the hostname is used. + +name: TestMonitoringNameFromConfig + +# The tags of the shipper are included in their own field with each +# transaction published. Tags make it easy to group servers by different +# logical properties. +# tags: [] + +############################# Output ############################################ + +# Configure what outputs to use when sending the data collected by mockbeat. +# Multiple outputs may NOT be enabled. +output.elasticsearch: + hosts: ["localhost:9200"] +http: + enabled: true + port: 5066 diff --git a/libbeat/common/file/interval_rotator.go b/libbeat/common/file/interval_rotator.go deleted file mode 100644 index e5105beb0a7..00000000000 --- a/libbeat/common/file/interval_rotator.go +++ /dev/null 
@@ -1,192 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package file - -import ( - "fmt" - "os" - "path/filepath" - "sort" - "strconv" - "time" - - "github.com/pkg/errors" -) - -type intervalRotator struct { - log Logger - interval time.Duration - lastRotate time.Time - filename string - fileFormat string - clock clock - weekly bool - arbitrary bool -} - -func newIntervalRotator(log Logger, interval time.Duration, filename string) rotater { - ir := &intervalRotator{ - filename: filename, - log: log, - interval: (interval / time.Second) * time.Second, // drop fractional seconds - clock: realClock{}, - } - ir.initialize() - return ir -} - -func (r *intervalRotator) initialize() { - switch r.interval { - case time.Second: - r.fileFormat = "2006-01-02-15-04-05" - case time.Minute: - r.fileFormat = "2006-01-02-15-04" - case time.Hour: - r.fileFormat = "2006-01-02-15" - case 24 * time.Hour: // calendar day - r.fileFormat = "2006-01-02" - case 7 * 24 * time.Hour: // calendar week - r.fileFormat = "" - r.weekly = true - case 30 * 24 * time.Hour: // calendar month - r.fileFormat = "2006-01" - case 365 * 24 * time.Hour: // calendar year - r.fileFormat = "2006" - default: - r.arbitrary = true - r.fileFormat = 
"2006-01-02-15-04-05" - } - - fi, err := os.Stat(r.filename) - if err != nil { - if r.log != nil { - r.log.Debugw("Not attempting to find last rotated time, configured logs dir cannot be opened: %v", err) - } - return - } - r.lastRotate = fi.ModTime() -} - -func (r *intervalRotator) ActiveFile() string { - return r.filename -} - -func (r *intervalRotator) LogPrefix(filename string, modTime time.Time) string { - var t time.Time - if r.lastRotate.IsZero() { - t = modTime - } else { - t = r.lastRotate - } - - if r.weekly { - y, w := t.ISOWeek() - return fmt.Sprintf("%s-%04d-%02d-", filename, y, w) - } - if r.arbitrary { - intervalNumber := t.Unix() / (int64(r.interval) / int64(time.Second)) - intervalStart := time.Unix(0, intervalNumber*int64(r.interval)) - return fmt.Sprintf("%s-%s-", filename, intervalStart.Format(r.fileFormat)) - } - return fmt.Sprintf("%s-%s-", filename, t.Format(r.fileFormat)) -} - -func (r *intervalRotator) RotatedFiles() []string { - files, err := filepath.Glob(r.filename + "*") - if err != nil { - if r.log != nil { - r.log.Debugw("failed to list existing logs: %+v", err) - } - } - r.SortIntervalLogs(files) - return files -} - -func (r *intervalRotator) Rotate(reason rotateReason, t time.Time) error { - fi, err := os.Stat(r.ActiveFile()) - if os.IsNotExist(err) { - return nil - } else if err != nil { - return errors.Wrap(err, "failed to rotate backups") - } - - logPrefix := r.LogPrefix(r.ActiveFile(), fi.ModTime()) - files, err := filepath.Glob(logPrefix + "*") - if err != nil { - return errors.Wrap(err, "failed to list logs during rotation") - } - - var targetFilename string - if len(files) == 0 { - targetFilename = logPrefix + "1" - } else { - r.SortIntervalLogs(files) - lastLogIndex, _, err := IntervalLogIndex(files[len(files)-1]) - if err != nil { - return errors.Wrap(err, "failed to locate last log index during rotation") - } - targetFilename = logPrefix + strconv.Itoa(int(lastLogIndex)+1) - } - - if err := os.Rename(r.ActiveFile(), 
targetFilename); err != nil { - return errors.Wrap(err, "failed to rotate backups") - } - - if r.log != nil { - r.log.Debugw("Rotating file", "filename", r.ActiveFile(), "reason", reason) - } - - r.lastRotate = t - return nil -} - -func (r *intervalRotator) SortIntervalLogs(strings []string) { - sort.Slice( - strings, - func(i, j int) bool { - return OrderIntervalLogs(strings[i]) < OrderIntervalLogs(strings[j]) - }, - ) -} - -// OrderIntervalLogs, when given a log filename in the form [prefix]-[formattedDate]-n -// returns the filename after zero-padding the trailing n so that foo-[date]-2 sorts -// before foo-[date]-10. -func OrderIntervalLogs(filename string) string { - index, i, err := IntervalLogIndex(filename) - if err == nil { - return filename[:i] + fmt.Sprintf("%020d", index) - } - - return "" -} - -// IntervalLogIndex returns n as int given a log filename in the form [prefix]-[formattedDate]-n -func IntervalLogIndex(filename string) (uint64, int, error) { - i := len(filename) - 1 - for ; i >= 0; i-- { - if '0' > filename[i] || filename[i] > '9' { - break - } - } - i++ - - s64 := filename[i:] - u64, err := strconv.ParseUint(s64, 10, 64) - return u64, i, err -} diff --git a/libbeat/common/file/interval_rotator_test.go b/libbeat/common/file/interval_rotator_test.go deleted file mode 100644 index 729d8c713b7..00000000000 --- a/libbeat/common/file/interval_rotator_test.go +++ /dev/null 
@@ -1,154 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package file - -import ( - "testing" - "time" - - "github.com/stretchr/testify/assert" -) - -func TestSecondRotator(t *testing.T) { - a := newMockIntervalRotator(time.Second) - - clock := &testClock{time.Date(2018, 12, 31, 0, 0, 1, 100, time.Local)} - a.clock = clock - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2018-12-31-00-00-01-", a.LogPrefix("foo", time.Now())) -} - -func TestMinuteRotator(t *testing.T) { - a := newMockIntervalRotator(time.Minute) - - clock := &testClock{time.Date(2018, 12, 31, 0, 1, 1, 0, time.Local)} - a.clock = clock - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2018-12-31-00-01-", a.LogPrefix("foo", time.Now())) -} - -func TestHourlyRotator(t *testing.T) { - a := newMockIntervalRotator(time.Hour) - - clock := &testClock{time.Date(2018, 12, 31, 1, 0, 1, 0, time.Local)} - a.clock = clock - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2018-12-31-01-", a.LogPrefix("foo", time.Now())) -} - -func TestDailyRotator(t *testing.T) { - a := newMockIntervalRotator(24 * time.Hour) - - clock := &testClock{time.Date(2018, 12, 31, 0, 0, 0, 0, time.Local)} - a.clock = clock - a.lastRotate = a.clock.Now() - assert.Equal(t, 
"foo-2018-12-31-", a.LogPrefix("foo", time.Now())) -} - -func TestWeeklyRotator(t *testing.T) { - a := newMockIntervalRotator(7 * 24 * time.Hour) - - // Monday, 2018-Dec-31 - clock := &testClock{time.Date(2018, 12, 31, 0, 0, 0, 0, time.Local)} - a.clock = clock - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2019-01-", a.LogPrefix("foo", time.Now())) - - // Monday, 2019-Jan-7 - clock.time = clock.time.Add(7 * 24 * time.Hour) - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2019-02-", a.LogPrefix("foo", time.Now())) -} - -func TestMonthlyRotator(t *testing.T) { - a := newMockIntervalRotator(30 * 24 * time.Hour) - - clock := &testClock{time.Date(2018, 12, 1, 0, 0, 0, 0, time.Local)} - a.clock = clock - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2018-12-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(30 * 24 * time.Hour) - assert.Equal(t, "foo-2018-12-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(24 * time.Hour) - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2019-01-", a.LogPrefix("foo", time.Now())) -} - -func TestYearlyRotator(t *testing.T) { - a := newMockIntervalRotator(365 * 24 * time.Hour) - - clock := &testClock{time.Date(2018, 12, 31, 0, 0, 0, 0, time.Local)} - a.clock = clock - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2018-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(23 * time.Hour) - assert.Equal(t, "foo-2018-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(time.Hour) - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2019-", a.LogPrefix("foo", time.Now())) -} - -func TestArbitraryIntervalRotator(t *testing.T) { - a := newMockIntervalRotator(3 * time.Second) - - // Monday, 2018-Dec-31 - clock := &testClock{time.Date(2018, 12, 31, 0, 0, 1, 0, time.Local)} - a.clock = clock - assert.Equal(t, "foo-2018-12-30-00-00-00-", a.LogPrefix("foo", time.Date(2018, 12, 30, 0, 0, 0, 0, time.Local))) - a.lastRotate = a.clock.Now() - assert.Equal(t, 
"foo-2018-12-31-00-00-00-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(time.Second) - assert.Equal(t, "foo-2018-12-31-00-00-00-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(time.Second) - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2018-12-31-00-00-03-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(time.Second) - assert.Equal(t, "foo-2018-12-31-00-00-03-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(time.Second) - assert.Equal(t, "foo-2018-12-31-00-00-03-", a.LogPrefix("foo", time.Now())) - - clock.time = clock.time.Add(time.Second) - a.lastRotate = a.clock.Now() - assert.Equal(t, "foo-2018-12-31-00-00-06-", a.LogPrefix("foo", time.Now())) -} - -func TestIntervalIsTruncatedToSeconds(t *testing.T) { - a := newMockIntervalRotator(2345 * time.Millisecond) - assert.Equal(t, 2*time.Second, a.interval) -} - -type testClock struct { - time time.Time -} - -func (t testClock) Now() time.Time { - return t.time -} - -func newMockIntervalRotator(interval time.Duration) *intervalRotator { - r := newIntervalRotator(nil, interval, "foo").(*intervalRotator) - return r -} diff --git a/libbeat/common/file/rotator.go b/libbeat/common/file/rotator.go index 633f94232ef..e32e317dbfb 100644 --- a/libbeat/common/file/rotator.go +++ b/libbeat/common/file/rotator.go @@ -29,22 +29,13 @@ import ( "github.com/pkg/errors" ) -type SuffixType uint32 - const ( // MaxBackupsLimit is the upper bound on the number of backup files. Any values // greater will result in an error. MaxBackupsLimit = 1024 - - SuffixCount SuffixType = iota + 1 - SuffixDate + DateFormat = "20060102" ) -var suffixes = map[string]SuffixType{ - "count": SuffixCount, - "date": SuffixDate, -} - // rotater is the interface responsible for rotating and finding files. type rotater interface { // ActiveFile returns the path to the file that is actively written. 
@@ -69,9 +60,9 @@ type Rotator struct { interval time.Duration permissions os.FileMode log Logger // Optional Logger (may be nil). - suffix SuffixType rotateOnStartup bool redirectStderr bool + clock clock file *os.File mutex sync.Mutex @@ -85,14 +76,6 @@ type Logger interface { // RotatorOption is a configuration option for Rotator. type RotatorOption func(r *Rotator) -// Interval sets the time interval for log rotation in addition to log -// rotation by size. The default is 0 for disabled. -func Suffix(s SuffixType) RotatorOption { - return func(r *Rotator) { - r.suffix = s - } -} - // MaxSizeBytes configures the maximum number of bytes that a file should // contain before being rotated. The default is 10 MiB. func MaxSizeBytes(n uint) RotatorOption { @@ -150,6 +133,12 @@ func RedirectStderr(redirect bool) RotatorOption { } } +func WithClock(clock clock) RotatorOption { + return func(r *Rotator) { + r.clock = clock + } +} + // NewFileRotator returns a new Rotator. func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error) { r := &Rotator{ @@ -158,7 +147,7 @@ func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error) permissions: 0600, interval: 0, rotateOnStartup: true, - suffix: SuffixCount, + clock: &realClock{}, } for _, opt := range options { @@ -179,14 +168,14 @@ func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error) return nil, errors.New("the minimum time interval for log rotation is 1 second") } - r.rot = newRotater(r.log, r.suffix, filename, r.maxBackups, r.interval) + r.rot = newDateRotater(r.log, filename, r.clock) shouldRotateOnStart := r.rotateOnStartup if _, err := os.Stat(r.rot.ActiveFile()); os.IsNotExist(err) { shouldRotateOnStart = false } - r.triggers = newTriggers(shouldRotateOnStart, r.interval, r.maxSizeBytes) + r.triggers = newTriggers(shouldRotateOnStart, r.interval, r.maxSizeBytes, r.clock) if r.log != nil { r.log.Debugw("Initialized file rotator", 
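Review bot: `WithClock` is the only exported RotatorOption in this hunk without a doc comment, and it takes the unexported `clock` interface, so callers outside the package can only satisfy it structurally (as `rotator_test.go` does with `file.WithClock(c)`). Suggested comment above it: `// WithClock overrides the clock used for rotation timestamps and time-based triggers. The default is the wall clock; tests pass a fixed clock to rotate deterministically.` Mentioning that the option is intended for tests would also make it clear why the interface is not exported.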
@@ -194,7 +183,6 @@ func NewFileRotator(filename string, options ...RotatorOption) (*Rotator, error) "max_size_bytes", r.maxSizeBytes, "max_backups", r.maxBackups, "permissions", r.permissions, - "suffix", r.suffix, ) } @@ -292,7 +280,7 @@ func (r *Rotator) openFile() error { } func (r *Rotator) rotate(reason rotateReason) error { - return r.rotateWithTime(reason, time.Now()) + return r.rotateWithTime(reason, r.clock.Now()) } // rotateWithTime closes the actively written file, and rotates it along with exising @@ -339,7 +327,7 @@ func (r *Rotator) isRotationTriggered(dataLen uint) (rotateReason, time.Time) { for _, t := range r.triggers { reason := t.TriggerRotation(dataLen) if reason != rotateReasonNoRotate { - return reason, time.Now() + return reason, r.clock.Now() } } return rotateReasonNoRotate, time.Time{} 
@@ -395,52 +383,37 @@ func (r *Rotator) closeFile() error { return errors.Wrap(err, "failed to close active file") } -type countRotator struct { - log Logger - filename string - intervalRotator *intervalRotator - maxBackups uint -} - type dateRotator struct { log Logger + clock clock format string filenamePrefix string currentFilename string - intervalRotator *intervalRotator -} + extension string -func newRotater(log Logger, s SuffixType, filename string, maxBackups uint, interval time.Duration) rotater { - switch s { - case SuffixCount: - if interval > 0 { - return newIntervalRotator(log, interval, filename) - } - return &countRotator{ - log: log, - filename: filename, - maxBackups: maxBackups, - } - case SuffixDate: - return newDateRotater(log, filename) - default: - return &countRotator{ - log: log, - filename: filename, - maxBackups: maxBackups, - } - } + prefixLen int + filenameLen int + extensionLen int + + // logOrderCache is used to cache log file meta information between rotations + logOrderCache map[string]logOrder } -func newDateRotater(log Logger, filename string) rotater { +func newDateRotater(log Logger, filename string, clock clock) rotater { d := &dateRotator{ log: log, + clock: clock, filenamePrefix: filename + "-", - format: "20060102150405", + extension: ".ndjson", + format: DateFormat, + logOrderCache: make(map[string]logOrder), } + d.prefixLen = len(d.filenamePrefix) + d.filenameLen = d.prefixLen + len(DateFormat) + d.extensionLen = len(d.extension) - d.currentFilename = d.filenamePrefix + time.Now().Format(d.format) - files, err := filepath.Glob(d.filenamePrefix + "*") + d.currentFilename = d.filenamePrefix + d.clock.Now().Format(d.format) + d.extension + files, err := filepath.Glob(d.filenamePrefix + "*" + d.extension) if err != nil { return d } 
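Review bot: `newDateRotater` hard-codes `extension: ".ndjson"`, so every rotator now writes `<name>-<date>.ndjson` regardless of the configured filename and only manages files that carry that suffix, but neither the struct field nor the constructor says so; a comment on the field, e.g. `// extension is appended to every file this rotator creates; files without it are ignored by the globs below`, would save the next reader from deriving it. The `filepath.Glob` error on the new side is still swallowed with a bare `return d`; since `d.log` is available, `if d.log != nil { d.log.Debugw("failed to list existing logs", "error", err) }` before returning keeps the failure visible, matching the logging style used elsewhere in this file. newDateRotater continues past the end of the hunk.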
@@ -467,7 +440,24 @@ func (d *dateRotator) Rotate(reason rotateReason, rotateTime time.Time) error { d.log.Debugw("Rotating file", "filename", d.currentFilename, "reason", reason) } - d.currentFilename = d.filenamePrefix + rotateTime.Format(d.format) + d.logOrderCache = make(map[string]logOrder, 0) + + newFileNamePrefix := d.filenamePrefix + rotateTime.Format(d.format) + files, err := filepath.Glob(newFileNamePrefix + "*" + d.extension) + if err != nil { + return fmt.Errorf("failed to get possible files: %+v", err) + } + + if len(files) == 0 { + d.currentFilename = newFileNamePrefix + d.extension + return nil + } + + d.SortModTimeLogs(files) + order := d.OrderLog(files[len(files)-1]) + + d.currentFilename = newFileNamePrefix + "-" + strconv.Itoa(order.index+1) + d.extension + return nil } @@ -479,10 +469,18 @@ func (d *dateRotator) RotatedFiles() []string { } } + for i, name := range files { + if name == d.ActiveFile() { + files = append(files[:i], files[i+1:]...) + break + } + } + d.SortModTimeLogs(files) return files } +// SortModTimeLogs puts newest file to the last func (d *dateRotator) SortModTimeLogs(strings []string) { sort.Slice( strings, 
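Review bot: The new error path in Rotate formats with `fmt.Errorf("failed to get possible files: %+v", err)`, which flattens the error into text and breaks `errors.Is`/`As` for callers, while the rest of this file wraps with `errors.Wrap` from github.com/pkg/errors (see the existing `failed to rotate backups` paths). `return errors.Wrap(err, "failed to list files for rotation")` keeps the style consistent and the cause unwrappable. The `0` size hint in `make(map[string]logOrder, 0)` is redundant and can be dropped.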
@@ -492,88 +490,53 @@ func (d *dateRotator) SortModTimeLogs(strings []string) { ) } -func (d *dateRotator) OrderLog(filename string) time.Time { - ts, err := time.Parse(d.filenamePrefix+d.format, filepath.Base(filename)) - if err != nil { - return time.Time{} - } - return ts -} - -func (c *countRotator) ActiveFile() string { - return c.filename +// logOrder stores information required to sort log files +// parsed out from the following format (unknown)-{datetime}-{index}.ndjson +type logOrder struct { + index int + datetime time.Time } -func (c *countRotator) RotatedFiles() []string { - files := make([]string, 0) - for i := c.maxBackups + 1; i >= 1; i-- { - name := c.backupName(i) - if _, err := os.Stat(name); os.IsNotExist(err) { - continue - } else if err != nil { - c.log.Debugw("failed to stat rotated file") - return files - } - files = append(files, name) +func (o logOrder) After(other logOrder) bool { + if o.datetime.Equal(other.datetime) { + return other.index > o.index } - - return files + return !o.datetime.After(other.datetime) } -func (c *countRotator) backupName(n uint) string { - if n == 0 { - return c.ActiveFile() +func (d *dateRotator) OrderLog(filename string) logOrder { + if o, ok := d.logOrderCache[filename]; ok { + return o } - return c.ActiveFile() + "." 
+ strconv.Itoa(int(n)) -} -func (c *countRotator) Rotate(reason rotateReason, _ time.Time) error { - for i := c.maxBackups + 1; i > 0; i-- { - old := c.backupName(i - 1) - older := c.backupName(i) + var o logOrder + var err error - if _, err := os.Stat(old); os.IsNotExist(err) { - continue - } else if err != nil { - return errors.Wrap(err, "failed to rotate backups") - } + o.datetime, err = time.Parse(d.format, filename[d.prefixLen:d.filenameLen]) + if err != nil { + return o + } - if err := os.Remove(older); err != nil && !os.IsNotExist(err) { - return errors.Wrap(err, "failed to rotate backups") - } - if err := os.Rename(old, older); err != nil { - return errors.Wrap(err, "failed to rotate backups") - } else if i == 1 { - // Log when rotation of the main file occurs. - if c.log != nil { - c.log.Debugw("Rotating file", "filename", old, "reason", reason) - } + if d.isFilenameWithIndex(filename) { + o.index, err = d.filenameIndex(filename) + if err != nil { + return o } } - return nil -} -func (s *SuffixType) Unpack(v string) error { - i, err := strconv.Atoi(v) - if err == nil { - t := SuffixType(i) - v = t.String() - } + d.logOrderCache[filename] = o - val, ok := suffixes[v] - if !ok { - return fmt.Errorf("invalid suffix type: %+v", v) - } + return o +} - *s = val - return nil +func (d *dateRotator) isFilenameWithIndex(filename string) bool { + return d.filenameLen+d.extensionLen < len(filename) } -func (s *SuffixType) String() string { - for k, v := range suffixes { - if v == *s { - return k - } +func (d *dateRotator) filenameIndex(filename string) (int, error) { + indexStr := filename[d.filenameLen+1 : len(filename)-d.extensionLen] + if len(indexStr) > 0 { + return strconv.Atoi(indexStr) } - return "" + return 0, nil } diff --git a/libbeat/common/file/rotator_test.go b/libbeat/common/file/rotator_test.go index 585d1690e78..6294b042d13 100644 --- a/libbeat/common/file/rotator_test.go +++ b/libbeat/common/file/rotator_test.go 
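Review bot: `logOrder.After` returns true when the receiver is older than `other` — for equal dates it returns `other.index > o.index`, otherwise `!o.datetime.After(other.datetime)` — so the method name states the opposite of what it computes; renaming it to `Before`, or documenting it as the less-than relation that `SortModTimeLogs` sorts by, would prevent the next caller from inverting the order. In `OrderLog`, `filename[d.prefixLen:d.filenameLen]` panics for any name shorter than prefix+date that the globs pick up (for instance a stray `<name>-1.ndjson` in the log directory, if such a file reaches this function), and a failed date parse silently returns a zero `logOrder`; a length guard before the slice, `if len(filename) < d.filenameLen+d.extensionLen { return o }`, avoids the panic.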
@@ -21,8 +21,6 @@ import ( "fmt" "os" "path/filepath" - "regexp" - "sort" "sync" "testing" "time" 
@@ -39,43 +37,57 @@ func TestFileRotator(t *testing.T) { logp.TestingSetup() dir := t.TempDir() + logname := "sample" + c := &testClock{time.Date(2021, 11, 11, 0, 0, 0, 0, time.Local)} - filename := filepath.Join(dir, "sample.log") + filename := filepath.Join(dir, logname) r, err := file.NewFileRotator(filename, file.MaxBackups(2), file.WithLogger(logp.NewLogger("rotator").With(logp.Namespace("rotator"))), + file.WithClock(c), ) if err != nil { t.Fatal(err) } defer r.Close() + firstFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) + WriteMsg(t, r) - AssertDirContents(t, dir, "sample.log") + AssertDirContents(t, dir, firstFile) + + c.time = time.Date(2021, 11, 12, 0, 0, 0, 0, time.Local) Rotate(t, r) - AssertDirContents(t, dir, "sample.log.1") + AssertDirContents(t, dir, firstFile) WriteMsg(t, r) - AssertDirContents(t, dir, "sample.log", "sample.log.1") + + secondFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) + AssertDirContents(t, dir, firstFile, secondFile) + + c.time = time.Date(2021, 11, 13, 0, 0, 0, 0, time.Local) Rotate(t, r) - AssertDirContents(t, dir, "sample.log.1", "sample.log.2") + AssertDirContents(t, dir, firstFile, secondFile) WriteMsg(t, r) - AssertDirContents(t, dir, "sample.log", "sample.log.1", "sample.log.2") + thirdFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) + AssertDirContents(t, dir, firstFile, secondFile, thirdFile) + c.time = time.Date(2021, 11, 14, 0, 0, 0, 0, time.Local) Rotate(t, r) - AssertDirContents(t, dir, "sample.log.1", "sample.log.2") + AssertDirContents(t, dir, secondFile, thirdFile) + c.time = time.Date(2021, 11, 15, 0, 0, 0, 0, time.Local) Rotate(t, r) - AssertDirContents(t, dir, "sample.log.2", "sample.log.3") + AssertDirContents(t, dir, secondFile, thirdFile) } func TestFileRotatorConcurrently(t *testing.T) { dir := t.TempDir() - filename := filepath.Join(dir, "sample.log") + filename := filepath.Join(dir, "sample") r, err := 
file.NewFileRotator(filename, file.MaxBackups(2)) if err != nil { t.Fatal(err) @@ -97,29 +109,27 @@ func TestDailyRotation(t *testing.T) { dir := t.TempDir() logname := "daily" - dateFormat := "2006-01-02" - today := time.Now().Format(dateFormat) - yesterday := time.Now().AddDate(0, 0, -1).Format(dateFormat) - twoDaysAgo := time.Now().AddDate(0, 0, -2).Format(dateFormat) + yesterday := time.Now().AddDate(0, 0, -1).Format(file.DateFormat) + twoDaysAgo := time.Now().AddDate(0, 0, -2).Format(file.DateFormat) // seed directory with existing log files files := []string{ - logname + "-" + yesterday + "-1", - logname + "-" + yesterday + "-2", - logname + "-" + yesterday + "-3", - logname + "-" + yesterday + "-4", - logname + "-" + yesterday + "-5", - logname + "-" + yesterday + "-6", - logname + "-" + yesterday + "-7", - logname + "-" + yesterday + "-8", - logname + "-" + yesterday + "-9", - logname + "-" + yesterday + "-10", - logname + "-" + yesterday + "-11", - logname + "-" + yesterday + "-12", - logname + "-" + yesterday + "-13", - logname + "-" + twoDaysAgo + "-1", - logname + "-" + twoDaysAgo + "-2", - logname + "-" + twoDaysAgo + "-3", + logname + "-" + yesterday + "-1.ndjson", + logname + "-" + yesterday + "-2.ndjson", + logname + "-" + yesterday + "-3.ndjson", + logname + "-" + yesterday + "-4.ndjson", + logname + "-" + yesterday + "-5.ndjson", + logname + "-" + yesterday + "-6.ndjson", + logname + "-" + yesterday + "-7.ndjson", + logname + "-" + yesterday + "-8.ndjson", + logname + "-" + yesterday + "-9.ndjson", + logname + "-" + yesterday + "-10.ndjson", + logname + "-" + yesterday + "-11.ndjson", + logname + "-" + yesterday + "-12.ndjson", + logname + "-" + yesterday + "-13.ndjson", + logname + "-" + twoDaysAgo + "-1.ndjson", + logname + "-" + twoDaysAgo + "-2.ndjson", + logname + "-" + twoDaysAgo + "-3.ndjson", } for _, f := range files { 
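Review bot: TestDailyRotation derives `yesterday` and `twoDaysAgo` from `time.Now()` instead of the injected `testClock` that the other tests in this file now use, so the expectations it computes later can disagree with the rotator's own clock if the test straddles midnight, and the `NewFileRotator` call that follows (outside the hunk) is not given `file.WithClock`. Creating a fixed clock, `c := &testClock{time.Date(2021, 11, 11, 0, 0, 0, 0, time.Local)}`, deriving the seed dates from `c.time.AddDate(0, 0, -1)` / `AddDate(0, 0, -2)`, and passing `file.WithClock(c)` to the rotator makes the test deterministic. TestDailyRotation continues past the end of the hunk.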
@@ -139,25 +149,26 @@ func TestDailyRotation(t *testing.T) { Rotate(t, r) - AssertDirContents(t, dir, logname+"-"+yesterday+"-12", logname+"-"+yesterday+"-13") + AssertDirContents(t, dir, logname+"-"+yesterday+"-12.ndjson", logname+"-"+yesterday+"-13.ndjson") WriteMsg(t, r) - AssertDirContents(t, dir, logname+"-"+yesterday+"-12", logname+"-"+yesterday+"-13", logname) + today := time.Now().Format(file.DateFormat) + AssertDirContents(t, dir, logname+"-"+yesterday+"-12.ndjson", logname+"-"+yesterday+"-13.ndjson", logname+"-"+today+".ndjson") Rotate(t, r) - AssertDirContents(t, dir, logname+"-"+yesterday+"-13", logname+"-"+today+"-1") + AssertDirContents(t, dir, logname+"-"+yesterday+"-13.ndjson", logname+"-"+today+".ndjson") WriteMsg(t, r) - AssertDirContents(t, dir, logname+"-"+yesterday+"-13", logname+"-"+today+"-1", logname) + AssertDirContents(t, dir, logname+"-"+yesterday+"-13.ndjson", logname+"-"+today+".ndjson", logname+"-"+today+"-1.ndjson") for i := 0; i < (int(maxSizeBytes)/len(logMessage))+1; i++ { WriteMsg(t, r) } - AssertDirContents(t, dir, logname+"-"+today+"-1", logname+"-"+today+"-2", logname) + AssertDirContents(t, dir, logname+"-"+today+"-1.ndjson", logname+"-"+today+"-2.ndjson", logname+"-"+today+"-3.ndjson") } // Tests the FileConfig.RotateOnStartup parameter 
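Review bot: TestDailyRotation still derives `today` from `time.Now()` in this hunk while the sibling tests in this commit inject a `testClock` through `file.WithClock(c)`; if the wall clock crosses midnight between seeding the directory and the final `AssertDirContents`, the `logname+"-"+today+...` names no longer match what the rotator wrote and the test flakes. Freezing the date with the same `testClock` (deriving `yesterday` and `twoDaysAgo` from `c.Now().AddDate(...)` as well) would make it deterministic. The function begins outside this hunk, so the rotator construction is not visible here.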
@@ -165,13 +176,15 @@ func TestRotateOnStartup(t *testing.T) { dir := t.TempDir() logname := "rotate_on_open" - filename := filepath.Join(dir, logname) + c := &testClock{time.Date(2021, 11, 11, 0, 0, 0, 0, time.Local)} + firstFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) + filename := filepath.Join(dir, firstFile) // Create an existing log file with this name. CreateFile(t, filename) - AssertDirContents(t, dir, logname) + AssertDirContents(t, dir, firstFile) - r, err := file.NewFileRotator(filename, file.RotateOnStartup(false)) + r, err := file.NewFileRotator(filepath.Join(dir, logname), file.RotateOnStartup(false), file.WithClock(c)) if err != nil { t.Fatal(err) } 
@@ -179,33 +192,37 @@ func TestRotateOnStartup(t *testing.T) { WriteMsg(t, r) // The line should have been appended to the existing file without rotation. - AssertDirContents(t, dir, logname) + AssertDirContents(t, dir, firstFile) // Close the first rotator early (the deferred close will be a no-op if // we haven't hit an error by now), so it can't interfere with the second one. r.Close() // Create a second rotator with the default setting of rotateOnStartup=true - r, err = file.NewFileRotator(filename) + c = &testClock{time.Date(2021, 11, 12, 0, 0, 0, 0, time.Local)} + r, err = file.NewFileRotator(filepath.Join(dir, logname), file.WithClock(c)) if err != nil { t.Fatal(err) } defer r.Close() // The directory contents shouldn't change until the first Write. - AssertDirContents(t, dir, logname) + AssertDirContents(t, dir, firstFile) + + secondFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) WriteMsg(t, r) - AssertDirContents(t, dir, logname, logname+".1") + AssertDirContents(t, dir, firstFile, secondFile) } -func TestRotateDateSuffix(t *testing.T) { +func TestRotate(t *testing.T) { dir := t.TempDir() logname := "beatname" filename := filepath.Join(dir, logname) - r, err := file.NewFileRotator(filename, file.Suffix(file.SuffixDate), file.MaxBackups(1)) + c := &testClock{time.Date(2021, 11, 11, 0, 0, 0, 0, time.Local)} + r, err := file.NewFileRotator(filename, file.MaxBackups(1), file.WithClock(c)) if err != nil { t.Fatal(err) } 
@@ -213,24 +230,24 @@ func TestRotateDateSuffix(t *testing.T) { WriteMsg(t, r) - firstExpectedPattern := fmt.Sprintf("%s-%s.*", logname, time.Now().Format("20060102150405")) - AssertDirContentsPattern(t, dir, firstExpectedPattern) + firstFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) + AssertDirContents(t, dir, firstFile) - time.Sleep(2 * time.Second) - secondExpectedPattern := fmt.Sprintf("%s-%s.*", logname, time.Now().Format("20060102150405")) + c.time = time.Date(2021, 11, 13, 0, 0, 0, 0, time.Local) + secondFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) Rotate(t, r) WriteMsg(t, r) - AssertDirContentsPattern(t, dir, firstExpectedPattern, secondExpectedPattern) + AssertDirContents(t, dir, firstFile, secondFile) - time.Sleep(2 * time.Second) - thirdExpectedPattern := fmt.Sprintf("%s-%s.*", logname, time.Now().Format("20060102150405")) + c.time = time.Date(2021, 11, 15, 0, 0, 0, 0, time.Local) + thirdFile := fmt.Sprintf("%s-%s.ndjson", logname, c.Now().Format(file.DateFormat)) Rotate(t, r) WriteMsg(t, r) - AssertDirContentsPattern(t, dir, secondExpectedPattern, thirdExpectedPattern) + AssertDirContents(t, dir, secondFile, thirdFile) } func CreateFile(t *testing.T, filename string) { 
@@ -258,36 +275,7 @@ func AssertDirContents(t *testing.T, dir string, files ...string) { t.Fatal(err) } - sort.Strings(files) - sort.Strings(names) - assert.EqualValues(t, files, names) -} - -func AssertDirContentsPattern(t *testing.T, dir string, patterns ...string) { - t.Helper() - - f, err := os.Open(dir) - if err != nil { - t.Fatal(err) - } - - names, err := f.Readdirnames(-1) - if err != nil { - t.Fatal(err) - } - if len(patterns) != len(names) { - t.Fatal("unexpected number of files") - } - - sort.Strings(patterns) - sort.Strings(names) - for i := 0; i < len(patterns); i++ { - matches, err := regexp.MatchString(patterns[i], names[i]) - if err != nil { - t.Fatal(err) - } - assert.True(t, matches, "pattern: %s name: %s", patterns[i], names[i]) - } + assert.ElementsMatch(t, files, names) } func WriteMsg(t *testing.T, r *file.Rotator) { @@ -307,3 +295,11 @@ func Rotate(t *testing.T, r *file.Rotator) { t.Fatal(err) } } + +type testClock struct { + time time.Time +} + +func (t testClock) Now() time.Time { + return t.time +} diff --git a/libbeat/common/file/trigger.go b/libbeat/common/file/trigger.go index d96d748f922..22c128a334b 100644 --- a/libbeat/common/file/trigger.go +++ b/libbeat/common/file/trigger.go @@ -52,14 +52,14 @@ type trigger interface { TriggerRotation(dataLen uint) rotateReason } -func newTriggers(rotateOnStartup bool, interval time.Duration, maxSizeBytes uint) []trigger { +func newTriggers(rotateOnStartup bool, interval time.Duration, maxSizeBytes uint, clock clock) []trigger { triggers := make([]trigger, 0) if rotateOnStartup { triggers = append(triggers, &initTrigger{}) } if interval > 0 { - triggers = append(triggers, newIntervalTrigger(interval)) + triggers = append(triggers, newIntervalTrigger(interval, clock)) } if maxSizeBytes > 0 { triggers = append(triggers, &sizeTrigger{maxSizeBytes: maxSizeBytes, size: 0}) 
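Review bot: `testClock` and its `Now` method are added without a doc comment, and the field is named `time`, which reads as the `time` package elsewhere in the file; `now time.Time` avoids the double meaning. Since the tests advance it by assigning through a pointer (`c.time = ...`) while `Now` has a value receiver, a comment such as `// testClock is a fixed clock for tests; assign the field to advance it.` would document the intended use. With `AssertDirContentsPattern` deleted in the preceding hunk, the file's `regexp` and `sort` imports are presumably unused now — worth confirming, since the import block is outside this chunk.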
@@ -113,8 +113,8 @@ func (realClock) Now() time.Time { return time.Now() } -func newIntervalTrigger(interval time.Duration) trigger { - t := intervalTrigger{interval: interval, clock: realClock{}} +func newIntervalTrigger(interval time.Duration, clock clock) trigger { + t := intervalTrigger{interval: interval, clock: clock} switch interval { case time.Second: diff --git a/libbeat/common/fmtstr/formatevents_test.go b/libbeat/common/fmtstr/formatevents_test.go index 6e78eb5713f..a644676db75 100644 --- a/libbeat/common/fmtstr/formatevents_test.go +++ b/libbeat/common/fmtstr/formatevents_test.go @@ -109,7 +109,7 @@ func TestEventFormatString(t *testing.T) { "test timestamp formatter", "%{[key]}: %{+YYYY.MM.dd}", beat.Event{ - Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local), + Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC), Fields: common.MapStr{ "key": "timestamp", }, @@ -121,7 +121,7 @@ func TestEventFormatString(t *testing.T) { "test timestamp formatter", "%{[@timestamp]}: %{+YYYY.MM.dd}", beat.Event{ - Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local), + Timestamp: time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC), Fields: common.MapStr{ "key": "timestamp", }, diff --git a/libbeat/common/fmtstr/formattimestamp_test.go b/libbeat/common/fmtstr/formattimestamp_test.go index 4df8e6b3fdc..1a2c91decdd 100644 --- a/libbeat/common/fmtstr/formattimestamp_test.go +++ b/libbeat/common/fmtstr/formattimestamp_test.go @@ -73,14 +73,14 @@ func TestTimestampFormatString(t *testing.T) { "test timestamp formatter", "%{[key]}: %{+YYYY.MM.dd}", common.MapStr{"key": "timestamp"}, - time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local), + time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC), "timestamp: 2015.05.01", }, { "test timestamp formatter", "%{[@timestamp]}: %{+YYYY.MM.dd}", common.MapStr{"key": "timestamp"}, - time.Date(2015, 5, 1, 20, 12, 34, 0, time.Local), + time.Date(2015, 5, 1, 20, 12, 34, 0, time.UTC), "2015-05-01T20:12:34.000Z: 2015.05.01", }, } 
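Review bot: `newIntervalTrigger` now stores whatever `clock` it is handed, so a nil value reaches `clock.Now()` at the first rotation check and panics there rather than at construction; unless `NewFileRotator` is known to always supply one (its code is outside this chunk), a guard such as `if clock == nil { clock = realClock{} }` at the top keeps the previous default behaviour. The same applies to `newTriggers` in the preceding hunk, which only forwards the value.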
diff --git a/libbeat/docs/http-endpoint.asciidoc b/libbeat/docs/http-endpoint.asciidoc index 0db4e705935..853e7d3c2d9 100644 --- a/libbeat/docs/http-endpoint.asciidoc +++ b/libbeat/docs/http-endpoint.asciidoc @@ -32,6 +32,7 @@ It is recommended to use only localhost. Default is `localhost` current user. `http.named_pipe.security_descriptor`:: (Optional) Windows Security descriptor string defined in the SDDL format. Default to read and write permission for the current user. +`http.pprof.enabled`:: (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`. This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL. diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc index 4b47c45d5fb..d6232e2cb07 100644 --- a/libbeat/docs/loggingconfig.asciidoc +++ b/libbeat/docs/loggingconfig.asciidoc @@ -246,15 +246,6 @@ Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled. - -[float] -==== `logging.files.suffix` - -When a log rotation happens it can either rename older files with -an incresing index if `count` is configured. The other option is `date` -that appends the current date and time to the end of the filename. -When the log is rotated a new file is created and older files -remain untouched. endif::serverless[] [float] diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index d6c3a0d5922..aed042ea25b 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,8 +8,10 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> * <> * <> +* <> * <> * <> * <> 
diff --git a/libbeat/logp/config.go b/libbeat/logp/config.go index c5de43ae51a..1e82b6e7dd8 100644 --- a/libbeat/logp/config.go +++ b/libbeat/logp/config.go @@ -19,8 +19,6 @@ package logp import ( "time" - - "github.com/elastic/beats/v7/libbeat/common/file" ) // Config contains the configuration options for the logger. To create a Config @@ -47,15 +45,14 @@ type Config struct { // FileConfig contains the configuration options for the file output. type FileConfig struct { - Path string `config:"path" yaml:"path"` - Name string `config:"name" yaml:"name"` - Suffix file.SuffixType `config:"suffix" yaml:"suffix"` - MaxSize uint `config:"rotateeverybytes" yaml:"rotateeverybytes" validate:"min=1"` - MaxBackups uint `config:"keepfiles" yaml:"keepfiles" validate:"max=1024"` - Permissions uint32 `config:"permissions"` - Interval time.Duration `config:"interval"` - RotateOnStartup bool `config:"rotateonstartup"` - RedirectStderr bool `config:"redirect_stderr" yaml:"redirect_stderr"` + Path string `config:"path" yaml:"path"` + Name string `config:"name" yaml:"name"` + MaxSize uint `config:"rotateeverybytes" yaml:"rotateeverybytes" validate:"min=1"` + MaxBackups uint `config:"keepfiles" yaml:"keepfiles" validate:"max=1024"` + Permissions uint32 `config:"permissions"` + Interval time.Duration `config:"interval"` + RotateOnStartup bool `config:"rotateonstartup"` + RedirectStderr bool `config:"redirect_stderr" yaml:"redirect_stderr"` } // MetricsConfig contains configuration used by the monitor to output metrics into the logstream. @@ -76,7 +73,6 @@ func DefaultConfig(environment Environment) Config { return Config{ Level: defaultLevel, Files: FileConfig{ - Suffix: file.SuffixCount, MaxSize: 10 * 1024 * 1024, MaxBackups: 7, Permissions: 0600, diff --git a/libbeat/logp/core.go b/libbeat/logp/core.go index c85a5feeaec..552c81e9201 100644 --- a/libbeat/logp/core.go +++ b/libbeat/logp/core.go 
@@ -241,7 +241,6 @@ func makeFileOutput(cfg Config) (zapcore.Core, error) { file.Interval(cfg.Files.Interval), file.RotateOnStartup(cfg.Files.RotateOnStartup), file.RedirectStderr(cfg.Files.RedirectStderr), - file.Suffix(cfg.Files.Suffix), ) if err != nil { return nil, errors.Wrap(err, "failed to create file rotator") diff --git a/libbeat/logp/core_test.go b/libbeat/logp/core_test.go index 293f57098eb..f8537eb6aa7 100644 --- a/libbeat/logp/core_test.go +++ b/libbeat/logp/core_test.go @@ -153,7 +153,7 @@ func TestLoggingECSFields(t *testing.T) { Level: DebugLevel, development: true, Files: FileConfig{ - Name: "beat1.log", + Name: "beat1", }, } ToObserverOutput()(&cfg) diff --git a/libbeat/mapping/field.go b/libbeat/mapping/field.go index 13342a5f9be..9ac27d86ace 100644 --- a/libbeat/mapping/field.go +++ b/libbeat/mapping/field.go @@ -24,13 +24,14 @@ import ( "github.com/joeshaw/multierror" "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/go-ucfg/yaml" ) -//This reflects allowed attributes for field definitions in the fields.yml. -//No logic is put into this data structure. -//The purpose is to enable using different kinds of transformation, on top of the same data structure. -//Current transformation: +// This reflects allowed attributes for field definitions in the fields.yml. +// No logic is put into this data structure. +// The purpose is to enable using different kinds of transformation, on top of the same data structure. +// Current transformation: // -ElasticSearch Template // -Kibana Index Pattern @@ -44,8 +45,8 @@ type Field struct { Fields Fields `config:"fields"` MultiFields Fields `config:"multi_fields"` Enabled *bool `config:"enabled"` - Analyzer string `config:"analyzer"` - SearchAnalyzer string `config:"search_analyzer"` + Analyzer Analyzer `config:"analyzer"` + SearchAnalyzer Analyzer `config:"search_analyzer"` Norms bool `config:"norms"` Dynamic DynamicType `config:"dynamic"` Index *bool `config:"index"` 
@@ -125,6 +126,35 @@ func (d *DynamicType) Unpack(s string) error { return nil } +type Analyzer struct { + Name string + Definition interface{} +} + +func (a *Analyzer) Unpack(v interface{}) error { + var m common.MapStr + switch v := v.(type) { + case string: + a.Name = v + return nil + case common.MapStr: + m = v + case map[string]interface{}: + m = common.MapStr(v) + default: + return fmt.Errorf("'%v' is invalid analyzer setting", v) + } + + if len(m) != 1 { + return fmt.Errorf("'%v' is invalid analyzer setting", v) + } + for a.Name, a.Definition = range m { + break + } + + return nil +} + // Validate ensures objectTypeParams are not mixed with top level objectType configuration func (f *Field) Validate() error { if err := f.validateType(); err != nil { @@ -264,7 +294,6 @@ func (f Fields) HasKey(key string) bool { func (f Fields) GetField(key string) *Field { keys := strings.Split(key, ".") return f.getField(keys) - } // HasNode checks if inside fields the given node exists @@ -276,7 +305,6 @@ func (f Fields) HasNode(key string) bool { } func (f Fields) hasNode(keys []string) bool { - // Nothing to compare, so does not contain it if len(keys) == 0 { return false @@ -286,7 +314,6 @@ func (f Fields) hasNode(keys []string) bool { keys = keys[1:] for _, field := range f { - if field.Name == key { //// It's the last key to compare @@ -373,7 +400,6 @@ func (f Fields) GetKeys() []string { } func (f Fields) getKeys(namespace string) []string { - var keys []string for _, field := range f { diff --git a/libbeat/mapping/field_test.go b/libbeat/mapping/field_test.go index 52c03c6a018..6d69787a445 100644 --- a/libbeat/mapping/field_test.go +++ b/libbeat/mapping/field_test.go @@ -18,6 +18,7 @@ package mapping import ( + "fmt" "strings" "testing" @@ -58,7 +59,8 @@ func TestFieldsHasNode(t *testing.T) { Field{Name: "a", Fields: Fields{ Field{Name: "b", Fields: Fields{ Field{Name: "c"}, - }}}}, + }}, + }}, }, hasNode: true, }, 
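Review bot: `Analyzer` and its `Unpack` method are exported but carry no doc comment, and `Unpack` accepts two distinct shapes (a bare name string, or a single-entry map whose key is the name and value the definition) that a reader only learns from the switch; suggest `// Analyzer is an analyzer reference in fields.yml: either a name, or a single-entry map of name to definition.` on the type, and on `Unpack` a note that `Definition` stays nil for the string form. The `len(m) != 1` branch prints the whole map with `%v`, which for an inline definition can be long; `fmt.Errorf("analyzer setting must have exactly one entry, got %d", len(m))` states what was actually wrong.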
@@ -68,7 +70,8 @@ func TestFieldsHasNode(t *testing.T) { Field{Name: "a", Fields: Fields{ Field{Name: "b", Fields: Fields{ Field{Name: "c"}, - }}}}, + }}, + }}, }, hasNode: true, }, @@ -185,6 +188,46 @@ func TestDynamicYaml(t *testing.T) { } } +func TestAnalyzer(t *testing.T) { + tests := map[string]struct { + input []byte + output Field + err error + }{ + "simple analyzer": { + input: []byte(`{name: test, analyzer: simple}`), + output: Field{ + Name: "test", + Analyzer: Analyzer{Name: "simple"}, + }, + err: nil, + }, + "pattern analyzer": { + input: []byte(`{"name": "test", "analyzer": {"custom": {"type": "pattern", "pattern":"[\\W&&[^-]]+"}}}`), + output: Field{ + Name: "test", + Analyzer: Analyzer{Name: "custom", Definition: map[string]interface{}{"type": "pattern", "pattern": "[\\W\u0026\u0026[^-]]+"}}, + }, + err: nil, + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + keys := Field{} + + cfg, err := yaml.NewConfig(test.input) + assert.NoError(t, err) + err = cfg.Unpack(&keys) + + if fmt.Sprint(err) != fmt.Sprint(test.err) { + t.Fatalf("unexpected error for %s: got:%v want:%v", name, err, test.err) + } + assert.Equal(t, test.output.Analyzer, keys.Analyzer) + }) + } +} + func TestGetKeys(t *testing.T) { tests := []struct { fields Fields diff --git a/libbeat/metric/system/cgroup/util.go b/libbeat/metric/system/cgroup/util.go index cc8d51e5ee5..70879b87738 100644 --- a/libbeat/metric/system/cgroup/util.go +++ b/libbeat/metric/system/cgroup/util.go @@ -29,7 +29,6 @@ import ( "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/libbeat/paths" ) var ( 
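Review bot: In TestAnalyzer, `assert.NoError(t, err)` after `yaml.NewConfig` does not stop the subtest, so a parse failure continues into `cfg.Unpack(&keys)` on a nil config and surfaces as a panic instead of the assertion message; use `require.NoError(t, err)` if this file imports testify's `require`, otherwise `if err != nil { t.Fatal(err) }`. The variable `keys` holds a `Field`, not keys — `field := Field{}` reads better.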
@@ -273,14 +272,14 @@ func (r Reader) ProcessCgroupPaths(pid int) (PathList, error) { // If it's not set, warn the user that they've hit this. controllerPath := filepath.Join(r.cgroupMountpoints.V2Loc, path) // Depending on the test environment, Hostfs can either be blank, or `/` - if r.cgroupMountpoints.V2Loc == "" && len(paths.Paths.Hostfs) <= 1 { + if r.cgroupMountpoints.V2Loc == "" && len(r.rootfsMountpoint) <= 1 { logp.L().Debugf(`PID %d contains a cgroups V2 path (%s) but no V2 mountpoint was found. This may be because metricbeat is running inside a container on a hybrid system. To monitor cgroups V2 processess in this way, mount the unified (V2) hierarchy inside the container as /sys/fs/cgroup/unified and start metricbeat with --system.hostfs.`, pid, line) continue - } else if r.cgroupMountpoints.V2Loc == "" && len(paths.Paths.Hostfs) > 1 { - controllerPath = filepath.Join(paths.Paths.Hostfs, "/sys/fs/cgroup/unified", path) + } else if r.cgroupMountpoints.V2Loc == "" && len(r.rootfsMountpoint) > 1 { + controllerPath = filepath.Join(r.rootfsMountpoint, "/sys/fs/cgroup/unified", path) } cgpaths, err := ioutil.ReadDir(controllerPath) diff --git a/libbeat/metric/system/cpu/cpu.go b/libbeat/metric/system/cpu/cpu.go index 24523366413..eee30555e83 100644 --- a/libbeat/metric/system/cpu/cpu.go +++ b/libbeat/metric/system/cpu/cpu.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || openbsd || windows -// +build darwin freebsd linux openbsd windows +//go:build darwin || freebsd || linux || openbsd || windows || aix +// +build darwin freebsd linux openbsd windows aix package cpu diff --git a/libbeat/metric/system/process/process.go b/libbeat/metric/system/process/process.go index 65b86f5ab67..b5a1f486d9d 100644 --- a/libbeat/metric/system/process/process.go +++ b/libbeat/metric/system/process/process.go 
@@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || windows -// +build darwin freebsd linux windows +//go:build darwin || freebsd || linux || windows || aix +// +build darwin freebsd linux windows aix package process diff --git a/libbeat/outputs/fileout/config.go b/libbeat/outputs/fileout/config.go index 28441c93bb0..e80f0a27be9 100644 --- a/libbeat/outputs/fileout/config.go +++ b/libbeat/outputs/fileout/config.go @@ -25,19 +25,17 @@ import ( ) type config struct { - Path string `config:"path"` - Filename string `config:"filename"` - Suffix file.SuffixType `config:"suffix"` - RotateEveryKb uint `config:"rotate_every_kb" validate:"min=1"` - NumberOfFiles uint `config:"number_of_files"` - Codec codec.Config `config:"codec"` - Permissions uint32 `config:"permissions"` - RotateOnStartup bool `config:"rotate_on_startup"` + Path string `config:"path"` + Filename string `config:"filename"` + RotateEveryKb uint `config:"rotate_every_kb" validate:"min=1"` + NumberOfFiles uint `config:"number_of_files"` + Codec codec.Config `config:"codec"` + Permissions uint32 `config:"permissions"` + RotateOnStartup bool `config:"rotate_on_startup"` } func defaultConfig() config { return config{ - Suffix: file.SuffixCount, NumberOfFiles: 7, RotateEveryKb: 10 * 1024, Permissions: 0600, diff --git a/libbeat/outputs/fileout/file.go b/libbeat/outputs/fileout/file.go index 48a65adc1c0..b4a10e38396 100644 --- a/libbeat/outputs/fileout/file.go +++ b/libbeat/outputs/fileout/file.go @@ -84,7 +84,6 @@ func (out *fileOutput) init(beat beat.Info, c config) error { var err error out.rotator, err = file.NewFileRotator( path, - file.Suffix(c.Suffix), file.MaxSizeBytes(c.RotateEveryKb*1024), file.MaxBackups(c.NumberOfFiles), file.Permissions(os.FileMode(c.Permissions)), diff --git a/libbeat/outputs/kafka/kafka.go b/libbeat/outputs/kafka/kafka.go index 9be3970b1c4..8f06398eb0c 100644 
--- a/libbeat/outputs/kafka/kafka.go +++ b/libbeat/outputs/kafka/kafka.go @@ -18,9 +18,6 @@ package kafka import ( - "errors" - "time" - "github.com/Shopify/sarama" "github.com/elastic/beats/v7/libbeat/beat" @@ -32,20 +29,9 @@ import ( ) const ( - defaultWaitRetry = 1 * time.Second - - // NOTE: maxWaitRetry has no effect on mode, as logstash client currently does - // not return ErrTempBulkFailure - defaultMaxWaitRetry = 60 * time.Second - logSelector = "kafka" ) -var ( - errNoTopicSet = errors.New("No topic configured") - errNoHosts = errors.New("No hosts configured") -) - func init() { sarama.Logger = kafkaLogger{log: logp.NewLogger(logSelector)} diff --git a/libbeat/outputs/kafka/kafka_integration_test.go b/libbeat/outputs/kafka/kafka_integration_test.go index 0cc751d99b9..2be42f639e7 100644 --- a/libbeat/outputs/kafka/kafka_integration_test.go +++ b/libbeat/outputs/kafka/kafka_integration_test.go @@ -45,8 +45,9 @@ import ( ) const ( - kafkaDefaultHost = "localhost" - kafkaDefaultPort = "9092" + kafkaDefaultHost = "kafka" + kafkaDefaultPort = "9092" + kafkaDefaultSASLPort = "9093" ) type eventInfo struct { 
@@ -183,6 +184,37 @@ func TestKafkaPublish(t *testing.T) { "type": "log", }), }, + { + "publish single event to test topic", + map[string]interface{}{}, + testTopic, + single(common.MapStr{ + "host": "test-host", + "message": id, + }), + }, + { + // Initially I tried rerunning all tests over SASL/SCRAM, but + // that added a full 30sec to the test. Instead most tests run + // in plaintext, and individual tests can switch to SCRAM + // by inserting the config in this example: + "publish single event to test topic over SASL/SCRAM", + map[string]interface{}{ + "hosts": []string{getTestSASLKafkaHost()}, + "protocol": "https", + "sasl.mechanism": "SCRAM-SHA-512", + "ssl.certificate_authorities": []string{ + "../../../testing/environments/docker/kafka/certs/ca-cert", + }, + "username": "beats", + "password": "KafkaTest", + }, + testTopic, + single(common.MapStr{ + "host": "test-host", + "message": id, + }), + }, } defaultConfig := map[string]interface{}{ @@ -322,6 +354,13 @@ func getTestKafkaHost() string { ) } +func getTestSASLKafkaHost() string { + return fmt.Sprintf("%v:%v", + getenv("KAFKA_HOST", kafkaDefaultHost), + getenv("KAFKA_SASL_PORT", kafkaDefaultSASLPort), + ) +} + func makeConfig(t *testing.T, in map[string]interface{}) *common.Config { cfg, err := common.NewConfigFrom(in) if err != nil { diff --git a/libbeat/paths/paths.go b/libbeat/paths/paths.go index 25fbf2697e6..53cabb9f956 100644 --- a/libbeat/paths/paths.go +++ b/libbeat/paths/paths.go @@ -189,6 +189,6 @@ func Resolve(fileType FileType, path string) string { // String returns a textual representation func (paths *Path) String() string { - return fmt.Sprintf("Home path: [%s] Config path: [%s] Data path: [%s] Logs path: [%s]", - paths.Home, paths.Config, paths.Data, paths.Logs) + return fmt.Sprintf("Home path: [%s] Config path: [%s] Data path: [%s] Logs path: [%s] Hostfs Path: [%s]", + paths.Home, paths.Config, paths.Data, paths.Logs, paths.Hostfs) } 
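Review bot: `getTestSASLKafkaHost` in the second hunk duplicates `getTestKafkaHost` except for the port variable; a shared `testKafkaHost(portEnv, defaultPort string) string` would keep one copy. The SASL case hardcodes the `beats`/`KafkaTest` credentials and a relative CA path that only resolve against the docker test environment; a comment on the case such as `// credentials and CA match testing/environments/docker/kafka` would tell a reader where they come from and that they are fixtures rather than configuration.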
diff --git a/libbeat/processors/add_kubernetes_metadata/config.go b/libbeat/processors/add_kubernetes_metadata/config.go
index 6e738403087..ecc9b5919fe 100644
--- a/libbeat/processors/add_kubernetes_metadata/config.go
+++ b/libbeat/processors/add_kubernetes_metadata/config.go
@@ -69,5 +69,37 @@ func (k *kubeAnnotatorConfig) Validate() error { k.Host = "" } + // Checks below were added to warn the users early on and avoid initialising the processor in case the `logs_path` + // matcher config is not valid: supported paths defined as a `logs_path` configuration setting are strictly defined + // if `resource_type` is set + for _, matcher := range k.Matchers { + if matcherCfg, ok := matcher["logs_path"]; ok { + if matcherCfg.HasField("resource_type") { + logsPathMatcher := struct { + LogsPath string `config:"logs_path"` + ResourceType string `config:"resource_type"` + }{} + + err := matcherCfg.Unpack(&logsPathMatcher) + if err != nil { + return fmt.Errorf("fail to unpack the `logs_path` matcher configuration: %s", err) + } + if logsPathMatcher.LogsPath == "" { + return fmt.Errorf("invalid logs_path matcher configuration: when resource_type is defined, logs_path must be set as well") + } + if logsPathMatcher.ResourceType != "pod" && logsPathMatcher.ResourceType != "container" { + return fmt.Errorf("invalid resource_type %s, valid values include `pod`, `container`", logsPathMatcher.ResourceType) + } + if logsPathMatcher.ResourceType == "pod" && !(logsPathMatcher.LogsPath == "/var/lib/kubelet/pods/" || logsPathMatcher.LogsPath == "/var/log/pods/") { + return fmt.Errorf("invalid logs_path defined for resource_type: %s, valid values include `/var/lib/kubelet/pods/`, `/var/log/pods/`", logsPathMatcher.ResourceType) + } + if logsPathMatcher.ResourceType == "container" && logsPathMatcher.LogsPath != "/var/log/containers/" { + return fmt.Errorf("invalid logs_path defined for resource_type: %s, valid value is `/var/log/containers/`", logsPathMatcher.ResourceType) + } + } + + } + } + return nil } diff --git a/libbeat/processors/add_kubernetes_metadata/config_test.go b/libbeat/processors/add_kubernetes_metadata/config_test.go index 3bdcf34a1d7..f7cc83812f6 100644 --- a/libbeat/processors/add_kubernetes_metadata/config_test.go 
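Review bot: The two `invalid logs_path defined for resource_type` errors at the end of this hunk report the `resource_type` but not the offending `logs_path` value, so a user with a missing trailing slash (`/var/log/pods` vs `/var/log/pods/`) has to guess what was rejected; `return fmt.Errorf("invalid logs_path %q for resource_type %s, valid values include /var/lib/kubelet/pods/ and /var/log/pods/", logsPathMatcher.LogsPath, logsPathMatcher.ResourceType)` names both. The unpack failure is wrapped with `%s`, which drops the error chain; `%w` is the Go 1.13 form. The checks only run when `resource_type` is present, so a `logs_path` without it is accepted unchecked — consistent with the documented `container` default, but a comment saying so would spare the next maintainer the question.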
+++ b/libbeat/processors/add_kubernetes_metadata/config_test.go @@ -60,3 +60,76 @@ func TestConfigValidate(t *testing.T) { } } } + +func TestConfigValidate_LogsPatchMatcher(t *testing.T) { + tests := []struct { + matcherName string + matcherConfig map[string]interface{} + error bool + }{ + { + matcherName: "", + matcherConfig: map[string]interface{}{}, + error: false, + }, + { + matcherName: "logs_path", + matcherConfig: map[string]interface{}{ + "resource_type": "pod", + }, + error: true, + }, + { + matcherName: "logs_path", + matcherConfig: map[string]interface{}{ + "resource_type": "pod", + "invalid_field": "invalid_value", + }, + error: true, + }, + { + matcherName: "logs_path", + matcherConfig: map[string]interface{}{ + "resource_type": "pod", + "logs_path": "/var/log/invalid/path/", + }, + error: true, + }, + { + matcherName: "logs_path", + matcherConfig: map[string]interface{}{ + "resource_type": "pod", + "logs_path": "/var/log/pods/", + }, + error: false, + }, + { + matcherName: "logs_path", + matcherConfig: map[string]interface{}{ + "resource_type": "container", + "logs_path": "/var/log/containers/", + }, + error: false, + }, + } + + for _, test := range tests { + cfg, _ := common.NewConfigFrom(test.matcherConfig) + + c := defaultKubernetesAnnotatorConfig() + c.DefaultMatchers = Enabled{false} + + err := cfg.Unpack(&c) + c.Matchers = PluginConfig{ + { + test.matcherName: *cfg, + }, + } + err = c.Validate() + if test.error { + require.NotNil(t, err) + } else { + require.Nil(t, err) + } + } +} diff --git a/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc b/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc index 4c7fdba7503..71af7e00dc6 100644 --- a/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc +++ b/libbeat/processors/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc 
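Review bot: The test name `TestConfigValidate_LogsPatchMatcher` is a typo for `LogsPathMatcher`. In the loop the error from `common.NewConfigFrom` is discarded with `_`, and the `err` from `cfg.Unpack(&c)` is overwritten by `c.Validate()` without being checked, so a malformed fixture would be reported as a Validate failure or pass silently in the `error: false` cases; `require.NoError(t, err)` after each call pins that. Running each case under `t.Run` with a descriptive name would also identify which entry failed, since `require` aborts at the first failure.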
@@ -83,10 +83,29 @@ the `log.file.path` field. This matcher has the following configuration settings: `logs_path`:: (Optional) Base path of container logs. If not specified, it uses -the default logs path of the platform where {beatname_uc} is running. -`resource_type`:: (Optional) Type of the resource to obtain the ID of. It can be -`pod`, to make the lookup based on the pod UID, or `container`, to make the -lookup based on the container ID. It defaults to `container`. +the default logs path of the platform where {beatname_uc} is running: for Linux - +`/var/lib/docker/containers/`, Windows - `C:\\ProgramData\\Docker\\containers`. +To change the default value: container ID must follow right after the `logs_path` - +`/`, where `container_id` is a 64-character-long +hexadecimal string. + +`resource_type`:: (Optional) Type of the resource to obtain the ID of. +Valid `resource_type`: +* `pod`: to make the lookup based on the pod UID. When `resource_type` is set to +`pod`, `logs_path` must be set as well, supported path in this case: +** `/var/lib/kubelet/pods/` used to read logs from mounted into the pod volumes, +those logs end up under `/var/lib/kubelet/pods//volumes//...` +To use `/var/lib/kubelet/pods/` as a `log_path`, `/var/lib/kubelet/pods` must be +mounted into the filebeat Pods. +** `/var/log/pods/` +Note: when using `resource_type: 'pod'` logs will be enriched only with pod +metadata: pod id, pod name, etc., not container metadata. +*`container`: to make the lookup based on the container ID, `logs_path` must +be set to `/var/log/containers/`. +It defaults to `container`. + +To be able to use `logs_path` matcher filebeat input path must be a subdirectory +of directory defined in `logs_path` configuration setting. The default configuration is able to lookup the metadata using the container ID when the logs are collected from the default docker logs path 
diff --git a/libbeat/reader/readfile/line_terminator.go b/libbeat/reader/readfile/line_terminator.go index 68ab24736c2..bcd82e36741 100644 --- a/libbeat/reader/readfile/line_terminator.go +++ b/libbeat/reader/readfile/line_terminator.go @@ -44,6 +44,8 @@ const ( LineSeparator // ParagraphSeparator is the unicode char PS ParagraphSeparator + // NullTerminator + NullTerminator ) var ( @@ -57,6 +59,7 @@ var ( "next_line": NextLine, "line_separator": LineSeparator, "paragraph_separator": ParagraphSeparator, + "null_terminator": NullTerminator, } lineTerminatorCharacters = map[LineTerminator][]byte{ @@ -69,6 +72,7 @@ var ( NextLine: []byte{'\u0085'}, LineSeparator: []byte("\u2028"), ParagraphSeparator: []byte("\u2029"), + NullTerminator: []byte{'\u0000'}, } ) diff --git a/libbeat/template/load_test.go b/libbeat/template/load_test.go index 75096e559f2..017f53639fa 100644 --- a/libbeat/template/load_test.go +++ b/libbeat/template/load_test.go @@ -18,6 +18,7 @@ package template import ( + "errors" "fmt" "testing" @@ -38,19 +39,24 @@ func TestFileLoader_Load(t *testing.T) { for name, test := range map[string]struct { settings TemplateSettings body common.MapStr + fields []byte + want common.MapStr + wantErr error }{ "load minimal config info": { body: common.MapStr{ "index_patterns": []string{"mock-7.0.0-*"}, "order": order, - "settings": common.MapStr{"index": nil}}, + "settings": common.MapStr{"index": nil}, + }, }, "load minimal config with index settings": { settings: TemplateSettings{Index: common.MapStr{"code": "best_compression"}}, body: common.MapStr{ "index_patterns": []string{"mock-7.0.0-*"}, "order": order, - "settings": common.MapStr{"index": common.MapStr{"code": "best_compression"}}}, + "settings": common.MapStr{"index": common.MapStr{"code": "best_compression"}}, + }, }, "load minimal config with source settings": { settings: TemplateSettings{Source: common.MapStr{"enabled": false}}, 
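Review bot: The new `// NullTerminator` comment on the enum value is empty where its neighbours describe the character; `// NullTerminator is the NUL character (U+0000)` would match the existing style. The `lineTerminatorCharacters` entry `[]byte{'\u0000'}` is equivalent to `[]byte{0}`, which makes the single zero byte obvious at a glance.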
@@ -64,7 +70,134 @@ func TestFileLoader_Load(t *testing.T) { "date_detection": false, "dynamic_templates": nil, "properties": nil, - }}, + }, + }, + }, + "load config and in-line analyzer fields": { + body: common.MapStr{ + "index_patterns": []string{"mock-7.0.0-*"}, + "order": order, + "settings": common.MapStr{"index": nil}, + }, + fields: []byte(`- key: test + title: Test fields.yml with analyzer + description: > + Contains text fields with in-line analyzer for testing + fields: + - name: script_block_text + type: text + analyzer: + test_powershell: + type: pattern + pattern: "[\\W&&[^-]]+" + + - name: code_block_text + type: text + analyzer: + test_powershell: + type: pattern + pattern: "[\\W&&[^-]]+" + + - name: standard_text + type: text + analyzer: simple +`), + want: common.MapStr{ + "index_patterns": []string{ + "mock-7.0.0-*", + }, + "order": 1, + "mappings": common.MapStr{ + "_meta": common.MapStr{ + "version": "7.0.0", + "beat": "mock", + }, + "date_detection": false, + "dynamic_templates": []common.MapStr{ + { + "strings_as_keyword": common.MapStr{ + "mapping": common.MapStr{ + "ignore_above": 1024, + "type": "keyword", + }, + "match_mapping_type": "string", + }, + }, + }, + "properties": common.MapStr{ + "code_block_text": common.MapStr{ + "type": "text", + "norms": false, + "analyzer": "test_powershell", + }, + "script_block_text": common.MapStr{ + "type": "text", + "norms": false, + "analyzer": "test_powershell", + }, + "standard_text": common.MapStr{ + "type": "text", + "norms": false, + "analyzer": "simple", + }, + }, + }, + "settings": common.MapStr{ + "index": common.MapStr{ + "refresh_interval": "5s", + "mapping": common.MapStr{ + "total_fields": common.MapStr{ + "limit": 10000, + }, + }, + "query": common.MapStr{ + "default_field": []string{ + "fields.*", + }, + }, + "max_docvalue_fields_search": 200, + }, + "analysis": common.MapStr{ + "analyzer": common.MapStr{ + "test_powershell": map[string]interface{}{ + "type": "pattern", + "pattern": 
"[\\W&&[^-]]+", + }, + }, + }, + }, + }, + }, + "load config and in-line analyzer fields with name collision": { + body: common.MapStr{ + "index_patterns": []string{"mock-7.0.0-*"}, + "order": order, + "settings": common.MapStr{"index": nil}, + }, + fields: []byte(`- key: test + title: Test fields.yml with analyzer + description: > + Contains text fields with in-line analyzer for testing + fields: + - name: script_block_text + type: text + analyzer: + test_powershell: + type: pattern + pattern: "[\\W&&[^-]]+" + + - name: code_block_text + type: text + analyzer: + test_powershell: + type: pattern + pattern: "[\\W&&[^*-]]+" + + - name: standard_text + type: text + analyzer: simple +`), + wantErr: errors.New(`error creating template: inconsistent definitions for analyzers with the name "test_powershell"`), }, } { t.Run(name, func(t *testing.T) { @@ -75,11 +208,18 @@ func TestFileLoader_Load(t *testing.T) { cfg := DefaultConfig() cfg.Settings = test.settings - err = fl.Load(cfg, info, nil, false) - require.NoError(t, err) + err = fl.Load(cfg, info, test.fields, false) + require.Equal(t, test.wantErr, err) + if err != nil { + return + } assert.Equal(t, "template", fc.component) assert.Equal(t, tmplName, fc.name) - assert.Equal(t, test.body.StringToPrint()+"\n", fc.body) + want := test.body + if test.fields != nil { + want = test.want + } + assert.Equal(t, want.StringToPrint()+"\n", fc.body) }) } } diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go index 15cea8aed0d..a9489a35a11 100644 --- a/libbeat/template/processor.go +++ b/libbeat/template/processor.go @@ -20,6 +20,7 @@ package template import ( "errors" "fmt" + "reflect" "strings" "github.com/elastic/beats/v7/libbeat/common" 
@@ -63,7 +64,7 @@ type fieldState struct { } // Process recursively processes the given fields and writes the template in the given output -func (p *Processor) Process(fields mapping.Fields, state *fieldState, output common.MapStr) error { +func (p *Processor) Process(fields mapping.Fields, state *fieldState, output, analyzers common.MapStr) error { if state == nil { // Set the defaults. state = &fieldState{DefaultField: DefaultField} @@ -78,7 +79,10 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com if field.DefaultField == nil { field.DefaultField = &state.DefaultField } - var indexMapping common.MapStr + var ( + indexMapping common.MapStr + analyzer, searchAnalyzer mapping.Analyzer + ) switch field.Type { case "ip": @@ -90,23 +94,23 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com case "integer": indexMapping = p.integer(&field) case "text": - indexMapping = p.text(&field) + indexMapping, analyzer, searchAnalyzer = p.text(&field, analyzers) case "match_only_text": noMatchOnlyText := p.EsVersion.LessThan(minVersionMatchOnlyText) if !p.ElasticLicensed || noMatchOnlyText { - indexMapping = p.text(&field) + indexMapping, analyzer, searchAnalyzer = p.text(&field, analyzers) } else { - indexMapping = p.matchOnlyText(&field) + indexMapping, analyzer, searchAnalyzer = p.matchOnlyText(&field, analyzers) } case "wildcard": noWildcards := p.EsVersion.LessThan(minVersionWildcard) if !p.ElasticLicensed || noWildcards { - indexMapping = p.keyword(&field) + indexMapping = p.keyword(&field, analyzers) } else { - indexMapping = p.wildcard(&field) + indexMapping = p.wildcard(&field, analyzers) } case "", "keyword": - indexMapping = p.keyword(&field) + indexMapping = p.keyword(&field, analyzers) case "object": indexMapping = p.object(&field) case "array": 
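Review bot: The doc comment on `Process` still reads `// Process recursively processes the given fields and writes the template in the given output` and does not mention the new `analyzers` parameter that this hunk threads into every `text`, `matchOnlyText`, `keyword` and `wildcard` call. Suggest `// Process recursively processes the given fields, writes their property mappings into output and collects every in-line analyzer definition it meets into analyzers, keyed by analyzer name; it fails if two fields define the same name differently.` The loop in the following hunk calls `analyzers.Put` on that map, so callers presumably must pass a non-nil map; saying so in the comment would spare the next caller a nil-map panic. The body of `Process` continues past this hunk.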
@@ -116,13 +120,13 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com case "histogram": indexMapping = p.histogram(&field) case "nested": - mapping, err := p.nested(&field, output) + mapping, err := p.nested(&field, output, analyzers) if err != nil { return err } indexMapping = mapping case "group": - mapping, err := p.group(&field, output) + mapping, err := p.group(&field, output, analyzers) if err != nil { return err } @@ -149,6 +153,23 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com output.Put(mapping.GenerateKey(field.Name), indexMapping) } } + + for _, a := range []mapping.Analyzer{ + analyzer, searchAnalyzer, + } { + if a.Definition != nil { + prev, err := analyzers.Put(a.Name, a.Definition) + if err != nil { + // Should never happen. + return err + } + if prev != nil { + if !reflect.DeepEqual(prev, a.Definition) { + return fmt.Errorf("inconsistent definitions for analyzers with the name %q", a.Name) + } + } + } + } } return nil } @@ -204,8 +225,8 @@ func (p *Processor) scaledFloat(f *mapping.Field, params ...common.MapStr) commo return property } -func (p *Processor) nested(f *mapping.Field, output common.MapStr) (common.MapStr, error) { - mapping, err := p.group(f, output) +func (p *Processor) nested(f *mapping.Field, output, analyzers common.MapStr) (common.MapStr, error) { + mapping, err := p.group(f, output, analyzers) if err != nil { return nil, err } @@ -213,7 +234,7 @@ func (p *Processor) nested(f *mapping.Field, output common.MapStr) (common.MapSt return mapping, nil } -func (p *Processor) group(f *mapping.Field, output common.MapStr) (common.MapStr, error) { +func (p *Processor) group(f *mapping.Field, output, analyzers common.MapStr) (common.MapStr, error) { indexMapping := common.MapStr{} if f.Dynamic.Value != nil { indexMapping["dynamic"] = f.Dynamic.Value 
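Review bot: The new loop stores each definition with `analyzers.Put(a.Name, a.Definition)` and only then compares `prev` against it, and `MapStr.Put` treats a `.` in the key as a path (the same semantics `m.Put("settings.analysis.analyzer", …)` in template.go relies on), so an analyzer whose name contains a dot would presumably be stored as nested maps and later emitted under the wrong key. Since `common.MapStr` is a plain string-keyed map, indexing it directly avoids both that and the `// Should never happen.` error branch, and the nested `if prev != nil { if !reflect.DeepEqual(...) }` flattens into one condition. The rewritten loop below keeps the error text unchanged; the assignment still panics if a caller passes a nil `analyzers`, so that precondition should be documented on `Process`.

```go
	for _, a := range []mapping.Analyzer{analyzer, searchAnalyzer} {
		if a.Definition == nil {
			continue
		}
		// Index the map directly: MapStr.Put would split a '.' in the
		// analyzer name into a nested path.
		if prev, ok := analyzers[a.Name]; ok && !reflect.DeepEqual(prev, a.Definition) {
			return fmt.Errorf("inconsistent definitions for analyzers with the name %q", a.Name)
		}
		analyzers[a.Name] = a.Definition
	}
```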
@@ -236,7 +257,7 @@ func (p *Processor) group(f *mapping.Field, output common.MapStr) (common.MapStr if f.Path != "" { groupState.Path = f.Path + "." + f.Name } - if err := p.Process(f.Fields, groupState, properties); err != nil { + if err := p.Process(f.Fields, groupState, properties, analyzers); err != nil { return nil, err } if len(properties) != 0 { @@ -285,7 +306,7 @@ func stateFromField(f *mapping.Field) *fieldState { return st } -func (p *Processor) keyword(f *mapping.Field) common.MapStr { +func (p *Processor) keyword(f *mapping.Field, analyzers common.MapStr) common.MapStr { property := p.getDefaultProperties(f) property["type"] = "keyword" @@ -305,14 +326,14 @@ func (p *Processor) keyword(f *mapping.Field) common.MapStr { if len(f.MultiFields) > 0 { fields := common.MapStr{} - p.Process(f.MultiFields, stateFromField(f), fields) + p.Process(f.MultiFields, stateFromField(f), fields, analyzers) property["fields"] = fields } return property } -func (p *Processor) wildcard(f *mapping.Field) common.MapStr { +func (p *Processor) wildcard(f *mapping.Field, analyzers common.MapStr) common.MapStr { property := p.getDefaultProperties(f) property["type"] = "wildcard" @@ -327,15 +348,15 @@ func (p *Processor) wildcard(f *mapping.Field) common.MapStr { if len(f.MultiFields) > 0 { fields := common.MapStr{} - p.Process(f.MultiFields, stateFromField(f), fields) + p.Process(f.MultiFields, stateFromField(f), fields, analyzers) property["fields"] = fields } return property } -func (p *Processor) text(f *mapping.Field) common.MapStr { - properties := p.getDefaultProperties(f) +func (p *Processor) text(f *mapping.Field, analyzers common.MapStr) (properties common.MapStr, analyzer, searchAnalyzer mapping.Analyzer) { + properties = p.getDefaultProperties(f) properties["type"] = "text" 
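Review bot: `keyword` and `wildcard` still call `p.Process(f.MultiFields, stateFromField(f), fields, analyzers)` and drop its return value, and the same happens in `text` and `matchOnlyText` in the next hunk; the error paths visible in `Process` before this change come from `nested`/`group`, but the commit adds a new failure — conflicting analyzer definitions — that a multi-field can now trigger and that is silently lost at these four call sites. Either propagate it (the helpers would need an error result, which `Process` already handles for `nested` and `group`) or, at minimum, mark the call: `// TODO: p.Process can now fail on conflicting analyzer definitions; the error is dropped here.` The `keyword` and `wildcard` bodies start outside this hunk.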
@@ -353,43 +374,47 @@ func (p *Processor) text(f *mapping.Field) common.MapStr { } } - if f.Analyzer != "" { - properties["analyzer"] = f.Analyzer + if f.Analyzer.Name != "" { + properties["analyzer"] = f.Analyzer.Name + analyzer = f.Analyzer } - if f.SearchAnalyzer != "" { - properties["search_analyzer"] = f.SearchAnalyzer + if f.SearchAnalyzer.Name != "" { + properties["search_analyzer"] = f.SearchAnalyzer.Name + searchAnalyzer = f.SearchAnalyzer } if len(f.MultiFields) > 0 { fields := common.MapStr{} - p.Process(f.MultiFields, stateFromField(f), fields) + p.Process(f.MultiFields, stateFromField(f), fields, analyzers) properties["fields"] = fields } - return properties + return properties, analyzer, searchAnalyzer } -func (p *Processor) matchOnlyText(f *mapping.Field) common.MapStr { - properties := p.getDefaultProperties(f) +func (p *Processor) matchOnlyText(f *mapping.Field, analyzers common.MapStr) (properties common.MapStr, analyzer, searchAnalyzer mapping.Analyzer) { + properties = p.getDefaultProperties(f) properties["type"] = "match_only_text" - if f.Analyzer != "" { + if f.Analyzer.Name != "" { properties["analyzer"] = f.Analyzer + analyzer = f.Analyzer } - if f.SearchAnalyzer != "" { + if f.SearchAnalyzer.Name != "" { properties["search_analyzer"] = f.SearchAnalyzer + searchAnalyzer = f.SearchAnalyzer } if len(f.MultiFields) > 0 { fields := common.MapStr{} - p.Process(f.MultiFields, nil, fields) + p.Process(f.MultiFields, nil, fields, analyzers) properties["fields"] = fields } - return properties + return properties, analyzer, searchAnalyzer } func (p *Processor) array(f *mapping.Field) common.MapStr { diff --git a/libbeat/template/processor_test.go b/libbeat/template/processor_test.go index 9c2156c5cca..c686f2e4738 100644 --- a/libbeat/template/processor_test.go +++ b/libbeat/template/processor_test.go 
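Review bot: In `matchOnlyText` the condition was changed to `f.Analyzer.Name != ""` but the assignment on the next line is the unchanged context line `properties["analyzer"] = f.Analyzer`, so the whole `mapping.Analyzer` struct now lands in the mapping instead of its name; the same applies to `properties["search_analyzer"] = f.SearchAnalyzer` a few lines further down. `text` in the same hunk does it right: `properties["analyzer"] = f.Analyzer.Name` and `properties["search_analyzer"] = f.SearchAnalyzer.Name`. The visible processor_test changes only exercise `p.text`, so a `matchOnlyText` case with an analyzer set would have caught this.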
@@ -128,7 +128,7 @@ func TestProcessor(t *testing.T) { }, }, { - output: p.text(&mapping.Field{Type: "text", Analyzer: "autocomplete"}), + output: fieldsOnly(p.text(&mapping.Field{Type: "text", Analyzer: mapping.Analyzer{Name: "autocomplete"}}, nil)), expected: common.MapStr{ "type": "text", "analyzer": "autocomplete", @@ -136,21 +136,21 @@ func TestProcessor(t *testing.T) { }, }, { - output: p.text(&mapping.Field{Type: "text", Analyzer: "autocomplete", Norms: true}), + output: fieldsOnly(p.text(&mapping.Field{Type: "text", Analyzer: mapping.Analyzer{Name: "autocomplete"}, Norms: true}, nil)), expected: common.MapStr{ "type": "text", "analyzer": "autocomplete", }, }, { - output: p.text(&mapping.Field{Type: "text", SearchAnalyzer: "standard", Norms: true}), + output: fieldsOnly(p.text(&mapping.Field{Type: "text", SearchAnalyzer: mapping.Analyzer{Name: "standard"}, Norms: true}, nil)), expected: common.MapStr{ "type": "text", "search_analyzer": "standard", }, }, { - output: p.text(&mapping.Field{Type: "text", Analyzer: "autocomplete", SearchAnalyzer: "standard", Norms: true}), + output: fieldsOnly(p.text(&mapping.Field{Type: "text", Analyzer: mapping.Analyzer{Name: "autocomplete"}, SearchAnalyzer: mapping.Analyzer{Name: "standard"}, Norms: true}, nil)), expected: common.MapStr{ "type": "text", "analyzer": "autocomplete", @@ -158,7 +158,7 @@ func TestProcessor(t *testing.T) { }, }, { - output: p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{mapping.Field{Name: "raw", Type: "keyword"}}, Norms: true}), + output: fieldsOnly(p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{mapping.Field{Name: "raw", Type: "keyword"}}, Norms: true}, nil)), expected: common.MapStr{ "type": "text", "fields": common.MapStr{ 
@@ -170,7 +170,7 @@ func TestProcessor(t *testing.T) { }, }, { - output: p.keyword(&mapping.Field{Type: "keyword", MultiFields: mapping.Fields{mapping.Field{Name: "analyzed", Type: "text", Norms: true}}}), + output: p.keyword(&mapping.Field{Type: "keyword", MultiFields: mapping.Fields{mapping.Field{Name: "analyzed", Type: "text", Norms: true}}}, nil), expected: common.MapStr{ "type": "keyword", "ignore_above": 1024, @@ -182,30 +182,30 @@ func TestProcessor(t *testing.T) { }, }, { - output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: 256}), + output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: 256}, nil), expected: common.MapStr{ "type": "keyword", "ignore_above": 256, }, }, { - output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: -1}), + output: p.keyword(&mapping.Field{Type: "keyword", IgnoreAbove: -1}, nil), expected: common.MapStr{ "type": "keyword", }, }, { - output: p.keyword(&mapping.Field{Type: "keyword"}), + output: p.keyword(&mapping.Field{Type: "keyword"}, nil), expected: common.MapStr{ "type": "keyword", "ignore_above": 1024, }, }, { - output: p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{ + output: fieldsOnly(p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{ mapping.Field{Name: "raw", Type: "keyword"}, mapping.Field{Name: "indexed", Type: "text"}, - }, Norms: true}), + }, Norms: true}, nil)), expected: common.MapStr{ "type": "text", "fields": common.MapStr{ @@ -221,10 +221,10 @@ func TestProcessor(t *testing.T) { }, }, { - output: p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{ + output: fieldsOnly(p.text(&mapping.Field{Type: "text", MultiFields: mapping.Fields{ mapping.Field{Name: "raw", Type: "keyword"}, mapping.Field{Name: "indexed", Type: "text"}, - }, Norms: true}), + }, Norms: true}, nil)), expected: common.MapStr{ "type": "text", "fields": common.MapStr{ 
@@ -335,6 +335,10 @@ func TestProcessor(t *testing.T) { } } +func fieldsOnly(f common.MapStr, _, _ mapping.Analyzer) common.MapStr { + return f +} + func TestDynamicTemplates(t *testing.T) { tests := []struct { field mapping.Field @@ -526,11 +530,12 @@ func TestDynamicTemplates(t *testing.T) { for _, test := range tests { output := make(common.MapStr) + analyzers := make(common.MapStr) p := &Processor{EsVersion: *common.MustNewVersion("8.0.0")} err := p.Process(mapping.Fields{ test.field, test.field, // should not be added twice - }, &fieldState{Path: test.field.Path}, output) + }, &fieldState{Path: test.field.Path}, output, analyzers) require.NoError(t, err) assert.Equal(t, test.expected, p.dynamicTemplates) } @@ -562,13 +567,14 @@ func TestPropertiesCombine(t *testing.T) { } output := common.MapStr{} + analyzers := common.MapStr{} version, err := common.NewVersion("6.0.0") if err != nil { t.Fatal(err) } p := Processor{EsVersion: *version} - err = p.Process(fields, nil, output) + err = p.Process(fields, nil, output, analyzers) if err != nil { t.Fatal(err) } @@ -610,13 +616,14 @@ func TestProcessNoName(t *testing.T) { } output := common.MapStr{} + analyzers := common.MapStr{} version, err := common.NewVersion("6.0.0") if err != nil { t.Fatal(err) } p := Processor{EsVersion: *version} - err = p.Process(fields, nil, output) + err = p.Process(fields, nil, output, analyzers) if err != nil { t.Fatal(err) } @@ -737,7 +744,8 @@ func TestProcessDefaultField(t *testing.T) { p := Processor{EsVersion: *version} output := common.MapStr{} - if err = p.Process(fields, nil, output); err != nil { + analyzers := common.MapStr{} + if err = p.Process(fields, nil, output, analyzers); err != nil { t.Fatal(err) } 
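Review bot: The new test helper `fieldsOnly` has no comment explaining why it exists, and its shape (three parameters, two discarded) is not obvious at the `TestProcessor` call sites where it wraps `p.text(...)`. Suggest `// fieldsOnly drops the analyzer return values of text/matchOnlyText so the property map can be compared directly.` above it.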
@@ -771,13 +779,14 @@ func TestProcessWildcardOSS(t *testing.T) { } output := common.MapStr{} + analyzers := common.MapStr{} version, err := common.NewVersion("8.0.0") if err != nil { t.Fatal(err) } p := Processor{EsVersion: *version} - err = p.Process(fields, nil, output) + err = p.Process(fields, nil, output, analyzers) if err != nil { t.Fatal(err) } @@ -813,13 +822,14 @@ func TestProcessWildcardElastic(t *testing.T) { } output := common.MapStr{} + analyzers := common.MapStr{} version, err := common.NewVersion("8.0.0") if err != nil { t.Fatal(err) } p := Processor{EsVersion: *version, ElasticLicensed: true} - err = p.Process(fields, nil, output) + err = p.Process(fields, nil, output, analyzers) if err != nil { t.Fatal(err) } @@ -855,13 +865,14 @@ func TestProcessWildcardPreSupport(t *testing.T) { } output := common.MapStr{} + analyzers := common.MapStr{} version, err := common.NewVersion("7.8.0") if err != nil { t.Fatal(err) } p := Processor{EsVersion: *version, ElasticLicensed: true} - err = p.Process(fields, nil, output) + err = p.Process(fields, nil, output, analyzers) if err != nil { t.Fatal(err) } @@ -896,13 +907,14 @@ func TestProcessNestedSupport(t *testing.T) { } output := common.MapStr{} + analyzers := common.MapStr{} version, err := common.NewVersion("7.8.0") if err != nil { t.Fatal(err) } p := Processor{EsVersion: *version, ElasticLicensed: true} - err = p.Process(fields, nil, output) + err = p.Process(fields, nil, output, analyzers) if err != nil { t.Fatal(err) } @@ -931,13 +943,14 @@ func TestProcessNestedSupportNoSubfields(t *testing.T) { } output := common.MapStr{} + analyzers := common.MapStr{} version, err := common.NewVersion("7.8.0") if err != nil { t.Fatal(err) } p := Processor{EsVersion: *version, ElasticLicensed: true} - err = p.Process(fields, nil, output) + err = p.Process(fields, nil, output, analyzers) if err != nil { t.Fatal(err) } 
diff --git a/libbeat/template/template.go b/libbeat/template/template.go
index 8ed8886e919..291d128d0f4 100644
--- a/libbeat/template/template.go
+++ b/libbeat/template/template.go
@@ -156,12 +156,13 @@ func (t *Template) load(fields mapping.Fields) (common.MapStr, error) {
 // Start processing at the root
 properties := common.MapStr{}
+ analyzers := common.MapStr{}
 processor := Processor{EsVersion: t.esVersion, ElasticLicensed: t.elasticLicensed, Migration: t.migration}
- if err := processor.Process(fields, nil, properties); err != nil {
+ if err := processor.Process(fields, nil, properties, analyzers); err != nil {
 return nil, err
 }
- output := t.Generate(properties, processor.dynamicTemplates)
+ output := t.Generate(properties, analyzers, processor.dynamicTemplates)
 return output, nil
 }
@@ -188,7 +189,7 @@ func (t *Template) LoadBytes(data []byte) (common.MapStr, error) {
 // LoadMinimal loads the template only with the given configuration
 func (t *Template) LoadMinimal() (common.MapStr, error) {
- m := common.MapStr{}
+ var m common.MapStr
 switch t.templateType {
 case IndexTemplateLegacy:
 m = t.loadMinimalLegacy()
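Review bot: Changing `m := common.MapStr{}` to `var m common.MapStr` in `LoadMinimal` means a `templateType` that matches no case now leaves `m` nil instead of empty; the rest of the switch and whatever follows it are outside this hunk, so if that code writes into `m` or callers expect a non-nil map this is a behaviour change rather than a cleanup. If every type is handled, a `default` that returns an error would make that explicit and keep the nil from escaping.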
@@ -249,21 +250,21 @@ func (t *Template) GetPattern() string { // Generate generates the full template // The default values are taken from the default variable. -func (t *Template) Generate(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { +func (t *Template) Generate(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { switch t.templateType { case IndexTemplateLegacy: - return t.generateLegacy(properties, dynamicTemplates) + return t.generateLegacy(properties, analyzers, dynamicTemplates) case IndexTemplateComponent: - return t.generateComponent(properties, dynamicTemplates) + return t.generateComponent(properties, analyzers, dynamicTemplates) case IndexTemplateIndex: - return t.generateIndex(properties, dynamicTemplates) + return t.generateIndex(properties, analyzers, dynamicTemplates) } return nil } -func (t *Template) generateLegacy(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { +func (t *Template) generateLegacy(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern()) - return common.MapStr{ + m := common.MapStr{ keyPattern: patterns, "order": t.order, "mappings": buildMappings( @@ -278,10 +279,14 @@ func (t *Template) generateLegacy(properties common.MapStr, dynamicTemplates []c ), }, } + if len(analyzers) != 0 { + m.Put("settings.analysis.analyzer", analyzers) + } + return m } -func (t *Template) generateComponent(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { - return common.MapStr{ +func (t *Template) generateComponent(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { + m := common.MapStr{ "template": common.MapStr{ "mappings": buildMappings( t.beatVersion, t.esVersion, t.beatName, 
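Review bot: `m.Put("settings.analysis.analyzer", analyzers)` in `generateLegacy` discards the `(interface{}, error)` result that `MapStr.Put` returns, as does the identical call in `generateComponent` in the next hunk. If `settings` is already built as a `common.MapStr` in the literal above, the error looks unreachable, but that reasoning should sit on the line so a reader or linter does not have to redo it: `// Put cannot fail: constant path and "settings" is always a MapStr here.` `generateLegacy`'s literal starts inside this hunk but the function continues past it.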
@@ -296,10 +301,14 @@ func (t *Template) generateComponent(properties common.MapStr, dynamicTemplates }, }, } + if len(analyzers) != 0 { + m.Put("settings.analysis.analyzer", analyzers) + } + return m } -func (t *Template) generateIndex(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { - tmpl := t.generateComponent(properties, dynamicTemplates) +func (t *Template) generateIndex(properties, analyzers common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { + tmpl := t.generateComponent(properties, analyzers, dynamicTemplates) tmpl["priority"] = t.priority keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern()) tmpl[keyPattern] = patterns diff --git a/libbeat/template/template_test.go b/libbeat/template/template_test.go index b969c4da670..27223ecf6bd 100644 --- a/libbeat/template/template_test.go +++ b/libbeat/template/template_test.go @@ -143,7 +143,7 @@ func createTestTemplate(t *testing.T, beatVersion, esVersion string, config Temp t.Fatalf("Failed to create the template: %+v", err) } - return &testTemplate{t: t, tmpl: template, data: template.Generate(nil, nil)} + return &testTemplate{t: t, tmpl: template, data: template.Generate(nil, nil, nil)} } func (t *testTemplate) Has(path string) bool { diff --git a/libbeat/tests/system/base.py b/libbeat/tests/system/base.py index 7fd9f1dbb49..a768d80e31e 100644 --- a/libbeat/tests/system/base.py +++ b/libbeat/tests/system/base.py @@ -1,9 +1,11 @@ import os +from datetime import datetime from beat.beat import TestCase from elasticsearch import Elasticsearch, NotFoundError class BaseTest(TestCase): + today = datetime.now().strftime("%Y%m%d") @classmethod def setUpClass(self): diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py index 195741b1d31..e7a2c60640a 100644 --- a/libbeat/tests/system/beat/beat.py +++ b/libbeat/tests/system/beat/beat.py 
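Review bot: In `generateComponent` the analyzers are put at `settings.analysis.analyzer` on the top-level map, but the literal above nests the mappings under the `"template"` key, and Elasticsearch composable and component templates take their settings from `template.settings`; unless `settings` is also built at the top level somewhere outside this hunk, the analyzers presumably end up outside the template body and are dropped or rejected. `generateIndex` inherits the same placement through `t.generateComponent(...)`. The new `load_test.go` table only checks the legacy shape (`index_patterns`/`order`), so a component-template case with an in-line analyzer would expose this; the likely fix is the path string, `m.Put("template.settings.analysis.analyzer", analyzers)`.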
@@ -119,6 +119,7 @@ def __del__(self): class TestCase(unittest.TestCase, ComposeMixin): + today = datetime.now().strftime("%Y%m%d") @classmethod def setUpClass(self): @@ -207,7 +208,7 @@ def start_beat(self, config = self.beat_name + ".yml" if output is None: - output = self.beat_name + ".log" + output = self.beat_name + "-" + self.today + ".ndjson" args = [cmd, "-systemTest"] if os.getenv("TEST_COVERAGE") == "true": @@ -264,7 +265,7 @@ def read_output(self, # Init defaults if output_file is None: - output_file = "output/" + self.beat_name + output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson" jsons = [] with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f: @@ -288,7 +289,7 @@ def read_output_json(self, output_file=None): # Init defaults if output_file is None: - output_file = "output/" + self.beat_name + output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson" jsons = [] with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f: @@ -368,7 +369,7 @@ def get_log(self, logfile=None): Returns the log as a string. """ if logfile is None: - logfile = self.beat_name + ".log" + logfile = self.beat_name + "-" + self.today + ".ndjson" with open(os.path.join(self.working_dir, logfile), 'r', encoding="utf_8") as f: data = f.read() @@ -380,7 +381,7 @@ def get_log_lines(self, logfile=None): Returns the log lines as a list of strings """ if logfile is None: - logfile = self.beat_name + ".log" + logfile = self.beat_name + "-" + self.today + ".ndjson" with open(os.path.join(self.working_dir, logfile), 'r', encoding="utf_8") as f: data = f.readlines() 
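Review bot: The expression `self.beat_name + "-" + self.today + ".ndjson"` (and its `"output/" + …` variant) is now repeated in every default branch of `start_beat`, `read_output`, `read_output_json`, `get_log`, `get_log_lines` and the hunks that follow, and `test_base.py`, `test_logging.py` and `test_umask.py` rebuild the same name by hand; one definition would be safer, e.g. `def default_log_file(self): return self.beat_name + "-" + self.today + ".ndjson"` and `def default_output_file(self): return "output/" + self.default_log_file()`. `today` is also evaluated once when the class body executes, so if the beat names its file by the current date as this change implies, a run that crosses midnight looks for a file the beat no longer writes; computing it in `setUp` would narrow that window. `base.py` redefining the identical `today` on `BaseTest` is redundant once `TestCase` carries it.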
@@ -417,8 +418,9 @@ def log_contains_count(self, msg, logfile=None, ignore_case=False): # Init defaults if logfile is None: - logfile = self.beat_name + ".log" + logfile = self.beat_name + "-" + self.today + ".ndjson" + print("logfile", logfile, self.working_dir) try: with open(os.path.join(self.working_dir, logfile), "r", encoding="utf_8") as f: for line in f: @@ -430,7 +432,8 @@ def log_contains_count(self, msg, logfile=None, ignore_case=False): line = line.lower() if line.find(msg) >= 0: counter = counter + 1 - except IOError: + except IOError as e: + print(e) counter = -1 return counter @@ -442,7 +445,7 @@ def log_contains_countmap(self, pattern, capture_group, logfile=None): counts = {} if logfile is None: - logfile = self.beat_name + ".log" + logfile = self.beat_name + "-" + self.today + ".ndjson" try: with open(os.path.join(self.working_dir, logfile), "r", encoding="utf_8") as f: @@ -462,7 +465,7 @@ def log_contains_countmap(self, pattern, capture_group, logfile=None): def output_lines(self, output_file=None): """ Count number of lines in a file.""" if output_file is None: - output_file = "output/" + self.beat_name + output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson" try: with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f: @@ -477,7 +480,7 @@ def output_has(self, lines, output_file=None): # Init defaults if output_file is None: - output_file = "output/" + self.beat_name + output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson" try: with open(os.path.join(self.working_dir, output_file, ), "r", encoding="utf_8") as f: @@ -492,7 +495,7 @@ def output_is_empty(self, output_file=None): # Init defaults if output_file is None: - output_file = "output/" + self.beat_name + output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson" try: with open(os.path.join(self.working_dir, output_file, ), "r", encoding="utf_8") as f: 
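Review bot: `print("logfile", logfile, self.working_dir)` and the `print(e)` added in `log_contains_count` look like leftover debugging: the first runs on every call and spams the test output, and the second prints the `IOError` while the function still reports it only as `counter = -1`, so nothing about the result changed. Drop the first; if the second is wanted, a comment such as `# missing log file is reported as -1; print the cause for the test log` would at least make it intentional.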
@@ -656,7 +659,7 @@ def output_count(self, pred, output_file=None): # Init defaults if output_file is None: - output_file = "output/" + self.beat_name + output_file = "output/" + self.beat_name + "-" + self.today + ".ndjson" try: with open(os.path.join(self.working_dir, output_file), "r", encoding="utf_8") as f: diff --git a/libbeat/tests/system/requirements_aix.txt b/libbeat/tests/system/requirements_aix.txt new file mode 100644 index 00000000000..9b9df31aa37 --- /dev/null +++ b/libbeat/tests/system/requirements_aix.txt @@ -0,0 +1,48 @@ +attrs==19.3.0 +autopep8==1.5.4 +backports.ssl-match-hostname==3.5.0.1 +cached-property==1.4.2 +certifi==2018.1.18 +chardet==3.0.4 +deepdiff==4.2.0 +docker==4.1.0 +docker-pycreds==0.4.0 +dockerpty==0.4.1 +docopt==0.6.2 +elasticsearch==7.8.1 +enum34==1.1.6 +idna==2.6 +importlib-metadata==1.7.0 +iniconfig==1.0.1 +ipaddress==1.0.19 +Jinja2==2.11.2 +jsondiff==1.1.2 +jsonschema==3.2.0 +kafka-python==1.4.3 +MarkupSafe==1.1.1 +more-itertools==8.4.0 +ordered-set==3.1.1 +packaging==20.4 +parameterized==0.7.0 +pluggy==0.13.1 +py==1.10.0 +pycodestyle==2.6.0 +pyparsing==2.4.7 +pyrsistent==0.16.0 +pytest==6.2.4 +pytest-rerunfailures==9.1.1 +pytest-timeout==1.4.2 +PyYAML==5.4.1 +redis==2.10.6 +requests==2.25.1 +semver==2.8.1 +setuptools==47.3.2 +six==1.15.0 +stomp.py==4.1.22 +termcolor==1.1.0 +texttable==0.9.1 +toml==0.10.1 +urllib3==1.26.5 +wcwidth==0.2.5 +websocket-client==0.47.0 +zipp>=1.2.0,<=3.1.0 \ No newline at end of file diff --git a/libbeat/tests/system/template/template.go b/libbeat/tests/system/template/template.go index 09c9e0dcb19..ed284a6ff79 100644 --- a/libbeat/tests/system/template/template.go +++ b/libbeat/tests/system/template/template.go 
@@ -63,7 +63,7 @@ func testTemplateDefaultFieldLength(beatName string, elasticLicensed bool) func( t.Fatal("Failed to load template bytes:", err) } - templateMap := tmpl.Generate(fields, nil) + templateMap := tmpl.Generate(fields, nil, nil) v, _ := templateMap.GetValue("settings.index.query.default_field") defaultValue, ok := v.([]string) diff --git a/libbeat/tests/system/test_base.py b/libbeat/tests/system/test_base.py index 97615e7ec00..fbb8b324f16 100644 --- a/libbeat/tests/system/test_base.py +++ b/libbeat/tests/system/test_base.py @@ -165,8 +165,7 @@ def run(): # remove log, restart beat and check meta file did not change # and same UUID is used in log output. - - os.remove(os.path.join(self.working_dir, "mockbeat.log")) + os.remove(os.path.join(self.working_dir, "mockbeat-" + self.today + ".ndjson")) meta1 = run() assert self.log_contains("Beat ID: {}".format(meta1["uuid"])) diff --git a/libbeat/tests/system/test_http.py b/libbeat/tests/system/test_http.py index 5c1baa81bd2..76e5b40b181 100644 --- a/libbeat/tests/system/test_http.py +++ b/libbeat/tests/system/test_http.py @@ -47,3 +47,10 @@ def test_error(self): """ r = requests.get("http://localhost:5066/not-exist") assert r.status_code == 404 + + def test_pprof_disabled(self): + """ + Test /debug/pprof/ http endpoint + """ + r = requests.get("http://localhost:5066/debug/pprof/") + assert r.status_code == 404 diff --git a/libbeat/tests/system/test_http_pprof.py b/libbeat/tests/system/test_http_pprof.py new file mode 100644 index 00000000000..0276206fc9a --- /dev/null +++ b/libbeat/tests/system/test_http_pprof.py 
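Review bot: The new `test_pprof_disabled` carries the same docstring as `test_pprof` in the new pprof test file, `"""Test /debug/pprof/ http endpoint"""`, although it checks the opposite outcome; a docstring that states the contract would make the 404 assertion self-explanatory, e.g. `"""The pprof endpoints must return 404 unless http.pprof.enabled is set."""`. That contract is worth spelling out because the pprof handlers expose process internals and this test is what pins the default to off.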
@@ -0,0 +1,39 @@ +from base import BaseTest + +import requests +import json + + +class Test(BaseTest): + def setUp(self): + super(BaseTest, self).setUp() + self.render_config_template() + self.proc = self.start_beat(extra_args=["-E", "http.enabled=true", "-E", "http.pprof.enabled=true"]) + self.wait_until(lambda: self.log_contains("Starting stats endpoint")) + + def tearDown(self): + super(BaseTest, self).tearDown() + # Wait till the beat is completely started so it can handle SIGTERM + self.wait_until(lambda: self.log_contains("mockbeat start running.")) + self.proc.check_kill_and_wait() + + def test_pprof(self): + """ + Test /debug/pprof/ http endpoint + """ + r = requests.get("http://localhost:5066/debug/pprof/") + assert r.status_code == 200 + + def test_pprof_cmdline(self): + """ + Test /debug/pprof/cmdline http endpoint + """ + r = requests.get("http://localhost:5066/debug/pprof/cmdline") + assert r.status_code == 200 + + def test_pprof_error(self): + """ + Test not existing http endpoint + """ + r = requests.get("http://localhost:5066/debug/pprof/not-exist") + assert r.status_code == 404 diff --git a/libbeat/tests/system/test_logging.py b/libbeat/tests/system/test_logging.py index 4295bfd1776..4380e25b55c 100644 --- a/libbeat/tests/system/test_logging.py +++ b/libbeat/tests/system/test_logging.py @@ -39,11 +39,11 @@ def test_file_default(self): """ self.run_beat_with_args("Mockbeat is alive!", logging_args=[]) - self.assert_contains_ecs_log(logfile="logs/mockbeat") + self.assert_contains_ecs_log(logfile="logs/mockbeat-"+self.today+".ndjson") def test_file_ecs(self): """ logs to file with ECS format """ self.run_beat_with_args("Mockbeat is alive!") - self.assert_contains_ecs_log(logfile="logs/mockbeat") + self.assert_contains_ecs_log(logfile="logs/mockbeat-"+self.today+".ndjson") diff --git a/libbeat/tests/system/test_umask.py b/libbeat/tests/system/test_umask.py index e78214e2d9c..d6a7b7f391c 100644 --- a/libbeat/tests/system/test_umask.py 
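Review bot: `super(BaseTest, self).setUp()` and `super(BaseTest, self).tearDown()` in the new `Test` class skip `BaseTest`'s own setUp/tearDown, because the first argument to `super()` names the class whose *parent* should be resolved; in a class declared as `Test(BaseTest)` this should be `super().setUp()` / `super().tearDown()` (or `super(Test, self)`). If `BaseTest.setUp` prepares the working directory or other per-test state, that work is presumably missing here and the tests only pass because the same mistake may exist elsewhere — worth confirming against base.py, which is outside the hunk. `import json` is unused in this file and can be dropped.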
+++ b/libbeat/tests/system/test_umask.py @@ -30,7 +30,7 @@ def test_output_file_perms(self): """ Test that output file permissions respect default umask """ - output_file_path = os.path.join(self.working_dir, "output", "mockbeat") + output_file_path = os.path.join(self.working_dir, "output", "mockbeat-" + self.today + ".ndjson") perms = stat.S_IMODE(os.lstat(output_file_path).st_mode) self.assertEqual(perms, self.output_file_permissions & ~TestUmask.DEFAULT_UMASK) diff --git a/metricbeat/docs/autodiscover-hints.asciidoc b/metricbeat/docs/autodiscover-hints.asciidoc index 68ee45f5901..240296751cb 100644 --- a/metricbeat/docs/autodiscover-hints.asciidoc +++ b/metricbeat/docs/autodiscover-hints.asciidoc @@ -161,7 +161,7 @@ annotations: ------------------------------------------------------------------------------------- The above configuration would spin up two metricbeat module configurations to ensure that the endpoint "/metrics/p1" is -polled every 60s whereas the "/metrics" endpoint is polled every 60s. +polled every 5s whereas the "/metrics" endpoint is polled every 60s. [float] ===== Namespace Defaults diff --git a/metricbeat/docs/autodiscover-kubernetes-config.asciidoc b/metricbeat/docs/autodiscover-kubernetes-config.asciidoc index 6c01fd03083..dfabef89b72 100644 --- a/metricbeat/docs/autodiscover-kubernetes-config.asciidoc +++ b/metricbeat/docs/autodiscover-kubernetes-config.asciidoc @@ -67,7 +67,7 @@ where `REDIS_PASSWORD` is a key stored in local keystore of Metricbeat. [float] ===== Kubernetes Secrets Metricbeat autodiscover supports leveraging https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes secrets] -in order to retrieve sensitive data like passwords. In order to enable this future add the following section +in order to retrieve sensitive data like passwords. In order to enable this feature add the following section in Metricbeat's `ClusterRole` rules: ["source","yaml",subs="attributes"] 
@@ -80,8 +80,8 @@ in Metricbeat's `ClusterRole` rules: CAUTION: The above rule will give permission to Metricbeat Pod to access Kubernetes Secrets API. This means that anyone who have access to Metricbeat Pod (`kubectl exec` for example) will be able to access -Kubernetes Secrets API and get a specific secret no matter which namespace it belongs to. In this, -this option should be carefully considered, specially when used with hints. +Kubernetes Secrets API and get a specific secret no matter which namespace it belongs to. +This option should be carefully considered, specially when used with hints. One option to give permissions only for one namespace, and not cluster-scoped, is to use a specific Role for a targeted namespace so as to better control access: @@ -126,7 +126,7 @@ where `kubernetes.default.somesecret.value` specifies a key stored as Kubernetes . Kubernetes Secret Name: `somesecret` . Secret Data Key: `value` -This secret can be created in a Kubernetes environment using the following the command: +This secret can be created in a Kubernetes environment using the following command: ["source","yaml",subs="attributes"] ------------------------------------------------------------------------------------- cat << EOF | kubectl apply -f - diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index cba51ff349f..886ec623bbc 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -6736,7 +6736,7 @@ alias to: beat.stats.apm_server.acm.response.errors.unauthorized -- type: alias -alias to: beat.stats.beat.host +alias to: beat.stats.info.host -- @@ -6745,7 +6745,7 @@ alias to: beat.stats.beat.host -- type: alias -alias to: beat.stats.beat.name +alias to: beat.stats.info.name -- @@ -6754,7 +6754,7 @@ alias to: beat.stats.beat.name -- type: alias -alias to: beat.stats.beat.type +alias to: beat.stats.info.type -- 
@@ -6763,7 +6763,7 @@ alias to: beat.stats.beat.type -- type: alias -alias to: beat.stats.beat.uuid +alias to: beat.stats.info.uuid -- @@ -6772,7 +6772,7 @@ alias to: beat.stats.beat.uuid -- type: alias -alias to: beat.stats.beat.version +alias to: beat.stats.info.version -- @@ -8273,35 +8273,35 @@ type: long -- -*`beat.stats.beat.name`*:: +*`beat.stats.info.name`*:: + -- type: keyword -- -*`beat.stats.beat.host`*:: +*`beat.stats.info.host`*:: + -- type: keyword -- -*`beat.stats.beat.type`*:: +*`beat.stats.info.type`*:: + -- type: keyword -- -*`beat.stats.beat.uuid`*:: +*`beat.stats.info.uuid`*:: + -- type: keyword -- -*`beat.stats.beat.version`*:: +*`beat.stats.info.version`*:: + -- type: keyword @@ -52790,10 +52790,40 @@ Openmetrics module +*`openmetrics.help`*:: ++ +-- +Brief description of the MetricFamily + + +type: keyword + +-- + +*`openmetrics.type`*:: ++ +-- +Metric type + + +type: keyword + +-- + +*`openmetrics.unit`*:: ++ +-- +Metric unit + + +type: keyword + +-- + *`openmetrics.labels.*`*:: + -- -Prometheus metric labels +Openmetrics metric labels type: object @@ -52803,7 +52833,27 @@ type: object *`openmetrics.metrics.*`*:: + -- -Prometheus metric +Openmetrics metric + + +type: object + +-- + +*`openmetrics.exemplar.*`*:: ++ +-- +Openmetrics exemplars + + +type: object + +-- + +*`openmetrics.exemplar.labels.*`*:: ++ +-- +Openmetrics metric exemplar labels type: object @@ -58924,7 +58974,7 @@ type: keyword *`system.filesystem.type`*:: + -- -The disk type. For example: `ext4` +The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks). type: keyword diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index 06000e77291..2b184916aa9 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc 
@@ -9,6 +9,7 @@ beta[] include::../../../module/openmetrics/collector/_meta/docs.asciidoc[] +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/helper/openmetrics/label.go b/metricbeat/helper/openmetrics/label.go new file mode 100644 index 00000000000..0f0a69054dd --- /dev/null +++ b/metricbeat/helper/openmetrics/label.go 
@@ -0,0 +1,59 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +// LabelMap defines the mapping from OpenMetrics label to a Metricbeat field +type LabelMap interface { + // GetField returns the resulting field name + GetField() string + + // IsKey returns true if the label is a key label + IsKey() bool +} + +// Label maps a OpenMetrics label to a Metricbeat field +func Label(field string) LabelMap { + return &commonLabel{ + field: field, + key: false, + } +} + +// KeyLabel maps a OpenMetrics label to a Metricbeat field. The label is flagged as key. +// Metrics with the same tuple of key labels will be grouped in the same event. +func KeyLabel(field string) LabelMap { + return &commonLabel{ + field: field, + key: true, + } +} + +type commonLabel struct { + field string + key bool +} + +// GetField returns the resulting field name +func (l *commonLabel) GetField() string { + return l.field +} + +// IsKey returns true if the label is a key label +func (l *commonLabel) IsKey() bool { + return l.key +} diff --git a/metricbeat/helper/openmetrics/metric.go b/metricbeat/helper/openmetrics/metric.go new file mode 100644 index 00000000000..4907ab59c9e --- /dev/null 
+++ b/metricbeat/helper/openmetrics/metric.go 
@@ -0,0 +1,495 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "fmt" + "math" + "strconv" + "strings" + "time" + + "github.com/elastic/beats/v7/libbeat/common" +) + +// MetricMap defines the mapping from Openmetrics metric to a Metricbeat field +type MetricMap interface { + // GetOptions returns the list of metric options + GetOptions() []MetricOption + + // GetField returns the resulting field name + GetField() string + + // GetValue returns the resulting value + GetValue(m *OpenMetric) interface{} + GetNilValue() interface{} + + // GetConfiguration returns the configuration for the metric + GetConfiguration() Configuration +} + +// Configuration for mappings that needs extended treatment +type Configuration struct { + // StoreNonMappedLabels indicates if labels found at the metric that are + // not found at the label map should be part of the resulting event. + // This setting should be used when the label name is not known beforehand + StoreNonMappedLabels bool + // NonMappedLabelsPlacement is used when StoreNonMappedLabels is set to true, and + // defines the key path at the event under which to store the dynamically found labels. 
+ // This key path will be added to the events that match this metric along with a subset of + // key/value pairs will be created under it, one for each non mapped label found. + // + // Example: + // + // given a metric family in a Openmetrics resource in the form: + // metric1{label1="value1",label2="value2"} 1 + // and not mapping labels but using this entry on a the MetricMap definition: + // "metric1": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "mypath"}), + // would output an event that contains a metricset field as follows + // "mypath": {"label1":"value1","label2":"value2"} + // + NonMappedLabelsPlacement string + // MetricProcessing options are a set of functions that will be + // applied to metrics after they are retrieved + MetricProcessingOptions []MetricOption + // ExtraFields is used to add fields to the + // event where this metric is included + ExtraFields common.MapStr +} + +// MetricOption adds settings to Metric objects behavior +type MetricOption interface { + // Process a tuple of field, value and labels from a metric, return the same tuple updated + Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) +} + +// OpFilterMap only processes metrics matching the given filter +func OpFilterMap(label string, filterMap map[string]string) MetricOption { + return opFilterMap{ + label: label, + filterMap: filterMap, + } +} + +// OpLowercaseValue lowercases the value if it's a string +func OpLowercaseValue() MetricOption { + return opLowercaseValue{} +} + +// OpUnixTimestampValue parses a value into a Unix timestamp +func OpUnixTimestampValue() MetricOption { + return opUnixTimestampValue{} +} + +// OpMultiplyBuckets multiplies bucket labels in histograms, useful to change units +func OpMultiplyBuckets(multiplier float64) MetricOption { + return opMultiplyBuckets{ + multiplier: multiplier, + } +} + +// OpSetSuffix extends the field's name with the given suffix if 
the value of the metric +// is numeric (and not histogram or quantile), otherwise does nothing +func OpSetNumericMetricSuffix(suffix string) MetricOption { + return opSetNumericMetricSuffix{ + suffix: suffix, + } +} + +// Metric directly maps a Openmetrics metric to a Metricbeat field +func Metric(field string, options ...MetricOption) MetricMap { + return &commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + } +} + +// KeywordMetric maps a Openmetrics metric to a Metricbeat field, stores the +// given keyword when source metric value is 1 +func KeywordMetric(field, keyword string, options ...MetricOption) MetricMap { + return &keywordMetric{ + commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + }, + keyword, + } +} + +// BooleanMetric maps a Openmetrics metric to a Metricbeat field of bool type +func BooleanMetric(field string, options ...MetricOption) MetricMap { + return &booleanMetric{ + commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + }, + } +} + +// LabelMetric maps a Openmetrics metric to a Metricbeat field, stores the value +// of a given label on it if the gauge value is 1 +func LabelMetric(field, label string, options ...MetricOption) MetricMap { + return &labelMetric{ + commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + }, + label, + } +} + +// InfoMetric obtains info labels from the given metric and puts them +// into events matching all the key labels present in the metric +func InfoMetric(options ...MetricOption) MetricMap { + return &infoMetric{ + commonMetric{ + config: Configuration{MetricProcessingOptions: options}, + }, + } +} + +// ExtendedInfoMetric obtains info labels from the given metric and puts them +// into events matching all the key labels present in the metric +func ExtendedInfoMetric(configuration Configuration) MetricMap { + return &infoMetric{ + commonMetric{ + config: 
configuration, + }, + } +} + +// ExtendedMetric is a metric item that allows extended behaviour +// through configuration +func ExtendedMetric(field string, configuration Configuration) MetricMap { + return &commonMetric{ + field: field, + config: configuration, + } +} + +type commonMetric struct { + field string + config Configuration +} + +// GetOptions returns the list of metric options +func (m *commonMetric) GetOptions() []MetricOption { + return m.config.MetricProcessingOptions +} + +// GetField returns the resulting field name +func (m *commonMetric) GetField() string { + return m.field +} + +// GetConfiguration returns the configuration for the metric +func (m *commonMetric) GetConfiguration() Configuration { + return m.config +} +func (m *commonMetric) GetNilValue() interface{} { + return nil +} + +// GetValue returns the resulting value +func (m *commonMetric) GetValue(metric *OpenMetric) interface{} { + info := metric.GetInfo() + if info != nil { + if info.HasValidValue() { + return info.GetValue() + } + } + + stateset := metric.GetStateset() + if stateset != nil { + if stateset.HasValidValue() { + return stateset.GetValue() + } + } + + unknown := metric.GetUnknown() + if unknown != nil { + if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) { + return int64(unknown.GetValue()) + } + } + + counter := metric.GetCounter() + if counter != nil { + if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) { + return int64(counter.GetValue()) + } + } + + gauge := metric.GetGauge() + if gauge != nil { + if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) { + return gauge.GetValue() + } + } + + summary := metric.GetSummary() + if summary != nil { + value := common.MapStr{} + if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) { + value["sum"] = summary.GetSampleSum() + value["count"] = summary.GetSampleCount() + } + + quantiles := summary.GetQuantile() + percentileMap := 
common.MapStr{} + for _, quantile := range quantiles { + if !math.IsNaN(quantile.GetValue()) && !math.IsInf(quantile.GetValue(), 0) { + key := strconv.FormatFloat(100*quantile.GetQuantile(), 'f', -1, 64) + percentileMap[key] = quantile.GetValue() + } + } + + if len(percentileMap) != 0 { + value["percentile"] = percentileMap + } + + return value + } + + histogram := metric.GetHistogram() + if histogram != nil { + value := common.MapStr{} + if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) { + value["sum"] = histogram.GetSampleSum() + value["count"] = histogram.GetSampleCount() + } + + buckets := histogram.GetBucket() + bucketMap := common.MapStr{} + for _, bucket := range buckets { + if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) { + key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64) + bucketMap[key] = bucket.GetCumulativeCount() + } + } + + if len(bucketMap) != 0 { + value["bucket"] = bucketMap + } + + return value + } + + gaugehistogram := metric.GetGaugeHistogram() + if gaugehistogram != nil { + value := common.MapStr{} + if !math.IsNaN(gaugehistogram.GetSampleSum()) && !math.IsInf(gaugehistogram.GetSampleSum(), 0) { + value["gsum"] = gaugehistogram.GetSampleSum() + value["gcount"] = gaugehistogram.GetSampleCount() + } + + buckets := gaugehistogram.GetBucket() + bucketMap := common.MapStr{} + for _, bucket := range buckets { + if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) { + key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64) + bucketMap[key] = bucket.GetCumulativeCount() + } + } + + if len(bucketMap) != 0 { + value["bucket"] = bucketMap + } + + return value + } + + // Other types are not supported here + return nil +} + +type keywordMetric struct { + commonMetric + keyword string +} + +// GetValue returns the resulting value +func (m *keywordMetric) GetValue(metric *OpenMetric) 
interface{} { + if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 { + return m.keyword + } + return nil +} + +type booleanMetric struct { + commonMetric +} + +// GetValue returns the resulting value +func (m *booleanMetric) GetValue(metric *OpenMetric) interface{} { + if gauge := metric.GetGauge(); gauge != nil { + return gauge.GetValue() == 1 + } + return nil +} + +type labelMetric struct { + commonMetric + label string +} + +// GetValue returns the resulting value +func (m *labelMetric) GetValue(metric *OpenMetric) interface{} { + if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 { + return getLabel(metric, m.label) + } + return nil +} + +func getLabel(metric *OpenMetric, name string) string { + for _, label := range metric.GetLabel() { + if label.Name == name { + return label.Value + } + } + return "" +} + +type infoMetric struct { + commonMetric +} + +// GetValue returns the resulting value +func (m *infoMetric) GetValue(metric *OpenMetric) interface{} { + return "" +} + +// GetField returns the resulting field name +func (m *infoMetric) GetField() string { + return "" +} + +type opFilterMap struct { + label string + filterMap map[string]string +} + +// Called by the Openmetrics helper to apply extra options on retrieved metrics +// Check whether the value of the specified label is allowed and, if yes, return the metric via the specified mapped field +// Else, if the specified label does not match the filter, return nil +// This is useful in cases where multiple Metricbeat fields need to be defined per Openmetrics metric, based on label values +func (o opFilterMap) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + for k, v := range o.filterMap { + if labels[o.label] == k { + return fmt.Sprintf("%v.%v", field, v), value, labels + } + } + return "", nil, nil +} + +type opLowercaseValue struct{} + +// Process will lowercase the given value if it's a string +func (o 
opLowercaseValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + if val, ok := value.(string); ok { + value = strings.ToLower(val) + } + return field, value, labels +} + +type opMultiplyBuckets struct { + multiplier float64 +} + +// Process will multiply the bucket labels if it is an histogram with numeric labels +func (o opMultiplyBuckets) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + histogram, ok := value.(common.MapStr) + if !ok { + return field, value, labels + } + bucket, ok := histogram["bucket"].(common.MapStr) + if !ok { + return field, value, labels + } + sum, ok := histogram["sum"].(float64) + if !ok { + return field, value, labels + } + multiplied := common.MapStr{} + for k, v := range bucket { + if f, err := strconv.ParseFloat(k, 64); err == nil { + key := strconv.FormatFloat(f*o.multiplier, 'f', -1, 64) + multiplied[key] = v + } else { + multiplied[k] = v + } + } + histogram["bucket"] = multiplied + histogram["sum"] = sum * o.multiplier + return field, histogram, labels +} + +type opSetNumericMetricSuffix struct { + suffix string +} + +// Process will extend the field's name with the given suffix +func (o opSetNumericMetricSuffix) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + _, ok := value.(float64) + if !ok { + return field, value, labels + } + field = fmt.Sprintf("%v.%v", field, o.suffix) + return field, value, labels +} + +type opUnixTimestampValue struct { +} + +// Process converts a value in seconds into an unix time +func (o opUnixTimestampValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + return field, common.Time(time.Unix(int64(value.(float64)), 0)), labels +} + +// OpLabelKeyPrefixRemover removes prefix from label keys +func OpLabelKeyPrefixRemover(prefix string) MetricOption { + return 
opLabelKeyPrefixRemover{prefix} +} + +// opLabelKeyPrefixRemover is a metric option processor that removes a prefix from the key of a label set +type opLabelKeyPrefixRemover struct { + Prefix string +} + +// Process modifies the labels map, removing a prefix when found at keys of the labels set. +// For each label, if the key is found a new key will be created hosting the same value and the +// old key will be deleted. +// Fields, values and not prefixed labels will remain unmodified. +func (o opLabelKeyPrefixRemover) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + renameKeys := []string{} + for k := range labels { + if len(k) < len(o.Prefix) { + continue + } + if k[:6] == o.Prefix { + renameKeys = append(renameKeys, k) + } + } + + for i := range renameKeys { + v := labels[renameKeys[i]] + delete(labels, renameKeys[i]) + labels[renameKeys[i][len(o.Prefix):]] = v + } + return "", value, labels +} diff --git a/metricbeat/helper/openmetrics/module.go b/metricbeat/helper/openmetrics/module.go new file mode 100644 index 00000000000..fac374ee1b4 --- /dev/null +++ b/metricbeat/helper/openmetrics/module.go 
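Review bot: `opLabelKeyPrefixRemover.Process` compares `k[:6]` against `o.Prefix`, hard-coding a prefix length of 6, so any prefix of a different length never matches (or matches on the wrong characters); the length guard and the slice should be replaced by `if strings.HasPrefix(k, o.Prefix) {`, which is already imported in this file. The same method returns `""` as the field although its doc comment says fields remain unmodified, so `return "", value, labels` should be `return field, value, labels`. Separately, `opUnixTimestampValue.Process` does an unchecked `value.(float64)` assertion and will panic on a metric whose mapped value is not a float (for example a summary or histogram map); a `v, ok := value.(float64)` check that returns the input unchanged when `!ok` would match the other option processors. In `commonMetric.GetValue`, the histogram and gauge-histogram loops test `bucket.GetCumulativeCount() != uint64(math.NaN())`, but converting NaN or Inf to `uint64` is not a meaningful sentinel in Go, so those conditions are effectively always true and could be dropped or replaced by an explicit bounds check if one is intended.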
@@ -0,0 +1,61 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/mb/parse" +) + +const ( + defaultScheme = "http" + defaultPath = "/metrics" +) + +var ( + // HostParser validates OpenMetrics URLs + HostParser = parse.URLHostParserBuilder{ + DefaultScheme: defaultScheme, + DefaultPath: defaultPath, + }.Build() +) + +// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using the given mapping +func MetricSetBuilder(mapping *MetricsMapping) func(base mb.BaseMetricSet) (mb.MetricSet, error) { + return func(base mb.BaseMetricSet) (mb.MetricSet, error) { + openmetrics, err := NewOpenMetricsClient(base) + if err != nil { + return nil, err + } + return &openmetricsMetricSet{ + BaseMetricSet: base, + openmetrics: openmetrics, + mapping: mapping, + }, nil + } +} + +type openmetricsMetricSet struct { + mb.BaseMetricSet + openmetrics OpenMetrics + mapping *MetricsMapping +} + +func (m *openmetricsMetricSet) Fetch(r mb.ReporterV2) error { + return m.openmetrics.ReportProcessedMetrics(m.mapping, r) +} 
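Review bot: `openmetricsMetricSet` and its `Fetch` method have no doc comments, while the rest of the new package documents each exported builder; suggest `// Fetch collects the OpenMetrics endpoint once and reports the mapped events through r; errors from ReportProcessedMetrics are returned unchanged.` above `Fetch`, and a one-line comment on the struct naming the three fields it carries. Whether `ReportProcessedMetrics` itself reports partial results on error is defined in openmetrics.go, outside this hunk.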
diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go new file mode 100644 index 00000000000..9e4abc6428b --- /dev/null +++ b/metricbeat/helper/openmetrics/openmetrics.go 
@@ -0,0 +1,1000 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "compress/gzip" + "fmt" + "io" + "io/ioutil" + "math" + "mime" + "net/http" + "regexp" + "strconv" + "strings" + "time" + + "github.com/prometheus/common/model" + + "github.com/prometheus/prometheus/pkg/exemplar" + "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + "github.com/prometheus/prometheus/pkg/timestamp" + + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/helper" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +const acceptHeader = `application/openmetrics-text; version=1.0.0; charset=utf-8,text/plain` + +var errNameLabelMandatory = fmt.Errorf("missing metric name (%s label)", labels.MetricName) + +type Gauge struct { + Value *float64 +} + +func (m *Gauge) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Info struct { + Value *int64 +} + +func (m *Info) GetValue() int64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} +func (m *Info) HasValidValue() bool { + return m != nil && 
*m.Value == 1 +} + +type Stateset struct { + Value *int64 +} + +func (m *Stateset) GetValue() int64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} +func (m *Stateset) HasValidValue() bool { + return m != nil && (*m.Value == 0 || *m.Value == 1) +} + +type Counter struct { + Value *float64 +} + +func (m *Counter) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Quantile struct { + Quantile *float64 + Value *float64 + Exemplar *exemplar.Exemplar +} + +func (m *Quantile) GetQuantile() float64 { + if m != nil && m.Quantile != nil { + return *m.Quantile + } + return 0 +} + +func (m *Quantile) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Summary struct { + SampleCount *uint64 + SampleSum *float64 + Quantile []*Quantile +} + +func (m *Summary) GetSampleCount() uint64 { + if m != nil && m.SampleCount != nil { + return *m.SampleCount + } + return 0 +} + +func (m *Summary) GetSampleSum() float64 { + if m != nil && m.SampleSum != nil { + return *m.SampleSum + } + return 0 +} + +func (m *Summary) GetQuantile() []*Quantile { + if m != nil { + return m.Quantile + } + return nil +} + +type Unknown struct { + Value *float64 +} + +func (m *Unknown) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Bucket struct { + CumulativeCount *uint64 + UpperBound *float64 + Exemplar *exemplar.Exemplar +} + +func (m *Bucket) GetCumulativeCount() uint64 { + if m != nil && m.CumulativeCount != nil { + return *m.CumulativeCount + } + return 0 +} + +func (m *Bucket) GetUpperBound() float64 { + if m != nil && m.UpperBound != nil { + return *m.UpperBound + } + return 0 +} + +type Histogram struct { + SampleCount *uint64 + SampleSum *float64 + Bucket []*Bucket + IsGaugeHistogram bool +} + +func (m *Histogram) GetSampleCount() uint64 { + if m != nil && m.SampleCount != nil { + return *m.SampleCount + } + return 0 +} + +func (m 
*Histogram) GetSampleSum() float64 { + if m != nil && m.SampleSum != nil { + return *m.SampleSum + } + return 0 +} + +func (m *Histogram) GetBucket() []*Bucket { + if m != nil { + return m.Bucket + } + return nil +} + +type OpenMetric struct { + Label []*labels.Label + Exemplar *exemplar.Exemplar + Name *string + Gauge *Gauge + Counter *Counter + Info *Info + Stateset *Stateset + Summary *Summary + Unknown *Unknown + Histogram *Histogram + TimestampMs *int64 +} + +func (m *OpenMetric) GetName() *string { + if m != nil { + return m.Name + } + return nil +} + +func (m *OpenMetric) GetLabel() []*labels.Label { + if m != nil { + return m.Label + } + return nil +} + +func (m *OpenMetric) GetGauge() *Gauge { + if m != nil { + return m.Gauge + } + return nil +} + +func (m *OpenMetric) GetCounter() *Counter { + if m != nil { + return m.Counter + } + return nil +} + +func (m *OpenMetric) GetInfo() *Info { + if m != nil { + return m.Info + } + return nil +} + +func (m *OpenMetric) GetStateset() *Stateset { + if m != nil { + return m.Stateset + } + return nil +} + +func (m *OpenMetric) GetSummary() *Summary { + if m != nil { + return m.Summary + } + return nil +} + +func (m *OpenMetric) GetUnknown() *Unknown { + if m != nil { + return m.Unknown + } + return nil +} + +func (m *OpenMetric) GetHistogram() *Histogram { + if m != nil && m.Histogram != nil && !m.Histogram.IsGaugeHistogram { + return m.Histogram + } + return nil +} + +func (m *OpenMetric) GetGaugeHistogram() *Histogram { + if m != nil && m.Histogram != nil && m.Histogram.IsGaugeHistogram { + return m.Histogram + } + return nil +} + +func (m *OpenMetric) GetTimestampMs() int64 { + if m != nil && m.TimestampMs != nil { + return *m.TimestampMs + } + return 0 +} + +type OpenMetricFamily struct { + Name *string + Help *string + Type textparse.MetricType + Unit *string + Metric []*OpenMetric +} + +func (m *OpenMetricFamily) GetName() string { + if m != nil && m.Name != nil { + return *m.Name + } + return "" +} +func (m 
*OpenMetricFamily) GetUnit() string { + if m != nil && *m.Unit != "" { + return *m.Unit + } + return "" +} + +func (m *OpenMetricFamily) GetMetric() []*OpenMetric { + if m != nil { + return m.Metric + } + return nil +} + +// OpenMetrics helper retrieves openmetrics formatted metrics +// This interface needs to use TextParse +type OpenMetrics interface { + // GetFamilies requests metric families from openmetrics endpoint and returns them + GetFamilies() ([]*OpenMetricFamily, error) + + GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error) + + ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error) + + ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error +} + +type openmetrics struct { + httpfetcher + logger *logp.Logger +} + +type httpfetcher interface { + FetchResponse() (*http.Response, error) +} + +// NewOpenMetricsClient creates new openmetrics helper +func NewOpenMetricsClient(base mb.BaseMetricSet) (OpenMetrics, error) { + httpclient, err := helper.NewHTTP(base) + if err != nil { + return nil, err + } + + httpclient.SetHeaderDefault("Accept", acceptHeader) + httpclient.SetHeaderDefault("Accept-Encoding", "gzip") + return &openmetrics{httpclient, base.Logger()}, nil +} + +// GetFamilies requests metric families from openmetrics endpoint and returns them +func (p *openmetrics) GetFamilies() ([]*OpenMetricFamily, error) { + var reader io.Reader + + resp, err := p.FetchResponse() + if err != nil { + return nil, err + } + defer resp.Body.Close() + + if resp.Header.Get("Content-Encoding") == "gzip" { + greader, err := gzip.NewReader(resp.Body) + if err != nil { + return nil, err + } + defer greader.Close() + reader = greader + } else { + reader = resp.Body + } + + if resp.StatusCode > 399 { + bodyBytes, err := ioutil.ReadAll(reader) + if err == nil { + p.logger.Debug("error received from openmetrics endpoint: ", string(bodyBytes)) + } + return nil, fmt.Errorf("unexpected status code %d from 
server", resp.StatusCode) + } + + contentType := getContentType(resp.Header) + if contentType == "" { + return nil, fmt.Errorf("Invalid format for response of response") + } + + appendTime := time.Now().Round(0) + b, err := ioutil.ReadAll(reader) + families, err := parseMetricFamilies(b, contentType, appendTime) + + return families, nil +} + +const ( + suffixInfo = "_info" + suffixTotal = "_total" + suffixGCount = "_gcount" + suffixGSum = "_gsum" + suffixCount = "_count" + suffixSum = "_sum" + suffixBucket = "_bucket" +) + +func isInfo(name string) bool { + return len(name) > 5 && name[len(name)-5:] == suffixInfo +} + +// Counters have _total suffix +func isTotal(name string) bool { + return len(name) > 6 && name[len(name)-6:] == suffixTotal +} + +func isGCount(name string) bool { + return len(name) > 7 && name[len(name)-7:] == suffixGCount +} + +func isGSum(name string) bool { + return len(name) > 5 && name[len(name)-5:] == suffixGSum +} + +func isCount(name string) bool { + return len(name) > 6 && name[len(name)-6:] == suffixCount +} + +func isSum(name string) bool { + return len(name) > 4 && name[len(name)-4:] == suffixSum +} + +func isBucket(name string) bool { + return len(name) > 7 && name[len(name)-7:] == suffixBucket +} + +func summaryMetricName(name string, s float64, qv string, lbls string, t *int64, summariesByName map[string]map[string]*OpenMetric) (string, *OpenMetric) { + var summary = &Summary{} + var quantile = []*Quantile{} + var quant = &Quantile{} + + switch { + case isCount(name): + u := uint64(s) + summary.SampleCount = &u + name = name[:len(name)-6] + case isSum(name): + summary.SampleSum = &s + name = name[:len(name)-4] + default: + f, err := strconv.ParseFloat(qv, 64) + if err != nil { + f = -1 + } + quant.Quantile = &f + quant.Value = &s + } + + _, k := summariesByName[name] + if !k { + summariesByName[name] = make(map[string]*OpenMetric) + } + metric, ok := summariesByName[name][lbls] + if !ok { + metric = &OpenMetric{} + metric.Name = 
&name + metric.Summary = summary + metric.Summary.Quantile = quantile + summariesByName[name][lbls] = metric + } + if metric.Summary.SampleSum == nil && summary.SampleSum != nil { + metric.Summary.SampleSum = summary.SampleSum + } else if metric.Summary.SampleCount == nil && summary.SampleCount != nil { + metric.Summary.SampleCount = summary.SampleCount + } else if quant.Quantile != nil { + metric.Summary.Quantile = append(metric.Summary.Quantile, quant) + } + + return name, metric +} + +func histogramMetricName(name string, s float64, qv string, lbls string, t *int64, isGaugeHistogram bool, e *exemplar.Exemplar, histogramsByName map[string]map[string]*OpenMetric) (string, *OpenMetric) { + var histogram = &Histogram{} + var bucket = []*Bucket{} + var bkt = &Bucket{} + + switch { + case isCount(name): + u := uint64(s) + histogram.SampleCount = &u + name = name[:len(name)-6] + case isSum(name): + histogram.SampleSum = &s + name = name[:len(name)-4] + case isGaugeHistogram && isGCount(name): + u := uint64(s) + histogram.SampleCount = &u + name = name[:len(name)-7] + case isGaugeHistogram && isGSum(name): + histogram.SampleSum = &s + name = name[:len(name)-5] + default: + if isBucket(name) { + name = name[:len(name)-7] + } + f, err := strconv.ParseFloat(qv, 64) + if err != nil { + f = math.MaxUint64 + } + cnt := uint64(s) + bkt.UpperBound = &f + bkt.CumulativeCount = &cnt + + if e != nil { + if !e.HasTs { + e.Ts = *t + } + bkt.Exemplar = e + } + } + + _, k := histogramsByName[name] + if !k { + histogramsByName[name] = make(map[string]*OpenMetric) + } + metric, ok := histogramsByName[name][lbls] + if !ok { + metric = &OpenMetric{} + metric.Name = &name + metric.Histogram = histogram + metric.Histogram.Bucket = bucket + histogramsByName[name][lbls] = metric + } + if metric.Histogram.SampleSum == nil && histogram.SampleSum != nil { + metric.Histogram.SampleSum = histogram.SampleSum + } else if metric.Histogram.SampleCount == nil && histogram.SampleCount != nil { + 
metric.Histogram.SampleCount = histogram.SampleCount + } else if bkt.UpperBound != nil { + metric.Histogram.Bucket = append(metric.Histogram.Bucket, bkt) + } + + return name, metric +} + +func parseMetricFamilies(b []byte, contentType string, ts time.Time) ([]*OpenMetricFamily, error) { + var ( + parser = textparse.New(b, contentType) + defTime = timestamp.FromTime(ts) + metricFamiliesByName = map[string]*OpenMetricFamily{} + summariesByName = map[string]map[string]*OpenMetric{} + histogramsByName = map[string]map[string]*OpenMetric{} + fam *OpenMetricFamily + mt = textparse.MetricTypeUnknown + ) + var err error + +loop: + for { + var ( + et textparse.Entry + ok bool + e exemplar.Exemplar + ) + if et, err = parser.Next(); err != nil { + if err == io.EOF { + err = nil + } + break + } + switch et { + case textparse.EntryType: + buf, t := parser.Type() + s := string(buf) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Type: t} + metricFamiliesByName[s] = fam + } + mt = t + continue + case textparse.EntryHelp: + buf, t := parser.Help() + s := string(buf) + h := string(t) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Help: &h, Type: textparse.MetricTypeUnknown} + metricFamiliesByName[s] = fam + } + fam.Help = &h + continue + case textparse.EntryUnit: + buf, t := parser.Unit() + s := string(buf) + u := string(t) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Unit: &u, Type: textparse.MetricTypeUnknown} + metricFamiliesByName[string(buf)] = fam + } + fam.Unit = &u + continue + case textparse.EntryComment: + continue + default: + } + + t := defTime + _, tp, v := parser.Series() + + var ( + lset labels.Labels + mets string + ) + + mets = parser.Metric(&lset) + + if !lset.Has(labels.MetricName) { + err = errNameLabelMandatory + break loop + } + + var lbls strings.Builder + lbls.Grow(len(mets)) + var labelPairs = []*labels.Label{} + for _, l := range lset.Copy() { + if 
l.Name == labels.MetricName { + continue + } + + if l.Name != model.QuantileLabel && l.Name != labels.BucketLabel { // quantile and le are special labels handled below + + lbls.WriteString(l.Name) + lbls.WriteString(l.Value) + } + n := l.Name + v := l.Value + + labelPairs = append(labelPairs, &labels.Label{ + Name: n, + Value: v, + }) + } + + var metric *OpenMetric + + metricName := lset.Get(labels.MetricName) + var lookupMetricName string + var exm *exemplar.Exemplar + + // Suffixes - https://github.com/OpenObservability/OpenMetrics/blob/main/specification/OpenMetrics.md#suffixes + switch mt { + case textparse.MetricTypeCounter: + var counter = &Counter{Value: &v} + mn := lset.Get(labels.MetricName) + metric = &OpenMetric{Name: &mn, Counter: counter, Label: labelPairs} + if isTotal(metricName) { // Remove suffix _total, get lookup metricname + lookupMetricName = metricName[:len(metricName)-6] + } + break + case textparse.MetricTypeGauge: + var gauge = &Gauge{Value: &v} + metric = &OpenMetric{Name: &metricName, Gauge: gauge, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeInfo: + value := int64(v) + var info = &Info{Value: &value} + metric = &OpenMetric{Name: &metricName, Info: info, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeSummary: + lookupMetricName, metric = summaryMetricName(metricName, v, lset.Get(model.QuantileLabel), lbls.String(), &t, summariesByName) + metric.Label = labelPairs + if !isSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeHistogram: + if hasExemplar := parser.Exemplar(&e); hasExemplar { + exm = &e + } + lookupMetricName, metric = histogramMetricName(metricName, v, lset.Get(labels.BucketLabel), lbls.String(), &t, false, exm, histogramsByName) + metric.Label = labelPairs + if !isSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeGaugeHistogram: + if hasExemplar := 
parser.Exemplar(&e); hasExemplar { + exm = &e + } + lookupMetricName, metric = histogramMetricName(metricName, v, lset.Get(labels.BucketLabel), lbls.String(), &t, true, exm, histogramsByName) + metric.Label = labelPairs + metric.Histogram.IsGaugeHistogram = true + if !isGSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeStateset: + value := int64(v) + var stateset = &Stateset{Value: &value} + metric = &OpenMetric{Name: &metricName, Stateset: stateset, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeUnknown: + var unknown = &Unknown{Value: &v} + metric = &OpenMetric{Name: &metricName, Unknown: unknown, Label: labelPairs} + lookupMetricName = metricName + break + default: + lookupMetricName = metricName + } + + fam, ok = metricFamiliesByName[lookupMetricName] + if !ok { + fam = &OpenMetricFamily{Type: mt} + metricFamiliesByName[lookupMetricName] = fam + } + + fam.Name = &metricName + + if hasExemplar := parser.Exemplar(&e); hasExemplar && mt != textparse.MetricTypeHistogram && metric != nil { + if !e.HasTs { + e.Ts = t + } + metric.Exemplar = &e + } + + if tp != nil && metric != nil { + t = *tp + metric.TimestampMs = &t + } + + fam.Metric = append(fam.Metric, metric) + } + + families := make([]*OpenMetricFamily, 0, len(metricFamiliesByName)) + for _, v := range metricFamiliesByName { + if v.Metric != nil { + families = append(families, v) + } + } + return families, nil +} + +// MetricsMapping defines mapping settings for OpenMetrics metrics, to be used with `GetProcessedMetrics` +type MetricsMapping struct { + // Metrics translates from openmetrics metric name to Metricbeat fields + Metrics map[string]MetricMap + + // Namespace for metrics managed by this mapping + Namespace string + + // Labels translate from openmetrics label names to Metricbeat fields + Labels map[string]LabelMap + + // ExtraFields adds the given fields to all events coming from `GetProcessedMetrics` + 
ExtraFields map[string]string +} + +func (p *openmetrics) ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error) { + + eventsMap := map[string]common.MapStr{} + infoMetrics := []*infoMetricData{} + for _, family := range families { + for _, metric := range family.GetMetric() { + m, ok := mapping.Metrics[family.GetName()] + if m == nil || !ok { + // Ignore unknown metrics + continue + } + + field := m.GetField() + value := m.GetValue(metric) + + // Ignore retrieval errors (bad conf) + if value == nil { + continue + } + + storeAllLabels := false + labelsLocation := "" + var extraFields common.MapStr + if m != nil { + c := m.GetConfiguration() + storeAllLabels = c.StoreNonMappedLabels + labelsLocation = c.NonMappedLabelsPlacement + extraFields = c.ExtraFields + } + + // Apply extra options + allLabels := getLabels(metric) + for _, option := range m.GetOptions() { + field, value, allLabels = option.Process(field, value, allLabels) + } + + // Convert labels + labels := common.MapStr{} + keyLabels := common.MapStr{} + for k, v := range allLabels { + if l, ok := mapping.Labels[k]; ok { + if l.IsKey() { + keyLabels.Put(l.GetField(), v) + } else { + labels.Put(l.GetField(), v) + } + } else if storeAllLabels { + // if label for this metric is not found at the label mappings but + // it is configured to store any labels found, make it so + labels.Put(labelsLocation+"."+k, v) + } + } + + // if extra fields have been added through metric configuration + // add them to labels. 
+ // + // not considering these extra fields to be keylabels as that case + // have not appeared yet + for k, v := range extraFields { + labels.Put(k, v) + } + + // Keep a info document if it's an infoMetric + if _, ok = m.(*infoMetric); ok { + labels.DeepUpdate(keyLabels) + infoMetrics = append(infoMetrics, &infoMetricData{ + Labels: keyLabels, + Meta: labels, + }) + continue + } + + if field != "" { + event := getEvent(eventsMap, keyLabels) + update := common.MapStr{} + update.Put(field, value) + // value may be a mapstr (for histograms and summaries), do a deep update to avoid smashing existing fields + event.DeepUpdate(update) + + event.DeepUpdate(labels) + } + } + } + + // populate events array from values in eventsMap + events := make([]common.MapStr, 0, len(eventsMap)) + for _, event := range eventsMap { + // Add extra fields + for k, v := range mapping.ExtraFields { + event[k] = v + } + events = append(events, event) + } + + // fill info from infoMetrics + for _, info := range infoMetrics { + for _, event := range events { + found := true + for k, v := range info.Labels.Flatten() { + value, err := event.GetValue(k) + if err != nil || v != value { + found = false + break + } + } + + // fill info from this metric + if found { + event.DeepUpdate(info.Meta) + } + } + } + + return events, nil +} + +func (p *openmetrics) GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error) { + families, err := p.GetFamilies() + if err != nil { + return nil, err + } + return p.ProcessMetrics(families, mapping) +} + +// infoMetricData keeps data about an infoMetric +type infoMetricData struct { + Labels common.MapStr + Meta common.MapStr +} + +func (p *openmetrics) ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error { + events, err := p.GetProcessedMetrics(mapping) + if err != nil { + return errors.Wrap(err, "error getting processed metrics") + } + for _, event := range events { + r.Event(mb.Event{ + MetricSetFields: event, + Namespace: 
mapping.Namespace, + }) + } + + return nil +} + +func getEvent(m map[string]common.MapStr, labels common.MapStr) common.MapStr { + hash := labels.String() + res, ok := m[hash] + if !ok { + res = labels + m[hash] = res + } + return res +} + +func getLabels(metric *OpenMetric) common.MapStr { + labels := common.MapStr{} + for _, label := range metric.GetLabel() { + if label.Name != "" && label.Value != "" { + labels.Put(label.Name, label.Value) + } + } + return labels +} + +// CompilePatternList compiles a pattern list and returns the list of the compiled patterns +func CompilePatternList(patterns *[]string) ([]*regexp.Regexp, error) { + var compiledPatterns []*regexp.Regexp + compiledPatterns = []*regexp.Regexp{} + if patterns != nil { + for _, pattern := range *patterns { + r, err := regexp.Compile(pattern) + if err != nil { + return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern) + } + compiledPatterns = append(compiledPatterns, r) + } + return compiledPatterns, nil + } + return []*regexp.Regexp{}, nil +} + +// MatchMetricFamily checks if the given family/metric name matches any of the given patterns +func MatchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool { + for _, checkMetric := range matchMetrics { + matched := checkMetric.MatchString(family) + if matched { + return true + } + } + return false +} + +const ( + TextVersion = "0.0.4" + OpenMetricsType = `application/openmetrics-text` + + // The Content-Type values for the different wire protocols. 
+ FmtUnknown string = `` + FmtText string = `text/plain; version=` + TextVersion + `; charset=utf-8` +) + +const ( + hdrContentType = "Content-Type" +) + +func getContentType(h http.Header) string { + ct := h.Get(hdrContentType) + + mediatype, params, err := mime.ParseMediaType(ct) + if err != nil { + return FmtUnknown + } + + const textType = "text/plain" + + switch mediatype { + case OpenMetricsType: + if e, ok := params["encoding"]; ok && e != "delimited" { + return FmtUnknown + } + return OpenMetricsType + + case textType: + if v, ok := params["version"]; ok && v != TextVersion { + return FmtUnknown + } + return FmtText + } + + return FmtUnknown +} diff --git a/metricbeat/helper/openmetrics/openmetrics_test.go b/metricbeat/helper/openmetrics/openmetrics_test.go new file mode 100644 index 00000000000..5ebf1903c0f --- /dev/null +++ b/metricbeat/helper/openmetrics/openmetrics_test.go 
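Review bot: GetFamilies discards the error from ioutil.ReadAll and then from parseMetricFamilies — `families, err := parseMetricFamilies(b, contentType, appendTime)` is followed by `return families, nil`, so a truncated body or a parse failure (e.g. errNameLabelMandatory) is reported to the caller as success with an empty or partial family list. The tail of the function should propagate both errors, as in the rewrite below. Separately, OpenMetricFamily.GetUnit dereferences m.Unit, which is only ever set on an EntryUnit entry, and Info.HasValidValue and Stateset.HasValidValue dereference m.Value without the nil check their GetValue siblings do; `if m != nil && m.Unit != nil && *m.Unit != ""` and `return m != nil && m.Value != nil && *m.Value == 1` (and the equivalent for Stateset) avoid a panic on a family or sample that lacks the field. The response body is also read in full after gzip decoding with no size bound, so a misbehaving or misconfigured endpoint can make the metricset allocate without limit; wrapping `reader` in `io.LimitReader` with a configurable cap would bound both the error-path read and the metrics read.
```go
	appendTime := time.Now().Round(0)
	b, err := ioutil.ReadAll(reader)
	if err != nil {
		return nil, errors.Wrap(err, "reading openmetrics response body")
	}
	return parseMetricFamilies(b, contentType, appendTime)
}
```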
@@ -0,0 +1,1093 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "bytes" + "compress/gzip" + "io/ioutil" + "net/http" + "sort" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" +) + +const ( + openMetricsTestSamples = `# TYPE first_metric gauge +first_metric{label1="value1",label2="value2",label3="Value3",label4="FOO"} 1 +# TYPE second_metric gauge +second_metric{label1="value1",label3="othervalue"} 0 +# TYPE summary_metric summary +summary_metric{quantile="0.5"} 29735 +summary_metric{quantile="0.9"} 47103 +summary_metric{quantile="0.99"} 50681 +summary_metric_sum 234892394 +summary_metric_count 44000 +# TYPE histogram_metric histogram +histogram_metric_bucket{le="1000"} 1 +histogram_metric_bucket{le="10000"} 1 +histogram_metric_bucket{le="100000"} 1 +histogram_metric_bucket{le="1e+06"} 1 +histogram_metric_bucket{le="1e+08"} 1 +histogram_metric_bucket{le="1e+09"} 1 +histogram_metric_bucket{le="+Inf"} 1 +histogram_metric_sum 117 +histogram_metric_count 1 +# TYPE histogram_decimal_metric histogram 
+histogram_decimal_metric_bucket{le="0.001"} 1 +histogram_decimal_metric_bucket{le="0.01"} 1 +histogram_decimal_metric_bucket{le="0.1"} 2 +histogram_decimal_metric_bucket{le="1"} 3 +histogram_decimal_metric_bucket{le="+Inf"} 5 +histogram_decimal_metric_sum 4.31 +histogram_decimal_metric_count 5 +# TYPE gaugehistogram_metric gaugehistogram +gaugehistogram_metric_bucket{le="0.01"} 20.0 +gaugehistogram_metric_bucket{le="0.1"} 25.0 +gaugehistogram_metric_bucket{le="1"} 34.0 +gaugehistogram_metric_bucket{le="10"} 34.0 +gaugehistogram_metric_bucket{le="+Inf"} 42.0 +gaugehistogram_metric_gcount 42.0 +gaugehistogram_metric_gsum 3289.3 +gaugehistogram_metric_created 1520430000.123 +# TYPE target info +target_info 1 +# TYPE target_with_labels info +target_with_labels_info{env="prod",hostname="myhost"} 1 +` + + openMetricsGaugeKeyLabel = `# TYPE metrics_one_count_total gauge +metrics_one_count_total{name="jane",surname="foster"} 1 +metrics_one_count_total{name="john",surname="williams"} 2 +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + openMetricsGaugeKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors gauge +metrics_one_count_errors{name="jane",surname="foster"} 0 +# TYPE metrics_one_count_total gauge +metrics_one_count_total{name="jane",surname="foster"} NaN +metrics_one_count_total{name="foo",surname="bar"} +Inf +metrics_one_count_total{name="john",surname="williams"} -Inf +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + openMetricsCounterKeyLabel = `# TYPE metrics_one_count_total counter +metrics_one_count_total{name="jane",surname="foster"} 1 +metrics_one_count_total{name="john",surname="williams"} 2 +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + openMetricsCounterKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors counter +metrics_one_count_errors{name="jane",surname="foster"} 1 +# TYPE metrics_one_count_total counter +metrics_one_count_total{name="jane",surname="foster"} NaN 
+metrics_one_count_total{name="john",surname="williams"} +Inf +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 + +` + + openMetricsHistogramKeyLabel = `# TYPE metrics_one_midichlorians histogram +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} 52 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} 70 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} 78 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86 +metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001 +metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="2000"} 16 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="4000"} 20 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="8000"} 23 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="16000"} 27 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="32000"} 27 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="+Inf"} 28 +metrics_one_midichlorians_sum{rank="padawan",alive="yes"} 800001 +metrics_one_midichlorians_count{rank="padawan",alive="yes"} 28 +` + + openMetricsHistogramKeyLabelWithNaNInf = `# TYPE metrics_one_midichlorians histogram +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} NaN +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} +Inf +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} -Inf +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86 
+metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001 +metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86 +` + + openMetricsSummaryKeyLabel = `# TYPE metrics_force_propagation_ms summary +metrics_force_propagation_ms{kind="jedi",quantile="0"} 35 +metrics_force_propagation_ms{kind="jedi",quantile="0.25"} 22 +metrics_force_propagation_ms{kind="jedi",quantile="0.5"} 7 +metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20 +metrics_force_propagation_ms{kind="jedi",quantile="1"} 30 +metrics_force_propagation_ms_sum{kind="jedi"} 89 +metrics_force_propagation_ms_count{kind="jedi"} 651 +metrics_force_propagation_ms{kind="sith",quantile="0"} 30 +metrics_force_propagation_ms{kind="sith",quantile="0.25"} 20 +metrics_force_propagation_ms{kind="sith",quantile="0.5"} 12 +metrics_force_propagation_ms{kind="sith",quantile="0.75"} 21 +metrics_force_propagation_ms{kind="sith",quantile="1"} 29 +metrics_force_propagation_ms_sum{kind="sith"} 112 +metrics_force_propagation_ms_count{kind="sith"} 711 +` + + openMetricsSummaryKeyLabelWithNaNInf = `# TYPE metrics_force_propagation_ms summary +metrics_force_propagation_ms{kind="jedi",quantile="0"} NaN +metrics_force_propagation_ms{kind="jedi",quantile="0.25"} +Inf +metrics_force_propagation_ms{kind="jedi",quantile="0.5"} -Inf +metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20 +metrics_force_propagation_ms{kind="jedi",quantile="1"} 30 +metrics_force_propagation_ms_sum{kind="jedi"} 50 +metrics_force_propagation_ms_count{kind="jedi"} 651 +` + + openMetricsGaugeLabeled = `# TYPE metrics_that_inform_labels gauge +metrics_that_inform_labels{label1="I am 1",label2="I am 2"} 1 +metrics_that_inform_labels{label1="I am 1",label3="I am 3"} 1 +# TYPE metrics_that_use_labels gauge +metrics_that_use_labels{label1="I am 1"} 20 +` + openMetricsStateset = `# TYPE enable_category stateset +enable_category{category="shoes"} 0 +enable_category{category="collectibles"} 1 +` +) + +type mockFetcher struct { + response 
string +} + +var _ = httpfetcher(&mockFetcher{}) + +// FetchResponse returns an HTTP response but for the Body, which +// returns the mockFetcher.Response contents +func (m mockFetcher) FetchResponse() (*http.Response, error) { + body := bytes.NewBuffer(nil) + writer := gzip.NewWriter(body) + writer.Write([]byte(m.response)) + writer.Close() + + return &http.Response{ + StatusCode: 200, + Header: http.Header{ + "Content-Encoding": []string{"gzip"}, + "Content-Type": []string{"application/openmetrics-text"}, + }, + Body: ioutil.NopCloser(body), + }, nil +} + +func TestOpenMetrics(t *testing.T) { + + p := &openmetrics{mockFetcher{response: openMetricsTestSamples}, logp.NewLogger("test")} + + tests := []struct { + mapping *MetricsMapping + msg string + expected []common.MapStr + }{ + { + msg: "Simple field map", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + }, + }, + }, + { + msg: "Simple field map with labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + "label2": Label("labels.label2"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "labels": common.MapStr{ + "label1": "value1", + "label2": "value2", + }, + }, + }, + }, + { + msg: "Several metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + "second_metric": Metric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label3": KeyLabel("labels.label3"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "labels": common.MapStr{ + "label3": "Value3", + }, + }, + common.MapStr{ + "second": common.MapStr{ + "metric": 0.0, + }, + "labels": common.MapStr{ 
+ "label3": "othervalue", + }, + }, + }, + }, + { + msg: "Grouping by key labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + "second_metric": Metric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + "label2": Label("labels.label2"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "second": common.MapStr{ + "metric": 0.0, + }, + "labels": common.MapStr{ + "label1": "value1", + "label2": "value2", + }, + }, + }, + }, + { + msg: "Keyword metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": KeywordMetric("first.metric", "works"), + "second_metric": KeywordMetric("second.metric", "itsnot"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "works", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Boolean metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": BooleanMetric("first.metric"), + "second_metric": BooleanMetric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": true, + }, + "second": common.MapStr{ + "metric": false, + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label3"), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "Value3", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, lowercase", + mapping: 
&MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue()), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "foo", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, filter", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpFilterMap( + "label1", + map[string]string{"value1": "foo"}, + )), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": common.MapStr{ + "foo": "FOO", + }, + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, filter", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue(), OpFilterMap( + "foo", + map[string]string{"Filtered": "filtered"}, + )), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{}, + }, + { + msg: "Summary metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "summary_metric": Metric("summary.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "summary": common.MapStr{ + "metric": common.MapStr{ + "sum": 234892394.0, + "count": uint64(44000), + "percentile": common.MapStr{ + "50": 29735.0, + "90": 47103.0, + "99": 50681.0, + }, + }, + }, + }, + }, + }, + { + msg: "Histogram metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "histogram_metric": Metric("histogram.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "histogram": common.MapStr{ + "metric": common.MapStr{ + "count": uint64(1), + "bucket": common.MapStr{ + "1000000000": uint64(1), + "+Inf": uint64(1), + 
"1000": uint64(1), + "10000": uint64(1), + "100000": uint64(1), + "1000000": uint64(1), + "100000000": uint64(1), + }, + "sum": 117.0, + }, + }, + }, + }, + }, + { + msg: "Histogram decimal metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "histogram_decimal_metric": Metric("histogram.metric", OpMultiplyBuckets(1000)), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "histogram": common.MapStr{ + "metric": common.MapStr{ + "count": uint64(5), + "bucket": common.MapStr{ + "1": uint64(1), + "10": uint64(1), + "100": uint64(2), + "1000": uint64(3), + "+Inf": uint64(5), + }, + "sum": 4310.0, + }, + }, + }, + }, + }, + { + msg: "Gauge histogram metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "gaugehistogram_metric": Metric("gaugehistogram.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "gaugehistogram": common.MapStr{ + "metric": common.MapStr{ + "gcount": uint64(42), + "bucket": common.MapStr{ + "0.01": uint64(20), + "0.1": uint64(25), + "1": uint64(34), + "10": uint64(34), + "+Inf": uint64(42), + }, + "gsum": 3289.3, + }, + }, + }, + }, + }, + { + msg: "Info metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "target_info": Metric("target_info.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "target_info": common.MapStr{ + "metric": int64(1), + }, + }, + }, + }, + { + msg: "Info metric with labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "target_with_labels_info": Metric("target_with_labels_info.metric"), + }, + Labels: map[string]LabelMap{ + "env": Label("labels.env"), + "hostname": Label("labels.hostname"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "target_with_labels_info": common.MapStr{ + "metric": int64(1), + }, + "labels": common.MapStr{ + "env": "prod", + "hostname": "myhost", + }, + }, + }, + }, + } + + for _, test := range tests { + t.Run(test.msg, func(t *testing.T) { + reporter := 
&mbtest.CapturingReporterV2{} + p.ReportProcessedMetrics(test.mapping, reporter) + assert.Nil(t, reporter.GetErrors(), test.msg) + // Sort slice to avoid randomness + res := reporter.GetEvents() + sort.Slice(res, func(i, j int) bool { + return res[i].MetricSetFields.String() < res[j].MetricSetFields.String() + }) + assert.Equal(t, len(test.expected), len(res)) + for j, ev := range res { + assert.Equal(t, test.expected[j], ev.MetricSetFields, test.msg) + } + }) + } +} + +func TestOpenMetricsKeyLabels(t *testing.T) { + + testCases := []struct { + testName string + openmetricsResponse string + mapping *MetricsMapping + expectedEvents []common.MapStr + }{ + { + testName: "Test gauge with KeyLabel", + openmetricsResponse: openMetricsGaugeKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 1.0, + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 2.0, + "labels": common.MapStr{ + "name": "john", + "surname": "williams", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 3.0, + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test gauge with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsGaugeKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_errors": Metric("metrics.one.count"), + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": 
KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 0.0, + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 3.0, + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test counter with KeyLabel", + openmetricsResponse: openMetricsCounterKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(2), + "labels": common.MapStr{ + "name": "john", + "surname": "williams", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(3), + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test counter with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsCounterKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_errors": Metric("metrics.one.count"), + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + 
"age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(3), + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test histogram with KeyLabel", + openmetricsResponse: openMetricsHistogramKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), + }, + Labels: map[string]LabelMap{ + "rank": KeyLabel("metrics.one.midichlorians.rank"), + "alive": KeyLabel("metrics.one.midichlorians.alive"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(86), + "sum": 1000001.0, + "bucket": common.MapStr{ + "2000": uint64(52), + "4000": uint64(70), + "8000": uint64(78), + "16000": uint64(84), + "32000": uint64(86), + "+Inf": uint64(86), + }, + + "rank": "youngling", + "alive": "yes", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(28), + "sum": 800001.0, + "bucket": common.MapStr{ + "2000": uint64(16), + "4000": uint64(20), + "8000": uint64(23), + "16000": uint64(27), + "32000": uint64(27), + "+Inf": uint64(28), + }, + "rank": "padawan", + "alive": "yes", + }, + }, + }, + }, + }, + }, + + { + testName: "Test histogram with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsHistogramKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), + }, + Labels: map[string]LabelMap{ + "rank": KeyLabel("metrics.one.midichlorians.rank"), + 
"alive": KeyLabel("metrics.one.midichlorians.alive"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(86), + "sum": 1000001.0, + "bucket": common.MapStr{ + "16000": uint64(84), + "32000": uint64(86), + "+Inf": uint64(86), + }, + + "rank": "youngling", + "alive": "yes", + }, + }, + }, + }, + }, + }, + + { + testName: "Test summary with KeyLabel", + openmetricsResponse: openMetricsSummaryKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), + }, + Labels: map[string]LabelMap{ + "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(651), + "sum": 89.0, + "percentile": common.MapStr{ + "0": 35.0, + "25": 22.0, + "50": 7.0, + "75": 20.0, + "100": 30.0, + }, + "labels": common.MapStr{ + "kind": "jedi", + }, + }, + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(711), + "sum": 112.0, + "percentile": common.MapStr{ + "0": 30.0, + "25": 20.0, + "50": 12.0, + "75": 21.0, + "100": 29.0, + }, + "labels": common.MapStr{ + "kind": "sith", + }, + }, + }, + }, + }, + }, + }, + }, + + { + testName: "Test summary with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsSummaryKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), + }, + Labels: map[string]LabelMap{ + "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": 
common.MapStr{ + "ms": common.MapStr{ + "count": uint64(651), + "sum": 50.0, + "percentile": common.MapStr{ + "75": 20.0, + "100": 30.0, + }, + "labels": common.MapStr{ + "kind": "jedi", + }, + }, + }, + }, + }, + }, + }, + }, + + { + testName: "Test gauge InfoMetrics using ExtendedInfoMetric", + openmetricsResponse: openMetricsGaugeLabeled, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "metrics.other_labels"}), + "metrics_that_use_labels": Metric("metrics.value"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("metrics.label1"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "value": 20.0, + "label1": "I am 1", + "other_labels": common.MapStr{ + "label2": "I am 2", + "label3": "I am 3", + }, + }, + }, + }, + }, + { + testName: "Test gauge InfoMetrics using ExtendedInfoMetric and extra fields", + openmetricsResponse: openMetricsGaugeLabeled, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{ + StoreNonMappedLabels: true, + NonMappedLabelsPlacement: "metrics.other_labels", + ExtraFields: common.MapStr{ + "metrics.extra.field1": "extra1", + "metrics.extra.field2": "extra2", + }}), + "metrics_that_use_labels": Metric("metrics.value"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("metrics.label1"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "value": 20.0, + "label1": "I am 1", + "other_labels": common.MapStr{ + "label2": "I am 2", + "label3": "I am 3", + }, + "extra": common.MapStr{ + "field1": "extra1", + "field2": "extra2", + }, + }, + }, + }, + }, + { + testName: "Stateset metric with labels", + openmetricsResponse: openMetricsStateset, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "enable_category": Metric("metrics.count"), + }, 
+ Labels: map[string]LabelMap{ + "category": KeyLabel("metrics.labels.category"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "count": int64(0), + "labels": common.MapStr{ + "category": "shoes", + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "category": "collectibles", + }, + }, + }, + }, + }, + } + + for _, tc := range testCases { + r := &mbtest.CapturingReporterV2{} + p := &openmetrics{mockFetcher{response: tc.openmetricsResponse}, logp.NewLogger("test")} + p.ReportProcessedMetrics(tc.mapping, r) + if !assert.Nil(t, r.GetErrors(), + "error reporting/processing metrics, at %q", tc.testName) { + continue + } + + events := r.GetEvents() + if !assert.Equal(t, len(tc.expectedEvents), len(events), + "number of returned events doesn't match expected, at %q", tc.testName) { + continue + } + + // Sort slices of received and expeected to avoid unmatching + sort.Slice(events, func(i, j int) bool { + return events[i].MetricSetFields.String() < events[j].MetricSetFields.String() + }) + sort.Slice(tc.expectedEvents, func(i, j int) bool { + return tc.expectedEvents[i].String() < tc.expectedEvents[j].String() + }) + + for i := range events { + if !assert.Equal(t, tc.expectedEvents[i], events[i].MetricSetFields, + "mismatch at event #%d, at %q", i, tc.testName) { + + continue + } + } + } +} diff --git a/metricbeat/mb/testing/testdata.go b/metricbeat/mb/testing/testdata.go index 6e398e8e8f9..e5b853d570e 100644 --- a/metricbeat/mb/testing/testdata.go +++ b/metricbeat/mb/testing/testdata.go @@ -43,6 +43,7 @@ import ( const ( expectedExtension = "-expected.json" + applicationJson = "application/json" ) // DataConfig is the configuration for testdata tests 
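Review bot: The new constant `applicationJson` breaks the Go initialism convention the rest of Beats follows (linters flag `Json` → `JSON`); rename it `applicationJSON` here and at its single visible use in `defaultDataConfig()`. Because every testdata server reply is now labelled with this value, a one-line doc comment is warranted: `// applicationJSON is the Content-Type the testdata HTTP server sends unless a module's data config overrides content_type.`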
@@ -75,6 +76,9 @@ type DataConfig struct { // URL of the endpoint that must be tested depending on each module URL string + // ContentType of the data being returned by server + ContentType string `yaml:"content_type"` + // Suffix is the extension of the source file with the input contents. Defaults to `json`, `plain` is also a common use. Suffix string @@ -107,9 +111,10 @@ type DataConfig struct { func defaultDataConfig() DataConfig { return DataConfig{ - Path: ".", - WritePath: ".", - Suffix: "json", + Path: ".", + WritePath: ".", + Suffix: "json", + ContentType: applicationJson, } } @@ -189,7 +194,7 @@ func TestMetricsetFieldsDocumented(t *testing.T, metricSet mb.MetricSet, events func runTest(t *testing.T, file string, module, metricSetName string, config DataConfig) { // starts a server serving the given file under the given url - s := server(t, file, config.URL) + s := server(t, file, config.URL, config.ContentType) defer s.Close() moduleConfig := getConfig(module, metricSetName, s.URL, config) @@ -440,7 +445,7 @@ func getConfig(module, metricSet, url string, config DataConfig) map[string]inte } // server starts a server with a mock output -func server(t *testing.T, path string, url string) *httptest.Server { +func server(t *testing.T, path string, url string, contentType string) *httptest.Server { body, err := ioutil.ReadFile(path) if err != nil { @@ -455,7 +460,7 @@ func server(t *testing.T, path string, url string) *httptest.Server { } if r.URL.Path+query == url { - w.Header().Set("Content-Type", "application/json;") + w.Header().Set("Content-Type", contentType) w.WriteHeader(200) w.Write(body) } else { diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index c2edf2795aa..7673d7b01b5 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml 
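Review bot: `w.Header().Set("Content-Type", contentType)` writes whatever the caller passed, so a `DataConfig` built without going through `defaultDataConfig()` now yields an empty `Content-Type` header where the old code always sent a concrete type; a guard in `server()` such as `if contentType == "" { contentType = applicationJson }` keeps the old behaviour for that path. Note also that the replaced literal carried a stray trailing semicolon (`application/json;`), so fixtures that happened to depend on that quirk will now see a clean media type — presumably intended, but worth a sentence in the PR description. The body of `server` continues outside the hunk.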
@@ -2206,11 +2206,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. metricbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Metricbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -2395,6 +2390,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/metricbeat/module/beat/_meta/fields.yml b/metricbeat/module/beat/_meta/fields.yml index 5f40348c572..b29bffb2cfa 100644 --- a/metricbeat/module/beat/_meta/fields.yml +++ b/metricbeat/module/beat/_meta/fields.yml @@ -305,19 +305,19 @@ fields: - name: host type: alias - path: beat.stats.beat.host + path: beat.stats.info.host - name: name type: alias - path: beat.stats.beat.name + path: beat.stats.info.name - name: type type: alias - path: beat.stats.beat.type + path: beat.stats.info.type - name: uuid type: alias - path: beat.stats.beat.uuid + path: beat.stats.info.uuid - name: version type: alias - path: beat.stats.beat.version + path: beat.stats.info.version - name: metrics type: group fields: diff --git a/metricbeat/module/beat/fields.go b/metricbeat/module/beat/fields.go index cd59838480a..b8ee153217a 100644 --- a/metricbeat/module/beat/fields.go +++ b/metricbeat/module/beat/fields.go 
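Review bot: The new `http.pprof.enabled` comment says the endpoints "may leak data" but neither says what leaks nor how to confine it; heap, goroutine and allocation profiles dump process memory, which in a Beat can include output credentials, API keys and buffered event payloads. Tie the warning to the HTTP endpoint binding settings in this same section, e.g. `# pprof profiles expose process memory (including credentials and event data held by the Beat). Only enable this when the HTTP endpoint is bound to a loopback address or a unix socket/named pipe that other users and hosts cannot reach.` Keeping the documented default at `false` is the right call.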
@@ -32,5 +32,5 @@ func init() { // AssetBeat returns asset data. // This is the base64 encoded zlib format compressed contents of module/beat. func AssetBeat() string { - return "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" + return "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" } diff --git a/metricbeat/module/beat/stats/_meta/fields.yml b/metricbeat/module/beat/stats/_meta/fields.yml index 0e5700b5fd5..19c0f75d715 100644 --- a/metricbeat/module/beat/stats/_meta/fields.yml +++ b/metricbeat/module/beat/stats/_meta/fields.yml @@ -219,7 +219,7 @@ type: long - name: unauthorized type: long - - name: beat + - name: info type: group fields: - name: name diff --git a/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml b/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml index 7365ce2e6ef..87a0f7c227c 100644 --- a/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml +++ b/metricbeat/module/kubernetes/_meta/test/docs/01_playground/ek_stack.yaml @@ -26,10 +26,22 @@ spec: - image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT imagePullPolicy: IfNotPresent name: elasticsearch - env: - - name: "discovery.type" - value: "single-node" - + envFrom: + - configMapRef: + name: elasticsearch-config +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: elasticsearch-config +data: + discovery.type: "single-node" + ES_JAVA_OPTS: "-Xms1g -Xmx1g" + xpack.license.self_generated.type: "trial" + xpack.security.enabled: 'true' + xpack.security.authc.api_key.enabled: 'true' + ELASTIC_USERNAME: "elastic" + ELASTIC_PASSWORD: "changeme" --- apiVersion: v1 kind: Service @@ -47,7 +59,6 @@ spec: app: elasticsearch sessionAffinity: None type: ClusterIP - --- apiVersion: apps/v1 kind: Deployment 
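Review bot: `ELASTIC_PASSWORD: "changeme"` and `ELASTIC_USERNAME` are placed in a `ConfigMap`, which Kubernetes does not treat as sensitive (no encryption-at-rest, readable by anyone with `get configmaps` in the namespace, often echoed by tooling); even a kind playground should model the correct pattern since people copy these manifests. Move the two credential keys into a `Secret` (`kind: Secret`, `stringData:`) and reference it with an additional `envFrom: - secretRef: {name: elasticsearch-credentials}` next to the existing `configMapRef`, leaving the non-secret settings (`discovery.type`, `ES_JAVA_OPTS`, `xpack.*`) where they are. A comment such as `# Demo credentials for a local kind cluster only - never reuse outside this playground` would make the intent explicit.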
@@ -77,3 +88,8 @@ spec: - image: docker.elastic.co/kibana/kibana:8.0.0-SNAPSHOT imagePullPolicy: IfNotPresent name: kibana + env: + - name: ELASTICSEARCH_USERNAME + value: elastic + - name: ELASTICSEARCH_PASSWORD + value: changeme diff --git a/metricbeat/module/kubernetes/_meta/test/docs/README.md b/metricbeat/module/kubernetes/_meta/test/docs/README.md index c3d7bc6c750..fb409cb2106 100644 --- a/metricbeat/module/kubernetes/_meta/test/docs/README.md +++ b/metricbeat/module/kubernetes/_meta/test/docs/README.md @@ -28,7 +28,8 @@ You can spin up an ELK stack in two ways 2. Locally on your kind cluster (EK tuple will suffice). ```bash # Deploy Elasticsearch and Kibana -kubectl apply -f ../01_playground/ek_stack.yaml +cd metricbeat/module/kubernetes/_meta/test/docs +kubectl apply -f 01_playground/ek_stack.yaml # Expose Kibana with port forwarding. In your browser visit localhost:5601 kubectl port-forward deployment/kibana 5601:5601 @@ -46,7 +47,7 @@ In case of Elastic Cloud deployment configure the variables ELASTIC_CLOUD_ID and Deploy metricbeat ``` -kubectl apply -f ../01_playground/metricbeat.yaml +kubectl apply -f 01_playground/metricbeat.yaml ``` ## Build and launch metricbeat process diff --git a/metricbeat/module/linux/conntrack/conntrack.go b/metricbeat/module/linux/conntrack/conntrack.go index a29565d0285..c8d9122de09 100644 --- a/metricbeat/module/linux/conntrack/conntrack.go +++ b/metricbeat/module/linux/conntrack/conntrack.go 
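Review bot: The Kibana deployment now authenticates as the `elastic` superuser with the password inline as `value: changeme`; recent Kibana releases warn about or refuse to run as the `elastic` account, so this may not even start against the `8.0.0-SNAPSHOT` image — worth confirming before merging. The documented pattern is a dedicated `kibana_system` user (or a service token) whose secret is injected via `valueFrom: secretKeyRef:` instead of a literal. If the literal is kept for the playground, mark it with `# demo-only credentials, see README` so it is not copied into real deployments.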
@@ -50,12 +50,11 @@ type MetricSet struct { // any MetricSet specific configuration options if there are any. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { cfgwarn.Beta("The linux conntrack metricset is beta.") - linuxModule, ok := base.Module().(*linux.Module) - if !ok { - return nil, errors.New("unexpected module type") - } - path := filepath.Join(linuxModule.HostFS, "proc") + sys := base.Module().(linux.LinuxModule) + hostfs := sys.GetHostFS() + + path := filepath.Join(hostfs, "proc") newFS, err := procfs.NewFS(path) if err != nil { return nil, errors.Wrapf(err, "error creating new Host FS at %s", path) diff --git a/metricbeat/module/linux/ksm/ksm.go b/metricbeat/module/linux/ksm/ksm.go index 4d62759cf56..67ec072f6bf 100644 --- a/metricbeat/module/linux/ksm/ksm.go +++ b/metricbeat/module/linux/ksm/ksm.go @@ -50,14 +50,13 @@ type MetricSet struct { // any MetricSet specific configuration options if there are any. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { cfgwarn.Beta("The linux pageinfo metricset is beta.") - linuxModule, ok := base.Module().(*linux.Module) - if !ok { - return nil, errors.New("unexpected module type") - } + + sys := base.Module().(linux.LinuxModule) + hostfs := sys.GetHostFS() return &MetricSet{ BaseMetricSet: base, - fs: filepath.Join(linuxModule.HostFS, "/sys/kernel/mm/ksm"), + fs: filepath.Join(hostfs, "/sys/kernel/mm/ksm"), }, nil } diff --git a/metricbeat/module/linux/linux.go b/metricbeat/module/linux/linux.go index 518eab8ceff..25a29f15d01 100644 --- a/metricbeat/module/linux/linux.go +++ b/metricbeat/module/linux/linux.go @@ -20,6 +20,7 @@ package linux import ( "time" + "github.com/elastic/beats/v7/libbeat/paths" "github.com/elastic/beats/v7/metricbeat/mb" ) @@ -30,6 +31,10 @@ func init() { } } +type LinuxModule interface { + GetHostFS() string +} + // Module defines the base module config used in `linux` type Module struct { mb.BaseModule 
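Review bot: `sys := base.Module().(linux.LinuxModule)` replaces a checked type assertion with an unchecked one, so a module value that does not implement `LinuxModule` now panics inside `New` and takes down the whole Metricbeat process instead of returning the previous `unexpected module type` error. Keep the two-value form: `sys, ok := base.Module().(linux.LinuxModule)` followed by `if !ok { return nil, errors.New("unexpected module type") }`. The registry presumably always hands back a `*linux.Module` here, so the failure is unlikely, but a recoverable config error should not become a crash.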
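Review bot: Same concern in `ksm.New`: dropping the `ok` check means an unexpected module type panics rather than returning an error, which is a regression from the code it replaces. Use `sys, ok := base.Module().(linux.LinuxModule)` with `if !ok { return nil, errors.New("unexpected module type") }` before calling `GetHostFS()`.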
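Review bot: The new exported `LinuxModule` interface in linux.go has no doc comment, and since every linux metricset now depends on it the contract should be written down: `// LinuxModule is implemented by the linux module and exposes the resolved host filesystem root that metricsets use to build /proc and /sys paths.` A matching comment on `GetHostFS` stating that it returns the directory chosen in `NewModule` (module hostfs or the global system.hostfs override) would also help readers who only see the metricset side.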
@@ -55,5 +60,14 @@ func NewModule(base mb.BaseModule) (mb.Module, error) { dir = "/" } + // Steer towards system.hostfs, since the two behave fundamentally the same, and system.hostfs has a CLI flag that many users may default to. + if len(paths.Paths.Hostfs) > 2 { + dir = paths.Paths.Hostfs + } + return &Module{BaseModule: base, HostFS: dir, Period: config.Period}, nil } + +func (m Module) GetHostFS() string { + return m.HostFS +} diff --git a/metricbeat/module/linux/pageinfo/pageinfo.go b/metricbeat/module/linux/pageinfo/pageinfo.go index 47482dee79b..e4d700be7db 100644 --- a/metricbeat/module/linux/pageinfo/pageinfo.go +++ b/metricbeat/module/linux/pageinfo/pageinfo.go @@ -51,14 +51,13 @@ type MetricSet struct { // any MetricSet specific configuration options if there are any. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { cfgwarn.Beta("The linux pageinfo metricset is beta.") - linuxModule, ok := base.Module().(*linux.Module) - if !ok { - return nil, errors.New("unexpected module type") - } + + sys := base.Module().(linux.LinuxModule) + hostfs := sys.GetHostFS() return &MetricSet{ BaseMetricSet: base, - fs: linuxModule.HostFS, + fs: hostfs, }, nil } diff --git a/metricbeat/module/linux/pressure/pressure.go b/metricbeat/module/linux/pressure/pressure.go index fbd7ddb4515..9a0e90c1839 100644 --- a/metricbeat/module/linux/pressure/pressure.go +++ b/metricbeat/module/linux/pressure/pressure.go 
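Review bot: `if len(paths.Paths.Hostfs) > 2` is an odd guard: it skips `""` and `/` as presumably intended, but also rejects any two-character root such as `/h`, and the numeric threshold does not convey that. Write the intent directly: `if hostfs := paths.Paths.Hostfs; hostfs != "" && hostfs != "/" { dir = hostfs }`. The comment should also state the precedence this introduces, since the global flag now silently overrides the module's own `hostfs` setting held in `dir`: `// The global system.hostfs flag takes precedence over the module-level hostfs option.` `NewModule` begins outside the hunk.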
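Review bot: `pageinfo.New` loses its error path as well: the unchecked assertion `base.Module().(linux.LinuxModule)` panics on a mismatched module type where the removed code returned `unexpected module type`. Restore the checked form, `sys, ok := base.Module().(linux.LinuxModule)` plus `if !ok { return nil, errors.New("unexpected module type") }`, so the failure stays a normal `New` error.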
@@ -63,12 +63,10 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, fmt.Errorf("the %v/%v metricset is only supported on Linux", moduleName, metricsetName) } - linuxModule, ok := base.Module().(*linux.Module) - if !ok { - return nil, errors.New("unexpected module type") - } + sys := base.Module().(linux.LinuxModule) + hostfs := sys.GetHostFS() - path := filepath.Join(linuxModule.HostFS, "proc") + path := filepath.Join(hostfs, "proc") procfs, err := procfs.NewFS(path) if err != nil { return nil, errors.Wrapf(err, "error creating new Host FS at %s", path) @@ -76,7 +74,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return &MetricSet{ BaseMetricSet: base, - fs: linuxModule.HostFS, + fs: hostfs, procfs: procfs, }, nil } diff --git a/metricbeat/module/linux/rapl/rapl.go b/metricbeat/module/linux/rapl/rapl.go index 21172b00cf0..f7d3cacf93c 100644 --- a/metricbeat/module/linux/rapl/rapl.go +++ b/metricbeat/module/linux/rapl/rapl.go @@ -37,8 +37,8 @@ import ( "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/libbeat/paths" "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/module/linux" ) // init registers the MetricSet with the central registry as soon as the program 
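Review bot: In `pressure.New` the checked assertion on `*linux.Module` is replaced by an unchecked `base.Module().(linux.LinuxModule)`, turning a config-time error into a panic; the function already returns errors for the OS check and `procfs.NewFS`, so the type check should follow the same style: `sys, ok := base.Module().(linux.LinuxModule)` and `if !ok { return nil, errors.New("unexpected module type") }`. `New` starts outside the hunk.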
@@ -83,14 +83,16 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } - CPUList, err := getMSRCPUs() + sys := base.Module().(linux.LinuxModule) + hostfs := sys.GetHostFS() + CPUList, err := getMSRCPUs(hostfs) if err != nil { return nil, errors.Wrap(err, "error getting list of CPUs to query") } // check to see if msr-safe is installed if config.UseMSRSafe { - queryPath := filepath.Join(paths.Paths.Hostfs, "/dev/cpu/", fmt.Sprint(CPUList[0]), "msr_safe") + queryPath := filepath.Join(hostfs, "/dev/cpu/", fmt.Sprint(CPUList[0]), "msr_safe") _, err := os.Stat(queryPath) if errors.Is(err, os.ErrNotExist) { return nil, errors.New("no msr_safe device found. Is the kernel module loaded?") @@ -110,7 +112,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { handlers := map[int]rapl.RAPLHandler{} for _, cpu := range CPUList { - formatPath := filepath.Join(paths.Paths.Hostfs, "/dev/cpu/%d") + formatPath := filepath.Join(hostfs, "/dev/cpu/%d") if config.UseMSRSafe { formatPath = filepath.Join(formatPath, "/msr_safe") } else { @@ -203,8 +205,8 @@ func (m *MetricSet) updatePower() map[int]map[rapl.RAPLDomain]energyUsage { // getMSRCPUs forms a list of CPU cores to query // For multi-processor systems, this will be more than 1. -func getMSRCPUs() ([]int, error) { - CPUs, err := topoPkgCPUMap() +func getMSRCPUs(hostfs string) ([]int, error) { + CPUs, err := topoPkgCPUMap(hostfs) if err != nil { return nil, errors.Wrap(err, "error fetching CPU topology") } 
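Review bot: `sys := base.Module().(linux.LinuxModule)` is an unchecked assertion and will panic if the module is not a `LinuxModule`; the sibling metricsets used to guard this and return `unexpected module type`, and this `New` already has an error return two lines above, so use `sys, ok := ...` with `if !ok { return nil, errors.New("unexpected module type") }`. Separately, the rewritten `queryPath` line still indexes `CPUList[0]` right after `getMSRCPUs(hostfs)` without checking for an empty list — if `topoPkgCPUMap` can return no CPUs (I cannot see that from here), an explicit `if len(CPUList) == 0 { return nil, errors.New("no CPUs found in topology") }` would be safer than relying on the panic. `New` begins outside the hunk.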
@@ -225,12 +227,12 @@ func getMSRCPUs() ([]int, error) { //it is, however, the simplest way to do this. The intel power gadget iterates through each CPU using affinity masks, and runs `cpuid` in a loop to //figure things out //This uses /sys/devices/system/cpu/cpu*/topology/physical_package_id, which is what lscpu does. I *think* geopm does something similar to this. -func topoPkgCPUMap() (map[int][]int, error) { +func topoPkgCPUMap(hostfs string) (map[int][]int, error) { sysdir := "/sys/devices/system/cpu/" cpuMap := make(map[int][]int) - files, err := ioutil.ReadDir(filepath.Join(paths.Paths.Hostfs, sysdir)) + files, err := ioutil.ReadDir(filepath.Join(hostfs, sysdir)) if err != nil { return nil, err } @@ -240,7 +242,7 @@ func topoPkgCPUMap() (map[int][]int, error) { for _, file := range files { if file.IsDir() && re.MatchString(file.Name()) { - fullPkg := filepath.Join(paths.Paths.Hostfs, sysdir, file.Name(), "/topology/physical_package_id") + fullPkg := filepath.Join(hostfs, sysdir, file.Name(), "/topology/physical_package_id") dat, err := ioutil.ReadFile(fullPkg) if err != nil { return nil, errors.Wrapf(err, "error reading file %s", fullPkg) diff --git a/metricbeat/module/linux/rapl/rapl_test.go b/metricbeat/module/linux/rapl/rapl_test.go index 3824071763e..d51fbedb105 100644 --- a/metricbeat/module/linux/rapl/rapl_test.go +++ b/metricbeat/module/linux/rapl/rapl_test.go @@ -24,8 +24,6 @@ import ( "testing" "github.com/stretchr/testify/assert" - - "github.com/elastic/beats/v7/libbeat/paths" ) // func TestData(t *testing.T) { @@ -49,9 +47,9 @@ import ( // } func TestTopo(t *testing.T) { - paths.Paths.Hostfs = "./testdata/" + hostfs := "./testdata/" - cpus, err := topoPkgCPUMap() + cpus, err := topoPkgCPUMap(hostfs) assert.NoError(t, err) good := map[int][]int{ 0: {0, 1}, diff --git a/metricbeat/module/openmetrics/_meta/fields.yml b/metricbeat/module/openmetrics/_meta/fields.yml index c83c99f1363..12592096f5e 100644 
--- a/metricbeat/module/openmetrics/_meta/fields.yml +++ b/metricbeat/module/openmetrics/_meta/fields.yml @@ -7,18 +7,41 @@ fields: - name: openmetrics type: group + release: beta description: > `openmetrics` contains metrics from endpoints that are following Openmetrics format. fields: # Order is important here, labels will match first, the rest are double + - name: help + type: keyword + description: > + Brief description of the MetricFamily + - name: type + type: keyword + description: > + Metric type + - name: unit + type: keyword + description: > + Metric unit - name: labels.* type: object object_type: keyword description: > - Prometheus metric labels + Openmetrics metric labels - name: metrics.* type: object object_type: double object_type_mapping_type: "*" description: > - Prometheus metric + Openmetrics metric + - name: exemplar.* + type: object + object_type: keyword + description: > + Openmetrics exemplars + - name: exemplar.labels.* + type: object + object_type: keyword + description: > + Openmetrics metric exemplar labels diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json index d20778fec4a..668e6a88751 100644 --- a/metricbeat/module/openmetrics/collector/_meta/data.json +++ b/metricbeat/module/openmetrics/collector/_meta/data.json @@ -15,11 +15,11 @@ "job": "openmetrics" }, "metrics": { - "node_network_carrier": 0 + "up": 1 } }, "service": { "address": "127.0.0.1:55555", "type": "openmetrics" } -} \ No newline at end of file +} diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml new file mode 100644 index 00000000000..a8369b90cf2 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml 
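Review bot: The new `exemplar.*` field is mapped with `object_type: keyword`, but the exemplar values the collector emits are numeric (the expected test output further down has `cnt_rulefires_deployment_total: 0.67`, `process_cpu_seconds_total: 17` and `timestamp: 1622302012000` under `exemplar`), so they will be indexed as strings and cannot be aggregated or range-queried. Consider a numeric mapping for the exemplar value and timestamp alongside the keyword mapping for `exemplar.labels.*`, keeping the label-before-number ordering the existing `# Order is important here` comment relies on. The `exemplar.*` description could also say what lives under it, e.g. `Openmetrics exemplar value (keyed by metric name) and timestamp`.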
@@ -0,0 +1,8 @@ +type: http +url: "/metrics" +content_type: "application/openmetrics-text" +suffix: plain +remove_fields_from_comparison: ["openmetrics.labels.instance"] +module: + enable_exemplars: false + enable_metadata: false diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain new file mode 100644 index 00000000000..d5f0fd96fab --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain @@ -0,0 +1,6 @@ +# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name. +# TYPE net_conntrack_listener_conn_accepted counter +net_conntrack_listener_conn_accepted_total{listener_name="http"} 3 +# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name. +# TYPE net_conntrack_listener_conn_closed counter +net_conntrack_listener_conn_closed_total{listener_name="http"} 0 diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json new file mode 100644 index 00000000000..e1244391ba7 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json 
@@ -0,0 +1,52 @@ +[ + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "up": 1 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" + }, + "metrics": { + "net_conntrack_listener_conn_accepted_total": 3, + "net_conntrack_listener_conn_closed_total": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + } +] diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml index a5d8ee128af..37f3a8443ac 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml @@ -1,4 +1,8 @@ type: http url: "/metrics" +content_type: "application/openmetrics-text" suffix: plain remove_fields_from_comparison: ["openmetrics.labels.instance"] +module: + enable_exemplars: true + enable_metadata: true diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain index 47c3b38aedb..d5f0fd96fab 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain 
@@ -1,11 +1,6 @@ -# HELP node_network_carrier carrier value of /sys/class/net/. -# TYPE node_network_carrier gauge -node_network_carrier{device="br-0cb306323b90"} 0 -node_network_carrier{device="br-10229e3512d9"} 0 -node_network_carrier{device="br-210476dc4ef8"} 0 -node_network_carrier{device="br-33d819d5f834"} 0 -node_network_carrier{device="br-38425a39f36b"} 0 -node_network_carrier{device="br-38feb0aad6ab"} 0 -node_network_carrier{device="br-3a285aa5e58c"} 0 -node_network_carrier{device="br-425cb4c454a6"} 0 -node_network_carrier{device="br-4e623477470e"} 0 +# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name. +# TYPE net_conntrack_listener_conn_accepted counter +net_conntrack_listener_conn_accepted_total{listener_name="http"} 3 +# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name. +# TYPE net_conntrack_listener_conn_closed counter +net_conntrack_listener_conn_closed_total{listener_name="http"} 0 diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json index 16f5001ba5e..04dd247087d 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json 
@@ -11,137 +11,13 @@ }, "openmetrics": { "labels": { - "device": "br-10229e3512d9", - "instance": "127.0.0.1:50135", + "instance": "127.0.0.1:55922", "job": "openmetrics" }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-425cb4c454a6", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-38425a39f36b", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "instance": "127.0.0.1:50135", - "job": "prometheus" - }, "metrics": { "up": 1 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-33d819d5f834", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": 
"openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-4e623477470e", - "instance": "127.0.0.1:50135", - "job": "openmetrics" }, - "metrics": { - "node_network_carrier": 0 - } + "type":"gauge" }, "service": { "address": "127.0.0.1:55555", @@ -159,39 +35,16 @@ "period": 10000 }, "openmetrics": { + "help": "Total number of connections opened to the listener of a given name.", "labels": { - "device": "br-210476dc4ef8", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" }, "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-0cb306323b90", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "net_conntrack_listener_conn_accepted_total": 3 }, - "metrics": { - "node_network_carrier": 0 - } + "type":"counter" }, "service": { "address": "127.0.0.1:55555", 
@@ -209,43 +62,20 @@ "period": 10000 }, "openmetrics": { + "help": "Total number of connections closed that were made to the listener of a given name.", "labels": { - "device": "br-38feb0aad6ab", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" }, "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-3a285aa5e58c", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "net_conntrack_listener_conn_closed_total": 0 }, - "metrics": { - "node_network_carrier": 0 - } + "type":"counter" }, "service": { "address": "127.0.0.1:55555", "type": "openmetrics" } } -] \ No newline at end of file +] diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain new file mode 100644 index 00000000000..eb046b4b71d --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain 
@@ -0,0 +1,23 @@ +# HELP my_counter_last_increment_timestamp_milliseconds When my_counter was last incremented +# TYPE my_counter_last_increment_timestamp_milliseconds gauge +# UNIT my_counter_last_increment_timestamp_milliseconds milliseconds +my_counter_last_increment_timestamp_milliseconds 123 +# TYPE disk_errors counter +# HELP disk_errors Count total disk errors +disk_errors_total{type="netapp"} 17.0 1520879607.789 +# TYPE app info +app_info{name="open metrics collector",version="6.3.9"} 1 +# TYPE collector info +collector_info{name="metrics collector",version="8.2.7"} 1 1622329674 +# TYPE enable_category stateset +enable_category{category="shoes"} 0 +enable_category{category="shirts"} 1 +enable_category{category="shades"} 0 +# TYPE connection_errors unknown +connection_errors 42 +# TYPE cnt_rulefires_deployment counter +cnt_rulefires_deployment_total 66666.0 # {trace_id="KOO5S4vxi0o"} 0.67 +# TYPE process_cpu_seconds counter +# UNIT process_cpu_seconds seconds +# HELP process_cpu_seconds Total user and system CPU time spent in seconds. Exemplar with timestamp and labels. +process_cpu_seconds_total{entity="controller",build="8.2.7"} 11111 1622301927 # {trace_id="0d482-ac43e-d9320-debfe"} 17.0 1622302012 diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json new file mode 100644 index 00000000000..ce7febdc874 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json 
@@ -0,0 +1,305 @@ +[ + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "help": "When my_counter was last incremented", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "my_counter_last_increment_timestamp_milliseconds": 123 + }, + "type":"gauge", + "unit":"milliseconds" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "up": 1 + }, + "type":"gauge" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "help": "Count total disk errors", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "type": "netapp" + }, + "metrics": { + "disk_errors_total": 17 + }, + "type":"counter" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "name": "open metrics collector", + "version": "6.3.9" + }, + "metrics": { + "app_info": 1 + }, + "type":"info" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + 
"name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "name": "metrics collector", + "version": "8.2.7" + }, + "metrics": { + "collector_info": 1 + }, + "type":"info" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shoes" + }, + "metrics": { + "enable_category": 0 + }, + "type":"stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shirts" + }, + "metrics": { + "enable_category": 1 + }, + "type":"stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shades" + }, + "metrics": { + "enable_category": 0 + }, + "type":"stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "connection_errors": 42 + }, + "type":"unknown" + }, + "service": { + 
"address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "exemplar": { + "cnt_rulefires_deployment_total":0.67, + "labels": { + "trace_id":"KOO5S4vxi0o" + } + }, + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "cnt_rulefires_deployment_total": 66666 + }, + "type":"counter" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "exemplar": { + "labels": { + "trace_id": "0d482-ac43e-d9320-debfe" + }, + "process_cpu_seconds_total": 17, + "timestamp": 1622302012000 + }, + "help": "Total user and system CPU time spent in seconds. Exemplar with timestamp and labels.", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "entity": "controller", + "build": "8.2.7" + }, + "metrics": { + "process_cpu_seconds_total": 11111 + }, + "type":"counter", + "unit":"seconds" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + } +] diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go index 6ce25dc9068..ab54dca1cfa 100644 --- a/metricbeat/module/openmetrics/collector/collector.go +++ b/metricbeat/module/openmetrics/collector/collector.go 
@@ -18,9 +18,16 @@ package collector import ( + "regexp" + + "github.com/pkg/errors" + "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + + "github.com/elastic/beats/v7/libbeat/common" + p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" - "github.com/elastic/beats/v7/metricbeat/module/prometheus/collector" ) const ( 
@@ -29,14 +36,246 @@ const ( ) var ( + // HostParser parses a OpenMetrics endpoint URL hostParser = parse.URLHostParserBuilder{ DefaultScheme: defaultScheme, DefaultPath: defaultPath, + PathConfigKey: "metrics_path", }.Build() + + upMetricName = "up" + upMetricType = textparse.MetricTypeGauge + upMetricInstanceLabel = "instance" + upMetricJobLabel = "job" + upMetricJobValue = "openmetrics" ) func init() { mb.Registry.MustAddMetricSet("openmetrics", "collector", - collector.MetricSetBuilder("openmetrics", collector.DefaultPromEventsGeneratorFactory), - mb.WithHostParser(hostParser)) + MetricSetBuilder("openmetrics", DefaultOpenMetricsEventsGeneratorFactory), + mb.WithHostParser(hostParser), + mb.DefaultMetricSet(), + ) +} + +// OpenMetricsEventsGenerator converts a OpenMetrics metric family into a OpenMetricEvent list +type OpenMetricsEventsGenerator interface { + // Start must be called before using the generator + Start() + + // converts a OpenMetrics metric family into a list of OpenMetricsEvents + GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent + + // Stop must be called when the generator won't be used anymore + Stop() +} + +// OpenMetricsEventsGeneratorFactory creates a OpenMetricsEventsGenerator when instanciating a metricset +type OpenMetricsEventsGeneratorFactory func(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) + +// MetricSet for fetching openmetrics data +type MetricSet struct { + mb.BaseMetricSet + openmetrics p.OpenMetrics + includeMetrics []*regexp.Regexp + excludeMetrics []*regexp.Regexp + namespace string + openMetricsEventsGen OpenMetricsEventsGenerator + host string + eventGenStarted bool + enableExemplars bool + enableMetadata bool +} + +// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using +// the given namespace and event generator +func MetricSetBuilder(namespace string, genFactory OpenMetricsEventsGeneratorFactory) func(base mb.BaseMetricSet) (mb.MetricSet, error) { + return 
func(base mb.BaseMetricSet) (mb.MetricSet, error) { + config := defaultConfig + if err := base.Module().UnpackConfig(&config); err != nil { + return nil, err + } + openmetrics, err := p.NewOpenMetricsClient(base) + if err != nil { + return nil, err + } + + openMetricsEventsGen, err := genFactory(base) + if err != nil { + return nil, err + } + + ms := &MetricSet{ + BaseMetricSet: base, + openmetrics: openmetrics, + namespace: namespace, + openMetricsEventsGen: openMetricsEventsGen, + eventGenStarted: false, + enableExemplars: config.EnableExemplars, + enableMetadata: config.EnableMetadata, + } + // store host here to use it as a pointer when building `up` metric + ms.host = ms.Host() + ms.excludeMetrics, err = p.CompilePatternList(config.MetricsFilters.ExcludeMetrics) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile exclude patterns") + } + ms.includeMetrics, err = p.CompilePatternList(config.MetricsFilters.IncludeMetrics) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile include patterns") + } + + return ms, nil + } +} + +// Fetch fetches data and reports it +func (m *MetricSet) Fetch(reporter mb.ReporterV2) error { + if !m.eventGenStarted { + m.openMetricsEventsGen.Start() + m.eventGenStarted = true + } + + families, err := m.openmetrics.GetFamilies() + eventList := map[textparse.MetricType]map[string]common.MapStr{} + if err != nil { + // send up event only + families = append(families, m.upMetricFamily(0.0)) + + // set the error to report it after sending the up event + err = errors.Wrap(err, "unable to decode response from openmetrics endpoint") + } else { + // add up event to the list + families = append(families, m.upMetricFamily(1.0)) + } + + for _, family := range families { + if m.skipFamily(family) { + continue + } + openMetricsEvents := m.openMetricsEventsGen.GenerateOpenMetricsEvents(family) + + for _, openMetricEvent := range openMetricsEvents { + var labelsHash string + if m.enableMetadata { + labelsHash = 
openMetricEvent.MetaDataHash() + } else { + labelsHash = openMetricEvent.LabelsHash() + } + if _, ok := eventList[openMetricEvent.Type]; !ok { + eventList[openMetricEvent.Type] = make(map[string]common.MapStr) + } + if _, ok := eventList[openMetricEvent.Type][labelsHash]; !ok { + eventList[openMetricEvent.Type][labelsHash] = common.MapStr{} + + // Add default instance label if not already there + if exists, _ := openMetricEvent.Labels.HasKey(upMetricInstanceLabel); !exists { + openMetricEvent.Labels.Put(upMetricInstanceLabel, m.Host()) + } + // Add default job label if not already there + if exists, _ := openMetricEvent.Labels.HasKey("job"); !exists { + openMetricEvent.Labels.Put("job", m.Module().Name()) + } + // Add labels + if len(openMetricEvent.Labels) > 0 { + eventList[openMetricEvent.Type][labelsHash]["labels"] = openMetricEvent.Labels + } + } + + if m.enableMetadata { + if openMetricEvent.Help != "" { + eventList[openMetricEvent.Type][labelsHash]["help"] = openMetricEvent.Help + } + if openMetricEvent.Type != "" { + eventList[openMetricEvent.Type][labelsHash]["type"] = openMetricEvent.Type + } + if openMetricEvent.Unit != "" { + eventList[openMetricEvent.Type][labelsHash]["unit"] = openMetricEvent.Unit + } + } + + if m.enableExemplars && len(openMetricEvent.Exemplars) > 0 { + eventList[openMetricEvent.Type][labelsHash]["exemplar"] = openMetricEvent.Exemplars + } + // Accumulate metrics in the event + eventList[openMetricEvent.Type][labelsHash].DeepUpdate(openMetricEvent.Data) + } + } + + // Report events + for _, e := range eventList { + for _, ev := range e { + isOpen := reporter.Event(mb.Event{ + RootFields: common.MapStr{m.namespace: ev}, + }) + if !isOpen { + break + } + } + } + + return err +} + +// Close stops the metricset +func (m *MetricSet) Close() error { + if m.eventGenStarted { + m.openMetricsEventsGen.Stop() + } + return nil +} + +func (m *MetricSet) upMetricFamily(value float64) *p.OpenMetricFamily { + gauge := p.Gauge{ + Value: &value, + } + 
label1 := labels.Label{ + Name: upMetricInstanceLabel, + Value: m.host, + } + label2 := labels.Label{ + Name: upMetricJobLabel, + Value: m.Module().Name(), + } + metric := p.OpenMetric{ + Gauge: &gauge, + Label: []*labels.Label{&label1, &label2}, + } + return &p.OpenMetricFamily{ + Name: &upMetricName, + Type: textparse.MetricType(upMetricType), + Metric: []*p.OpenMetric{&metric}, + } +} + +func (m *MetricSet) skipFamily(family *p.OpenMetricFamily) bool { + if family == nil || family.Name == nil { + return false + } + return m.skipFamilyName(*family.Name) +} + +func (m *MetricSet) skipFamilyName(family string) bool { + // example: + // include_metrics: + // - node_* + // exclude_metrics: + // - node_disk_* + // + // This would mean that we want to keep only the metrics that start with node_ prefix but + // are not related to disk so we exclude node_disk_* metrics from them. + + // if include_metrics are defined, check if this metric should be included + if len(m.includeMetrics) > 0 { + if !p.MatchMetricFamily(family, m.includeMetrics) { + return true + } + } + // now exclude the metric if it matches any of the given patterns + if len(m.excludeMetrics) > 0 { + if p.MatchMetricFamily(family, m.excludeMetrics) { + return true + } + } + return false } diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index 06a48f15a0b..dd798676612 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go 
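Review bot: In `Fetch`, `if !isOpen { break }` only leaves the inner `for _, ev := range e` loop, so once the reporter reports closed the outer loop over `eventList` keeps calling `reporter.Event` for every remaining metric type; `if !isOpen { return err }` stops at the first closed signal and still surfaces the decode error. `skipFamily` returns `false` for a nil family, so a nil entry in `families` is handed straight to `GenerateOpenMetricsEvents`; returning `true` for `family == nil` is safer, and a family with a nil `Name` currently bypasses `include_metrics` entirely, which may be intended but deserves a comment on that branch. The comment `store host here to use it as a pointer when building up metric` is misleading since `host` is a plain `string` field; `// cache Host() once for upMetricFamily` describes what the line does.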
@@ -23,6 +23,15 @@ package collector import ( "testing" + "github.com/golang/protobuf/proto" + prometheuslabels "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" + "github.com/elastic/beats/v7/metricbeat/mb" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" _ "github.com/elastic/beats/v7/metricbeat/module/openmetrics" 
@@ -31,3 +40,361 @@ import ( func TestData(t *testing.T) { mbtest.TestDataFiles(t, "openmetrics", "collector") } + +func TestSameLabels(t *testing.T) { + dataConfig := mbtest.ReadDataConfig(t, "_meta/samelabeltestdata/config.yml") + mbtest.TestDataFilesWithConfig(t, "openmetrics", "collector", dataConfig) +} +func TestGetOpenMetricsEventsFromMetricFamily(t *testing.T) { + labels := common.MapStr{ + "handler": "query", + } + tests := []struct { + Family *openmetrics.OpenMetricFamily + Event []OpenMetricEvent + }{ + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Name: proto.String("http_request_duration_microseconds_total"), + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_total": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeCounter, + Labels: labels, + Exemplars: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeGauge, + Metric: []*openmetrics.OpenMetric{ + { + Gauge: &openmetrics.Gauge{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeGauge, + Labels: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeSummary, + Metric: []*openmetrics.OpenMetric{ + { + Summary: 
&openmetrics.Summary{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Quantile: []*openmetrics.Quantile{ + { + Quantile: proto.Float64(0.99), + Value: proto.Float64(10), + }, + }, + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_count": uint64(10), + "http_request_duration_microseconds_sum": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeSummary, + Labels: common.MapStr{}, + }, + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Labels: common.MapStr{ + "quantile": "0.99", + }, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeHistogram, + Metric: []*openmetrics.OpenMetric{ + { + Histogram: &openmetrics.Histogram{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Bucket: []*openmetrics.Bucket{ + { + UpperBound: proto.Float64(0.99), + CumulativeCount: proto.Uint64(10), + }, + }, + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_count": uint64(10), + "http_request_duration_microseconds_sum": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeHistogram, + Labels: common.MapStr{}, + }, + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_bucket": uint64(10), + }, + }, + Labels: common.MapStr{"le": "0.99"}, + Exemplars: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeUnknown, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Unknown: &openmetrics.Unknown{ + Value: 
proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeUnknown, + Labels: labels, + }, + }, + }, + } + + p := openmetricEventGenerator{} + for _, test := range tests { + event := p.GenerateOpenMetricsEvents(test.Family) + assert.Equal(t, test.Event, event) + } +} + +func TestSkipMetricFamily(t *testing.T) { + testFamilies := []*openmetrics.OpenMetricFamily{ + { + Name: proto.String("http_request_duration_microseconds_a_a_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_a_b_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_b_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeGauge, + Metric: []*openmetrics.OpenMetric{ + { + Gauge: &openmetrics.Gauge{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_c_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeSummary, + Metric: []*openmetrics.OpenMetric{ + { + Summary: &openmetrics.Summary{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Quantile: []*openmetrics.Quantile{ + { + Quantile: proto.Float64(0.99), + Value: proto.Float64(10), + }, + }, + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_d_in"), + Help: proto.String("foo"), + Type: 
textparse.MetricTypeHistogram, + Metric: []*openmetrics.OpenMetric{ + { + Histogram: &openmetrics.Histogram{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Bucket: []*openmetrics.Bucket{ + { + UpperBound: proto.Float64(0.99), + CumulativeCount: proto.Uint64(10), + }, + }, + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_e_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeUnknown, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Unknown: &openmetrics.Unknown{ + Value: proto.Float64(10), + }, + }, + }, + }, + } + + ms := &MetricSet{ + BaseMetricSet: mb.BaseMetricSet{}, + } + + // test with no filters + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) + metricsToKeep := 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, metricsToKeep, len(testFamilies)) + + // test with only one include filter + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, metricsToKeep, 2) + + // test with only one exclude filter + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{""}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, len(testFamilies)-2, metricsToKeep) + + // test with one include and one exclude + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) 
+ ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, 1, metricsToKeep) + +} diff --git a/metricbeat/module/openmetrics/collector/config.go b/metricbeat/module/openmetrics/collector/config.go new file mode 100644 index 00000000000..0e5a9884db4 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/config.go 
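Review bot: The "only one exclude filter" case in TestSkipMetricFamily compiles `&[]string{""}` as the include list while the "no filters" case uses `&[]string{}`; skipFamilyName only consults the include list when it is non-empty, so whether `""` becomes a zero-length list or a real pattern decides what this case exercises, and it should use `&[]string{}` like the others unless the empty pattern is deliberate (then a comment should say so). Every `openmetrics.CompilePatternList` error is discarded with `_`; in a test that should be `assert.NoError(t, err)` so a bad pattern fails loudly instead of yielding a nil list that silently takes the "no filters" path. The first assertion reverses the argument order used by the later ones (`assert.Equal(t, metricsToKeep, len(testFamilies))` vs `assert.Equal(t, 1, metricsToKeep)`); testify prints the first argument as "expected", so keep the expected value first throughout. In TestGetOpenMetricsEventsFromMetricFamily the table cases are unnamed and asserted in one loop, so a failure does not say which family type broke; a `name` field with `t.Run(test.name, ...)` would fix that.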
@@ -0,0 +1,42 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package collector
+
+type metricsetConfig struct {
+ MetricsFilters MetricFilters `config:"metrics_filters" yaml:"metrics_filters,omitempty"`
+ EnableExemplars bool `config:"enable_exemplars" yaml:"enable_exemplars,omitempty"`
+ EnableMetadata bool `config:"enable_metadata" yaml:"enable_metadata,omitempty"`
+}
+
+type MetricFilters struct {
+ IncludeMetrics *[]string `config:"include" yaml:"include,omitempty"`
+ ExcludeMetrics *[]string `config:"exclude" yaml:"exclude,omitempty"`
+}
+
+var defaultConfig = metricsetConfig{
+ MetricsFilters: MetricFilters{
+ IncludeMetrics: nil,
+ ExcludeMetrics: nil},
+ EnableExemplars: false,
+ EnableMetadata: false,
+}
+
+func (c *metricsetConfig) Validate() error {
+ // validate configuration here
+ return nil
+}
diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go
new file mode 100644
index 00000000000..a3b83ccd818
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/data.go
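Review bot: `Validate` is a stub (`// validate configuration here` followed by `return nil`), so a malformed include/exclude pattern is not rejected at configuration time; the test file in this change shows the patterns are compiled later with `openmetrics.CompilePatternList`, so Validate could run that compile on `MetricsFilters.IncludeMetrics` and `ExcludeMetrics` and return its error, or the method should be dropped until it checks something. `defaultConfig` spells out `IncludeMetrics: nil, ExcludeMetrics: nil` and `false` for both booleans, which are the zero values anyway; `var defaultConfig metricsetConfig` says the same with nothing to keep in sync. The exported `MetricFilters` type and `metricsetConfig` have no doc comments; something like `// MetricFilters holds wildcard patterns selecting which metric families are kept (include) and dropped (exclude).` would document the user-facing option.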
@@ -0,0 +1,289 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package collector + +import ( + "math" + "strconv" + + "github.com/prometheus/prometheus/pkg/textparse" + + p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/labelhash" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +// OpenMetricEvent stores a set of one or more metrics with the same labels +type OpenMetricEvent struct { + Data common.MapStr + Labels common.MapStr + Help string + Type textparse.MetricType + Unit string + Exemplars common.MapStr +} + +// LabelsHash returns a repeatable string that is unique for the set of labels in this event +func (p *OpenMetricEvent) LabelsHash() string { + return labelhash.LabelHash(p.Labels) +} +func (p *OpenMetricEvent) MetaDataHash() string { + m := common.MapStr{} + m.DeepUpdate(p.Labels) + if len(p.Help) > 0 { + m["help"] = p.Help + } + if len(p.Type) > 0 { + m["type"] = p.Type + } + if len(p.Unit) > 0 { + m["unit"] = p.Unit + } + return labelhash.LabelHash(m) +} + +// DefaultOpenMetricEventsGeneratorFactory returns the default OpenMetrics events generator +func 
DefaultOpenMetricsEventsGeneratorFactory(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) { + return &openmetricEventGenerator{}, nil +} + +type openmetricEventGenerator struct{} + +func (p *openmetricEventGenerator) Start() {} +func (p *openmetricEventGenerator) Stop() {} + +// Default openmetricEventsGenerator stores all OpenMetrics metrics using +// only double field type in Elasticsearch. +func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent { + var events []OpenMetricEvent + + name := *mf.Name + metrics := mf.Metric + help := "" + unit := "" + if mf.Help != nil { + help = *mf.Help + } + if mf.Unit != nil { + unit = *mf.Unit + } + + for _, metric := range metrics { + labels := common.MapStr{} + mn := metric.GetName() + + if len(metric.Label) != 0 { + for _, label := range metric.Label { + if label.Name != "" && label.Value != "" { + labels[label.Name] = label.Value + } + } + } + + exemplars := common.MapStr{} + if metric.Exemplar != nil { + exemplars = common.MapStr{*mn: metric.Exemplar.Value} + if metric.Exemplar.HasTs { + exemplars.Put("timestamp", metric.Exemplar.Ts) + } + for _, label := range metric.Exemplar.Labels { + if label.Name != "" && label.Value != "" { + exemplars.Put("labels."+label.Name, label.Value) + } + } + } + + counter := metric.GetCounter() + if counter != nil { + if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeCounter, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + *mn: counter.GetValue(), + }, + }, + Labels: labels, + Exemplars: exemplars, + }) + } + } + + gauge := metric.GetGauge() + if gauge != nil { + if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeGauge, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: 
gauge.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + info := metric.GetInfo() + if info != nil { + if info.HasValidValue() { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeInfo, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: info.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + stateset := metric.GetStateset() + if stateset != nil { + if stateset.HasValidValue() { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeStateset, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: stateset.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + summary := metric.GetSummary() + if summary != nil { + if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeSummary, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name + "_sum": summary.GetSampleSum(), + name + "_count": summary.GetSampleCount(), + }, + }, + Labels: labels, + }) + } + + for _, quantile := range summary.GetQuantile() { + if math.IsNaN(quantile.GetValue()) || math.IsInf(quantile.GetValue(), 0) { + continue + } + + quantileLabels := labels.Clone() + quantileLabels["quantile"] = strconv.FormatFloat(quantile.GetQuantile(), 'f', -1, 64) + events = append(events, OpenMetricEvent{ + Data: common.MapStr{ + "metrics": common.MapStr{ + name: quantile.GetValue(), + }, + }, + Labels: quantileLabels, + }) + } + } + + histogram := metric.GetHistogram() + if histogram != nil { + if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) { + var sum = "_sum" + var count = "_count" + var typ = textparse.MetricTypeHistogram + if histogram.IsGaugeHistogram { + sum = "_gsum" + count = "_gcount" + typ = textparse.MetricTypeGaugeHistogram + } + + events = append(events, OpenMetricEvent{ + Type: typ, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name + sum: 
histogram.GetSampleSum(), + name + count: histogram.GetSampleCount(), + }, + }, + Labels: labels, + }) + } + + for _, bucket := range histogram.GetBucket() { + if bucket.GetCumulativeCount() == uint64(math.NaN()) || bucket.GetCumulativeCount() == uint64(math.Inf(0)) { + continue + } + + if bucket.Exemplar != nil { + exemplars = common.MapStr{name: bucket.Exemplar.Value} + if bucket.Exemplar.HasTs { + exemplars.Put("timestamp", bucket.Exemplar.Ts) + } + for _, label := range bucket.Exemplar.Labels { + if label.Name != "" && label.Value != "" { + exemplars.Put("labels."+label.Name, label.Value) + } + } + } + + bucketLabels := labels.Clone() + bucketLabels["le"] = strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64) + + events = append(events, OpenMetricEvent{ + Data: common.MapStr{ + "metrics": common.MapStr{ + name + "_bucket": bucket.GetCumulativeCount(), + }, + }, + Labels: bucketLabels, + Exemplars: exemplars, + }) + } + } + + unknown := metric.GetUnknown() + if unknown != nil { + if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeUnknown, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: unknown.GetValue(), + }, + }, + Labels: labels, + }) + } + } + } + return events +} diff --git a/metricbeat/module/openmetrics/fields.go b/metricbeat/module/openmetrics/fields.go index b54ac18df5f..27c738406f9 100644 --- a/metricbeat/module/openmetrics/fields.go +++ b/metricbeat/module/openmetrics/fields.go 
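Review bot: In the bucket loop of GenerateOpenMetricsEvents, `exemplars` is the per-metric variable and is only overwritten when `bucket.Exemplar != nil`, so a bucket without an exemplar is emitted carrying the previous bucket's (or the metric's) exemplar; declaring a fresh `bucketExemplars := common.MapStr{}` at the top of the loop, filling it from `bucket.Exemplar`, and passing it as `Exemplars:` fixes that, unless the metric-level exemplar is meant to apply to every bucket, in which case a comment should say so. The guard `bucket.GetCumulativeCount() == uint64(math.NaN()) || bucket.GetCumulativeCount() == uint64(math.Inf(0))` cannot do what it intends: the count is already a uint64, which has no NaN or Inf, and converting those floats to uint64 is implementation-dependent in Go, so the check should be removed. `name := *mf.Name` and the `*mn` dereferences in the exemplar and counter paths have no nil check, while `skipFamily` in collector.go deliberately lets a family with `Name == nil` through, so such a family would panic here rather than be dropped; `if mf.Name == nil { return nil }` (and a matching guard on `mn`) keeps the two in agreement. The receiver `p` on the generator and event methods shadows the package alias `p` inside their bodies, which will bite as soon as a body needs a type from that package; a receiver named `g` or `e` avoids it. The comment on `DefaultOpenMetricsEventsGeneratorFactory` names it `DefaultOpenMetricEventsGeneratorFactory`, and `MetaDataHash` has no doc comment.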
@@ -32,5 +32,5 @@ func init() { // AssetOpenmetrics returns asset data. // This is the base64 encoded zlib format compressed contents of module/openmetrics. func AssetOpenmetrics() string { - return "eJycUsFuqzAQvPMVI94hUpTkAzi8X8i7P1WJwQu4sb3WelGUv68I0JK0PbRznGHYmZH3uNCtAieKgVRckwtAnXqqsDl+sJsCEPJkMlWoSU0BWMqNuKSOY4W/BQCsHAhsB08FkEnVxS5X+F/2qqncoczZly8F0DryNld38x7RBHoOM0JviSp0wkOamS9ujzivvGc0HNW4mLFEaoUDKNrELmqG9kZhhNCy93x1sXso0LIEo4f55+ukI/7gKJYELsOFxKImKnoS2sGbmnzG1XmPYLTp0TrJuoP2BKE8HbU81Pd9JiztJ/Nh+y4s9bl+pUZX9EScJvVCtyuLXcnfTDTin3Ag7WlYppmvfgozT/HjNE/dHtRTMCm52M2fltvyl6FXaR+f5lsAAAD//0qh20E=" + return "eJzElL2O1EAQhHM/RckEJ5327gEcEBCQoXsAhO7Gdttudv7U09bit0f+W+w1BCwIKmzPVH1TM/ITzjQUCJG8IxWuUgYoq6UCDy8/pg8ZIGTJJCpQkpoMqClVwlE5+ALvMwDY7IALdW8pAxKpsm9Tgc95pxrzE/KUbP4lAxomW6di2vwEbxzdwozSIVKBVkIfl8kty6if8Ix62/i9oQpeDfuEFbOR4EC+joG9JmhnFEYITbA2XNi3u0M1QZzR58V8Sz/qHV6kJgEnsItB1HhFR0InWFOSTbiwtXBGqw4NS9ITtCMIpTm0Dn05dTZrbaQjG6/DtY4zDZcg9Wb+iwJGfRCmZrsAoZmiP00H+2gc2+GQOwb9We5svzda3XvP+lfcd0ar+1z48+MhIZRfqdoGz4PXO/J3z31mmWMPNMuq38a5eRC7r6/OxMi+XZbmj/m91Adc+kYuWiP/rr418VjdleU/3eiaf7za/U/oewAAAP//WDeHdA==" } diff --git a/metricbeat/module/system/_meta/config.yml b/metricbeat/module/system/_meta/config.yml index 3f22bc5a496..d13c0ca4683 100644 --- a/metricbeat/module/system/_meta/config.yml +++ b/metricbeat/module/system/_meta/config.yml @@ -17,8 +17,8 @@ process.include_top_n: by_cpu: 5 # include top 5 processes by CPU by_memory: 5 # include top 5 processes by memory - # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container - #system.hostfs: "/hostfs" +# Configure the mount point of the host’s filesystem for use in monitoring a host from within a container +#system.hostfs: "/hostfs" - module: system period: 1m diff --git a/metricbeat/module/system/core/core.go b/metricbeat/module/system/core/core.go index 3e35800bfbc..349d45b838f 100644 --- a/metricbeat/module/system/core/core.go 
+++ b/metricbeat/module/system/core/core.go @@ -26,6 +26,7 @@ import ( metrics "github.com/elastic/beats/v7/metricbeat/internal/metrics/cpu" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/system" ) func init() { @@ -56,11 +57,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { if config.CPUTicks != nil && *config.CPUTicks { config.Metrics = append(config.Metrics, "ticks") } - + sys := base.Module().(system.SystemModule) return &MetricSet{ BaseMetricSet: base, opts: opts, - cores: metrics.New(""), + cores: metrics.New(sys.GetHostFS()), }, nil } diff --git a/metricbeat/module/system/cpu/cpu.go b/metricbeat/module/system/cpu/cpu.go index f992194d9b3..b530dab0879 100644 --- a/metricbeat/module/system/cpu/cpu.go +++ b/metricbeat/module/system/cpu/cpu.go @@ -27,6 +27,7 @@ import ( metrics "github.com/elastic/beats/v7/metricbeat/internal/metrics/cpu" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/system" ) func init() { @@ -58,11 +59,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { if config.CPUTicks != nil && *config.CPUTicks { config.Metrics = append(config.Metrics, "ticks") } - + sys := base.Module().(system.SystemModule) return &MetricSet{ BaseMetricSet: base, opts: opts, - cpu: metrics.New(""), + cpu: metrics.New(sys.GetHostFS()), }, nil } diff --git a/metricbeat/module/system/diskio/diskio.go b/metricbeat/module/system/diskio/diskio.go index c4c79e3f6e9..20ec9e3f213 100644 --- a/metricbeat/module/system/diskio/diskio.go +++ b/metricbeat/module/system/diskio/diskio.go 
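Review bot: `sys := base.Module().(system.SystemModule)` in core.New is an unchecked type assertion, so a module value that does not implement system.SystemModule panics inside a constructor that already returns an error; use the two-value form, `sys, ok := base.Module().(system.SystemModule)` followed by `if !ok { return nil, fmt.Errorf("unexpected module type %T", base.Module()) }`. The same line appears in cpu.New in this hunk and in the entropy, memory, process and raid constructors further down, and each file's import block would need `fmt` if it is not already there (the visible import hunks show only part of each block). The removed blank line before the new assignment also leaves it glued to the preceding `if` block; keeping the blank line preserves the existing spacing style.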
@@ -21,13 +21,10 @@ package diskio import ( - "os" - "path/filepath" "runtime" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/metric/system/diskio" - "github.com/elastic/beats/v7/libbeat/paths" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" @@ -63,7 +60,6 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { if err := base.Module().UnpackConfig(&config); err != nil { return nil, err } - os.Setenv("HOST_PROC", filepath.Join(paths.Paths.Hostfs, "/proc")) return &MetricSet{ BaseMetricSet: base, diff --git a/metricbeat/module/system/entropy/entropy.go b/metricbeat/module/system/entropy/entropy.go index 502ff29f933..f42ac41bac5 100644 --- a/metricbeat/module/system/entropy/entropy.go +++ b/metricbeat/module/system/entropy/entropy.go @@ -23,6 +23,7 @@ package entropy import ( "io/ioutil" "path" + "path/filepath" "strconv" "strings" @@ -30,8 +31,8 @@ import ( "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/cfgwarn" - "github.com/elastic/beats/v7/libbeat/paths" "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/module/system" ) // init registers the MetricSet with the central registry as soon as the program @@ -56,7 +57,8 @@ type MetricSet struct { func New(base mb.BaseMetricSet) (mb.MetricSet, error) { cfgwarn.Beta("The system entropy metricset is beta.") - totalPath := paths.Resolve(paths.Hostfs, "/proc/sys/kernel/random") + sys := base.Module().(system.SystemModule) + totalPath := filepath.Join(sys.GetHostFS(), "/proc/sys/kernel/random") return &MetricSet{ BaseMetricSet: base, diff --git a/metricbeat/module/system/fields.go b/metricbeat/module/system/fields.go index 28a26765696..10611be6660 100644 --- a/metricbeat/module/system/fields.go +++ b/metricbeat/module/system/fields.go 
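Review bot: The diskio hunk deletes `os.Setenv("HOST_PROC", filepath.Join(paths.Paths.Hostfs, "/proc"))` without adding a replacement, whereas the other metricsets in this change pass `sys.GetHostFS()` into their collectors; nothing in this hunk hands the hostfs path to the diskio library, so if that library still reads HOST_PROC, monitoring a host from inside a container loses the host's diskio data. If the path now reaches the library another way, a one-line comment at the removal site naming it would stop this reading as a regression; otherwise the same `sys := base.Module().(system.SystemModule)` plumbing as entropy.New is needed here. In entropy.New, `filepath.Join(sys.GetHostFS(), "/proc/sys/kernel/random")` replaces `paths.Resolve(paths.Hostfs, ...)`; whether the two agree for an empty hostfs depends on paths.Resolve, which is not shown, so a short comment stating that an empty hostfs is meant to resolve to the local `/proc` would help the reader.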
@@ -32,5 +32,5 @@ func init() { // AssetSystem returns asset data. // This is the base64 encoded zlib format compressed contents of module/system. func AssetSystem() string { - return "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" + return "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" } diff --git a/metricbeat/module/system/filesystem/_meta/fields.yml b/metricbeat/module/system/filesystem/_meta/fields.yml index a66f7efb41e..0c1e7d55619 100644 --- a/metricbeat/module/system/filesystem/_meta/fields.yml +++ b/metricbeat/module/system/filesystem/_meta/fields.yml @@ -16,7 +16,7 @@ - name: type type: keyword description: > - The disk type. For example: `ext4` + The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks). - name: mount_point type: keyword description: > diff --git a/metricbeat/module/system/filesystem/filesystem.go b/metricbeat/module/system/filesystem/filesystem.go index 579f1daaf6d..98633fd4345 100644 --- a/metricbeat/module/system/filesystem/filesystem.go +++ b/metricbeat/module/system/filesystem/filesystem.go @@ -78,15 +78,23 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } for _, fs := range fss { - fsStat, err := GetFileSystemStat(fs) + stat, err := GetFileSystemStat(fs) + addStats := true if err != nil { - debugf("error getting filesystem stats for '%s': %v", fs.DirName, err) - continue + addStats = false + m.Logger().Debugf("error fetching filesystem stats for '%s': %v", fs.DirName, err) } - AddFileSystemUsedPercentage(fsStat) + fsStat := FSStat{ + FileSystemUsage: stat, + DevName: fs.DevName, + Mount: fs.DirName, + SysTypeName: fs.SysTypeName, + } + + AddFileSystemUsedPercentage(&fsStat) event := mb.Event{ - MetricSetFields: GetFilesystemEvent(fsStat), + MetricSetFields: GetFilesystemEvent(&fsStat, addStats), } if !r.Event(event) { return nil 
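Review bot: In filesystem.Fetch, when `GetFileSystemStat` fails the new code still calls `AddFileSystemUsedPercentage(&fsStat)` on a zero-valued `FileSystemUsage` before emitting the event with `addStats=false`; that computation is meaningless for an unavailable filesystem and, depending on how the percentage is derived (its body is outside this hunk), may produce NaN/Inf or a division by zero. Guarding it as `if addStats { AddFileSystemUsedPercentage(&fsStat) }` keeps the error path to what the event actually reports. The debug message still reads as though the entry was dropped; since an event is now emitted anyway, wording such as `"error fetching filesystem stats for '%s', reporting without usage: %v"` makes the new behaviour visible in logs. The enclosing `for` loop and Fetch continue outside the hunk.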
diff --git a/metricbeat/module/system/filesystem/helper.go b/metricbeat/module/system/filesystem/helper.go index b42504d8825..29b68a34d4d 100644 --- a/metricbeat/module/system/filesystem/helper.go +++ b/metricbeat/module/system/filesystem/helper.go @@ -110,20 +110,13 @@ func filterFileSystemList(fsList []sigar.FileSystem) []sigar.FileSystem { } // GetFileSystemStat retreves stats for a single filesystem -func GetFileSystemStat(fs sigar.FileSystem) (*FSStat, error) { +func GetFileSystemStat(fs sigar.FileSystem) (sigar.FileSystemUsage, error) { stat := sigar.FileSystemUsage{} + // In some case for Windows OS the disk type value will be `unavailable` and access to this information is not allowed (ex. external disks). if err := stat.Get(fs.DirName); err != nil { - return nil, err - } - - filesystem := FSStat{ - FileSystemUsage: stat, - DevName: fs.DevName, - Mount: fs.DirName, - SysTypeName: fs.SysTypeName, + return stat, err } - - return &filesystem, nil + return stat, nil } // AddFileSystemUsedPercentage adds usage data to the filesystem struct @@ -137,18 +130,20 @@ func AddFileSystemUsedPercentage(f *FSStat) { } // GetFilesystemEvent turns a stat struct into a MapStr -func GetFilesystemEvent(fsStat *FSStat) common.MapStr { +func GetFilesystemEvent(fsStat *FSStat, addStats bool) common.MapStr { evt := common.MapStr{ "type": fsStat.SysTypeName, "device_name": fsStat.DevName, "mount_point": fsStat.Mount, - "total": fsStat.Total, - "available": fsStat.Avail, - "free": fsStat.Free, - "used": common.MapStr{ + } + if addStats == true { + evt.Put("total", fsStat.Total) + evt.Put("available", fsStat.Avail) + evt.Put("free", fsStat.Free) + evt.Put("used", common.MapStr{ "pct": fsStat.UsedPercent, "bytes": fsStat.Used, - }, + }) } if runtime.GOOS != "windows" { evt.Put("files", fsStat.Files) diff --git a/metricbeat/module/system/filesystem/helper_test.go b/metricbeat/module/system/filesystem/helper_test.go index 1f7d0027f5a..126a44d38a3 100644 
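Review bot: `if addStats == true {` in GetFilesystemEvent compares a bool to a literal; write `if addStats {`. The comment added inside GetFileSystemStat talks about the filesystem type value being `unavailable`, but this function fetches usage numbers and nothing in it sets a type, so the comment belongs at the call site that decides `addStats` or on the `type` field; a more accurate comment here is `// stat.Get can fail for filesystems the process may not inspect (e.g. external disks on Windows); callers decide whether to still report the entry.` The new signature returns `(sigar.FileSystemUsage, error)` and on failure hands back the partially zeroed `stat` together with the error, so the doc comment should state that the usage value is meaningless when err is non-nil. The pre-existing typo `retreves` in that doc comment could be fixed while the function is being touched.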
--- a/metricbeat/module/system/filesystem/helper_test.go +++ b/metricbeat/module/system/filesystem/helper_test.go @@ -60,7 +60,7 @@ func TestFileSystemList(t *testing.T) { assert.True(t, (stat.Used >= 0)) if runtime.GOOS != "windows" { - assert.NotEqual(t, "", stat.SysTypeName) + assert.NotEqual(t, "", fs.SysTypeName) } } } diff --git a/metricbeat/module/system/fsstat/fsstat.go b/metricbeat/module/system/fsstat/fsstat.go index ab80640a0c4..6a963dbaf6f 100644 --- a/metricbeat/module/system/fsstat/fsstat.go +++ b/metricbeat/module/system/fsstat/fsstat.go @@ -85,7 +85,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { m.Logger().Debugf("error fetching filesystem stats for '%s': %v", fs.DirName, err) continue } - m.Logger().Debugf("filesystem: %s total=%d, used=%d, free=%d", stat.Mount, stat.Total, stat.Used, stat.Free) + m.Logger().Debugf("filesystem: %s total=%d, used=%d, free=%d", fs.DirName, stat.Total, stat.Used, stat.Free) totalFiles += stat.Files totalSize += stat.Total diff --git a/metricbeat/module/system/load/load.go b/metricbeat/module/system/load/load.go index 8e49c60a884..a671f41636a 100644 --- a/metricbeat/module/system/load/load.go +++ b/metricbeat/module/system/load/load.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || openbsd -// +build darwin freebsd linux openbsd +//go:build darwin || freebsd || linux || openbsd || aix +// +build darwin freebsd linux openbsd aix package load diff --git a/metricbeat/module/system/load/load_test.go b/metricbeat/module/system/load/load_test.go index 0c5f73caf8a..208f75e2157 100644 --- a/metricbeat/module/system/load/load_test.go +++ b/metricbeat/module/system/load/load_test.go 
@@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || openbsd -// +build darwin freebsd linux openbsd +//go:build darwin || freebsd || linux || openbsd || aix +// +build darwin freebsd linux openbsd aix package load diff --git a/metricbeat/module/system/memory/memory.go b/metricbeat/module/system/memory/memory.go index 4a4da3cd9ed..af4dbb7f9d2 100644 --- a/metricbeat/module/system/memory/memory.go +++ b/metricbeat/module/system/memory/memory.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || openbsd || windows -// +build darwin freebsd linux openbsd windows +//go:build darwin || freebsd || linux || openbsd || windows || aix +// +build darwin freebsd linux openbsd windows aix package memory @@ -28,6 +28,7 @@ import ( metrics "github.com/elastic/beats/v7/metricbeat/internal/metrics/memory" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/system" ) func init() { @@ -40,17 +41,19 @@ func init() { // MetricSet for fetching system memory metrics. type MetricSet struct { mb.BaseMetricSet + mod system.SystemModule } // New is a mb.MetricSetFactory that returns a memory.MetricSet. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - return &MetricSet{BaseMetricSet: base}, nil + sys := base.Module().(system.SystemModule) + return &MetricSet{BaseMetricSet: base, mod: sys}, nil } // Fetch fetches memory metrics from the OS. func (m *MetricSet) Fetch(r mb.ReporterV2) error { - eventRaw, err := metrics.Get("") + eventRaw, err := metrics.Get(m.mod.GetHostFS()) if err != nil { return errors.Wrap(err, "error fetching memory metrics") } diff --git a/metricbeat/module/system/network/network.go b/metricbeat/module/system/network/network.go index 63b33da4944..7ed4199d440 100644 
--- a/metricbeat/module/system/network/network.go +++ b/metricbeat/module/system/network/network.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || windows -// +build darwin freebsd linux windows +//go:build darwin || freebsd || linux || windows || aix +// +build darwin freebsd linux windows aix package network diff --git a/metricbeat/module/system/network/network_test.go b/metricbeat/module/system/network/network_test.go index 11b8b433de9..d7fda561b15 100644 --- a/metricbeat/module/system/network/network_test.go +++ b/metricbeat/module/system/network/network_test.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || windows -// +build darwin freebsd linux windows +//go:build darwin || freebsd || linux || windows || aix +// +build darwin freebsd linux windows aix package network diff --git a/metricbeat/module/system/process/process.go b/metricbeat/module/system/process/process.go index 875387ffefb..72eefa19d54 100644 --- a/metricbeat/module/system/process/process.go +++ b/metricbeat/module/system/process/process.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || windows -// +build darwin freebsd linux windows +//go:build darwin || freebsd || linux || windows || aix +// +build darwin freebsd linux windows aix package process @@ -30,9 +30,9 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/metric/system/cgroup" "github.com/elastic/beats/v7/libbeat/metric/system/process" - "github.com/elastic/beats/v7/libbeat/paths" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/system" ) var debugf = logp.MakeDebug("system.process") 
@@ -59,11 +59,13 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } + sys := base.Module().(system.SystemModule) + enableCgroups := false if runtime.GOOS == "linux" { if config.Cgroups == nil || *config.Cgroups { enableCgroups = true - debugf("process cgroup data collection is enabled, using hostfs='%v'", paths.Paths.Hostfs) + debugf("process cgroup data collection is enabled, using hostfs='%v'", sys.GetHostFS()) } } @@ -77,7 +79,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { IncludeTop: config.IncludeTop, EnableCgroups: enableCgroups, CgroupOpts: cgroup.ReaderOptions{ - RootfsMountpoint: paths.Paths.Hostfs, + RootfsMountpoint: sys.GetHostFS(), IgnoreRootCgroups: true, }, }, @@ -85,7 +87,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { } // If hostfs is set, we may not want to force the hierarchy override, as the user could be expecting a custom path. - if len(paths.Paths.Hostfs) < 2 { + if len(sys.GetHostFS()) < 2 { override, isset := os.LookupEnv("LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE") if isset { m.stats.CgroupOpts.CgroupsHierarchyOverride = override diff --git a/metricbeat/module/system/process/process_test.go b/metricbeat/module/system/process/process_test.go index a66f3a6386c..0a585141cf4 100644 --- a/metricbeat/module/system/process/process_test.go +++ b/metricbeat/module/system/process/process_test.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || windows -// +build darwin freebsd linux windows +//go:build darwin || freebsd || linux || windows || aix +// +build darwin freebsd linux windows aix package process diff --git a/metricbeat/module/system/process_summary/process_summary.go b/metricbeat/module/system/process_summary/process_summary.go index a4f0e7b204a..1576025cee1 100644 --- a/metricbeat/module/system/process_summary/process_summary.go 
+++ b/metricbeat/module/system/process_summary/process_summary.go @@ -15,8 +15,8 @@ // specific language governing permissions and limitations // under the License. -//go:build darwin || freebsd || linux || windows -// +build darwin freebsd linux windows +//go:build darwin || freebsd || linux || windows || aix +// +build darwin freebsd linux windows aix package process_summary diff --git a/metricbeat/module/system/raid/raid.go b/metricbeat/module/system/raid/raid.go index 9ee16d9a129..9af6e87a9a3 100644 --- a/metricbeat/module/system/raid/raid.go +++ b/metricbeat/module/system/raid/raid.go @@ -24,9 +24,9 @@ import ( "github.com/prometheus/procfs" "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/libbeat/paths" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/system" "github.com/elastic/beats/v7/metricbeat/module/system/raid/blockinfo" ) @@ -54,9 +54,9 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { if err := base.Module().UnpackConfig(&config); err != nil { return nil, err } - + sys := base.Module().(system.SystemModule) if config.MountPoint == "" { - config.MountPoint = paths.Paths.Hostfs + config.MountPoint = sys.GetHostFS() } mountPoint := filepath.Join(config.MountPoint, procfs.DefaultMountPoint) diff --git a/metricbeat/module/system/system.go b/metricbeat/module/system/system.go index c24988f3a97..dd1e514c60d 100644 --- a/metricbeat/module/system/system.go +++ b/metricbeat/module/system/system.go @@ -20,6 +20,8 @@ package system import ( "sync" + "github.com/elastic/beats/v7/libbeat/common/fleetmode" + "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/paths" "github.com/elastic/beats/v7/metricbeat/mb" ) 
@@ -33,17 +35,52 @@ func init() { } } +type HostFSConfig struct { + HostFS string `config:"system.hostfs"` +} + // Module represents the system module type Module struct { mb.BaseModule + HostFS string +} + +type SystemModule interface { + GetHostFS() string } -// NewModule instatiates the system module func NewModule(base mb.BaseModule) (mb.Module, error) { + var hostfs string + + // If this is fleet, ignore the global path, as its not being set. + // This is a temporary hack + if fleetmode.Enabled() { + partialConfig := HostFSConfig{} + base.UnpackConfig(&partialConfig) + + if partialConfig.HostFS != "" { + hostfs = partialConfig.HostFS + } else { + hostfs = "/" + } + + logp.Info("In Fleet, using HostFS: %s", hostfs) + } else { + hostfs = paths.Paths.Hostfs + } once.Do(func() { - initModule(paths.Paths.Hostfs) + initModule(hostfs) }) - return &Module{BaseModule: base}, nil + // set the main Path, + if fleetmode.Enabled() && len(paths.Paths.Hostfs) < 2 { + paths.Paths.Hostfs = hostfs + } + + return &Module{BaseModule: base, HostFS: hostfs}, nil +} + +func (m Module) GetHostFS() string { + return m.HostFS } diff --git a/metricbeat/modules.d/system.yml b/metricbeat/modules.d/system.yml index 625e000bd5e..f3f929e8f58 100644 --- a/metricbeat/modules.d/system.yml +++ b/metricbeat/modules.d/system.yml @@ -20,8 +20,8 @@ process.include_top_n: by_cpu: 5 # include top 5 processes by CPU by_memory: 5 # include top 5 processes by memory - # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container - #system.hostfs: "/hostfs" +# Configure the mount point of the host’s filesystem for use in monitoring a host from within a container +#system.hostfs: "/hostfs" - module: system period: 1m diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 236087aae23..5f931ddde70 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml 
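Review bot: `base.UnpackConfig(&partialConfig)` in `NewModule` discards its error, so a malformed `system.hostfs` value is silently replaced by `/` and the following `logp.Info` line reports a path the user never configured; check it, `if err := base.UnpackConfig(&partialConfig); err != nil { return nil, err }`. `NewModule` now also writes the process-wide `paths.Paths.Hostfs` from a per-module constructor with no synchronization, and because `initModule` runs under `once.Do`, only the first module instance's `hostfs` reaches it while later instances with a different `system.hostfs` keep their own `HostFS` but inherit the first initialization; the "temporary hack" comment should spell that out, e.g. `// NOTE: the first NewModule call wins for initModule and paths.Paths.Hostfs; a later instance with a different system.hostfs only affects its own HostFS`. The exported `HostFSConfig` and `SystemModule` types lack doc comments, and the old `// NewModule instatiates the system module` comment was deleted rather than corrected to "instantiates".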
@@ -1878,11 +1878,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. packetbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Packetbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -2067,6 +2062,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/packetbeat/tests/system/packetbeat.py b/packetbeat/tests/system/packetbeat.py index 32a9366ee33..c4727d13183 100644 --- a/packetbeat/tests/system/packetbeat.py +++ b/packetbeat/tests/system/packetbeat.py @@ -33,7 +33,7 @@ def setUpClass(self): def run_packetbeat(self, pcap, cmd=None, config="packetbeat.yml", - output="packetbeat.log", + output=None, extra_args=[], debug_selectors=[], exit_code=0, @@ -44,6 +44,9 @@ def run_packetbeat(self, pcap, the caller. """ + if output is None: + output = "packetbeat-" + self.today + ".ndjson" + if cmd is None: cmd = self.beat_path + "/packetbeat.test" @@ -87,7 +90,7 @@ def run_packetbeat(self, pcap, def start_packetbeat(self, cmd=None, config="packetbeat.yml", - output="packetbeat.log", + output=None, extra_args=[], debug_selectors=[]): """ 
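Review bot: the expression `"packetbeat-" + self.today + ".ndjson"` is now built inline in `run_packetbeat` and again in `start_packetbeat` (with a third variant in `read_output` in the next hunk); a small helper such as `def _default_output(self): return "packetbeat-" + self.today + ".ndjson"` keeps the naming in one place the next time the log file name changes. The new defaults depend on `self.today`, which nothing in this file sets as far as the diff shows; a short comment on the first use, `# self.today is expected from the shared test base class -- confirm`, would help the next reader. The bodies of `run_packetbeat` and `start_packetbeat` continue outside these hunks.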
@@ -95,6 +98,9 @@ def start_packetbeat(self, caller is responsible for stopping / waiting for the Proc instance. """ + if output is None: + output = "packetbeat-" + self.today + ".ndjson" + if cmd is None: cmd = self.beat_path + "/packetbeat.test" @@ -119,9 +125,14 @@ def start_packetbeat(self, return proc def read_output(self, - output_file="output/packetbeat", + output_file=None, types=None, required_fields=None): + + if output_file is None: + output_file = "output/packetbeat-"+self.today+".ndjson" + print(output_file) + jsons = [] with open(os.path.join(self.working_dir, output_file), "r", encoding='utf_8') as f: for line in f: diff --git a/packetbeat/tests/system/test_0002_thrift_basics.py b/packetbeat/tests/system/test_0002_thrift_basics.py index 6e0154a437c..a1a66742bdc 100644 --- a/packetbeat/tests/system/test_0002_thrift_basics.py +++ b/packetbeat/tests/system/test_0002_thrift_basics.py @@ -208,7 +208,7 @@ def test_thrift_send_request_response(self): self.run_packetbeat(pcap="thrift_integration.pcap", debug_selectors=["thrift"]) - objs = self.read_output() + objs = self.read_output(output_file="output/packetbeat-" + self.today + "-1.ndjson") assert all(["request" not in o for o in objs]) assert all(["response" not in o for o in objs]) diff --git a/packetbeat/tests/system/test_0006_wsgi.py b/packetbeat/tests/system/test_0006_wsgi.py index 6f905942449..02e52b885a3 100644 --- a/packetbeat/tests/system/test_0006_wsgi.py +++ b/packetbeat/tests/system/test_0006_wsgi.py @@ -100,7 +100,7 @@ def test_send_headers_options(self): ) self.run_packetbeat(pcap="wsgi_loopback.pcap") - objs = self.read_output() + objs = self.read_output(output_file="output/packetbeat-" + self.today + "-1.ndjson") assert len(objs) == 1 o = objs[0] 
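Review bot: `print(output_file)` in `read_output` looks like a leftover debug statement and will clutter every test's stdout; drop it. The default in that branch is also spelled differently from the two sites above it (`"output/packetbeat-"+self.today+".ndjson"` versus `"packetbeat-" + self.today + ".ndjson"`); `"output/packetbeat-" + self.today + ".ndjson"` keeps the three consistent and PEP 8 clean. The tests in test_0002 and test_0006 now pass explicit `-1.ndjson`/`-2.ndjson` names, which suggests rotation numbering that the bare default does not cover; a comment on the default, `# unrotated file; rotated outputs carry a -N counter before the extension -- confirm`, would make the relationship explicit.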
@@ -119,7 +119,7 @@ def test_send_headers_options(self): ) self.run_packetbeat(pcap="wsgi_loopback.pcap") - objs = self.read_output() + objs = self.read_output(output_file="output/packetbeat-" + self.today + "-2.ndjson") assert len(objs) == 1 o = objs[0] diff --git a/testing/environments/docker/kafka/Dockerfile b/testing/environments/docker/kafka/Dockerfile index ff38db49e39..1a5e58836bc 100644 --- a/testing/environments/docker/kafka/Dockerfile +++ b/testing/environments/docker/kafka/Dockerfile @@ -18,8 +18,11 @@ RUN mkdir -p ${KAFKA_LOGS_DIR} && mkdir -p ${KAFKA_HOME} && \ ADD run.sh /run.sh ADD healthcheck.sh /healthcheck.sh +ADD certs/broker.keystore.jks /broker.keystore.jks +ADD certs/client.truststore.jks /broker.truststore.jks EXPOSE 9092 +EXPOSE 9093 EXPOSE 2181 # healthcheck.sh tries to create and delete an empty kafka topic (the topic diff --git a/testing/environments/docker/kafka/README.md b/testing/environments/docker/kafka/README.md new file mode 100644 index 00000000000..6a7306e2423 --- /dev/null +++ b/testing/environments/docker/kafka/README.md 
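Review bot: `ADD certs/client.truststore.jks /broker.truststore.jks` copies the client truststore under a broker name, which reads as a mistake even if both stores hold the same CA; either name the destination after the source or explain the reuse, `# broker and client share one CA, so the client truststore doubles as the broker truststore`. Both new lines use `ADD` for plain local files where `COPY` is the conventional choice, since `ADD` additionally unpacks archives and fetches URLs, behaviour nobody wants for a keystore. The keystore now committed under `certs/` carries the broker's private key with a password documented in the README; that is fine for a throwaway test broker, but a comment marking it as test-only material, `# test-only key material; never reuse outside this container`, states the intent for anyone who later copies the pattern.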
@@ -0,0 +1,35 @@ +# Kafka test container + +This Docker container provides an environment for testing with Kafka. It exposes two ports to the host system, `9092` for `PLAINTEXT` and `9093` for `SASL/SSL` with username `beats` and password `KafkaTest`. + +## Certificates + +The test environment uses a self-signed SSL certificate in the broker. To connect, clients will need to set `certs/client.truststore.jks` as their trust store. + +The files in the `certs` directory were generated with these commands: + +```sh +# create the broker's key +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -validity 5000 -keyalg RSA -genkey + +What is your first and last name? + [Unknown]: kafka + ... + +# create a new certificate authority +openssl req -new -x509 -keyout ca-key -out ca-cert -days 5000 + +# add the CA to the kafka client's trust store +keytool -keystore client.truststore.jks -storepass KafkaTest -alias CARoot -keyalg RSA -import -file ca-cert + +# export the server certificate +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -certreq -file broker-cert + +# sign it with the CA +openssl x509 -req -CA ca-cert -CAkey ca-key -in broker-cert -out broker-cert-signed -days 5000 -CAcreateserial -passin pass:KafkaTest + +# import CA and signed cert back into server keystore +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias CARoot -import -file ca-cert +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -import -file broker-cert-signed + +``` diff --git a/testing/environments/docker/kafka/certs/broker-cert b/testing/environments/docker/kafka/certs/broker-cert new file mode 100644 index 00000000000..3a7d9e2498a --- /dev/null +++ b/testing/environments/docker/kafka/certs/broker-cert 
@@ -0,0 +1,18 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIC3zCCAccCAQAwajEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93
+bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH
+VW5rbm93bjEOMAwGA1UEAxMFa2Fma2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCH8VYN9FMHXjnLUwT0AJDKM0u/jXE0ng1UfWPVQaVI+Eny+vmf1zDm
+d/AoqXaYKzVNvyRXCy1BZGaLVA3go1U7+tVjtniuLTmveE07PuX4w9/ukZPKlUxf
+KCjYCmh38BeYiJA2inaxScDO2hxHfB2pulsM+l9+q0NMXFe6RSUAKS0pAeY8KLz9
+yWg9hfq6JPuPT14HZmyxLn+1SwRbZZ+TQjlAHfZFpu/igg6cif/ez30z5Gqci+2i
+VPlwl9peEsaXn5wbuP6J2Uo6dMoGiFyxFdGCWVWP9WDncvfYKJwQs09QdbFLxAst
+BYSmOTszUP+h0SohaxpdC4AOcJxs+MwhAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAf
+MB0GA1UdDgQWBBRFzbnwQXp+h4xE233eH3D+KfozxTANBgkqhkiG9w0BAQsFAAOC
+AQEAQti4SPU8KfSoeLbLUic7UciVmwO0TZtiG+Y6fCTdRm7SYovg2zXH576ERClf
+JQCzUuMH1Fi6k5adhMUxopJrVirZWOANoffe3yY/PUuFPMv5rvjmG7JqRNloNFYC
+4Jah/XeITkw3BcwYxvY3lOZeXgBoRI+PwaD4JNHYf9ruc8cxY59lbWGCQOdbWYuk
+ex/Y/rdmiv1cZpVAYY3VkdUnISXf4eePz4+hUdyuNGYt8Rh/dCj0D/1Xdo9jguUw
+IWihuXNfH5hBzBp2hX49tCa7j8stOQW6+AS+ysUBRseFNnsu9j95PD+ue9GU5ZLR
+mQzlkeZcfimH796e6XF81oCDkA==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/testing/environments/docker/kafka/certs/broker-cert-signed b/testing/environments/docker/kafka/certs/broker-cert-signed
new file mode 100644
index 00000000000..b023f3c146d
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/broker-cert-signed
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdsCCQC1GCJdAf28SzANBgkqhkiG9w0BAQUFADANMQswCQYDVQQGEwJV
+UzAeFw0yMTEwMjEyMDM0MTBaFw0zNTA2MzAyMDM0MTBaMGoxEDAOBgNVBAYTB1Vu
+a25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNV
+BAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDjAMBgNVBAMTBWthZmthMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh/FWDfRTB145y1ME9ACQyjNL
+v41xNJ4NVH1j1UGlSPhJ8vr5n9cw5nfwKKl2mCs1Tb8kVwstQWRmi1QN4KNVO/rV
+Y7Z4ri05r3hNOz7l+MPf7pGTypVMXygo2Apod/AXmIiQNop2sUnAztocR3wdqbpb
+DPpffqtDTFxXukUlACktKQHmPCi8/cloPYX6uiT7j09eB2ZssS5/tUsEW2Wfk0I5
+QB32Rabv4oIOnIn/3s99M+RqnIvtolT5cJfaXhLGl5+cG7j+idlKOnTKBohcsRXR
+gllVj/Vg53L32CicELNPUHWxS8QLLQWEpjk7M1D/odEqIWsaXQuADnCcbPjMIQID
+AQABMA0GCSqGSIb3DQEBBQUAA4IBAQCMGbXC2YdC9+jJjUvuEJIQGwpapJ5Dejng
+cnvE//+x8A4W9vC7OJUHcML2GGQIrgvYWlmsCEWX1lJtcVIbqkTqq9Sq99htdMfM
+ay4fJB/ey005bhcbEP+19342HkmoOUkEg7qGWZhhL05y0m1vxKvKSUX3p+4TyW1Y
+AheRbb9j41Ld3E8+COGwqIWpMNfsGjLqWjUIajemFH91Eo2FFvshM/5ly12GZEil
+ivmUqSzV7o6ri0V7DZ5NPOSXEbiMQj5FfmImqXbo7JtBqM/H9S2yAPXZBfAloVNv
+XvjG0dY8cnYwGL5MSRiZEuJdimptWnMzFXbD8zyRxSIUMpbDcHNf
+-----END CERTIFICATE-----
diff --git a/testing/environments/docker/kafka/certs/broker.keystore.jks b/testing/environments/docker/kafka/certs/broker.keystore.jks
new file mode 100644
index 00000000000..aa03364e3ac
Binary files /dev/null and b/testing/environments/docker/kafka/certs/broker.keystore.jks differ
diff --git a/testing/environments/docker/kafka/certs/ca-cert b/testing/environments/docker/kafka/certs/ca-cert
new file mode 100644
index 00000000000..725647f9d8b
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/ca-cert
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICljCCAX4CCQD+dvzut8IfyTANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJV
+UzAeFw0yMTEwMjEyMDMyMDJaFw0zNTA2MzAyMDMyMDJaMA0xCzAJBgNVBAYTAlVT
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlR6sKchCTM0qdrjAdWqR
+BmSLfHHe+LB43B0T/+3Y1fporzg2eZC1dPCf7TXLzL92NOlJ+JQCsfb160gKTGfb
+7+z2jm+vumbYlKVffsD7MjNdW8SDu9hfMa2DyTY742n3R/X8pc4VK0fdlTQx22Zp
+aIA+XwD6hHxZQS9PHVNwTFUoPkP4jevcFANwjLUBgy3dPK0iWdVILnaAwEBg82z3
+zWRJ7I4Eg6KS+GtwZPovhiHqcJpz7QPrmggCglL8q0YZQrVrYNucRV1sjPAhEfTA
+Sh7Z0UVYdx5+jJq7MyslBqzEM0OrmKrldrTHOAo9+cTc1GiKGRBhVei2R2fP2XAC
+HQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA37KiWMR6SZRmlLKV7hP9/9H1cL1FJ
+OPa5MKcwh8Q38IRALCF5SlxxOByP8O01ZInkWjR3jJbMc/k4RwxQXfzYDvB4jleU
+MyX63qekIsxFdUn+fzt+wA0xb7tOPGVUbM6QI++YH28p8yzSdY/bXrjRweQuVRC0
+B+0zMijI1uU6GRME9+e1OLsN5rDzCFEJUra/+UDc23BTOjC6Az00UKpOGv6oAqg8
+iuCOeVCRVPtd7mGJK1dGW3WXV3pbsu4EvfXve9qFFV/7d811JNBjnhF5lFN2JGVs
+Ka9JebJ8EKWff6Ns14FJ2cOG3tx7KuWcnfTdma/mH4PeGoU1Og5Ln/ea
+-----END CERTIFICATE-----
diff --git a/testing/environments/docker/kafka/certs/ca-cert.srl b/testing/environments/docker/kafka/certs/ca-cert.srl
new file mode 100644
index 00000000000..3336d99a9a3
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/ca-cert.srl
@@ -0,0 +1 @@
+B518225D01FDBC4B
diff --git a/testing/environments/docker/kafka/certs/ca-key b/testing/environments/docker/kafka/certs/ca-key
new file mode 100644
index 00000000000..63ab92b23aa
--- /dev/null
+++ b/testing/environments/docker/kafka/certs/ca-key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIPiUp46K/yl8CAggA
+MB0GCWCGSAFlAwQBKgQQ3vI4jI41do9rQtAyc+JwfwSCBNDDDv3uSHZ/12ACMLyu
+vhrz3en62CT4ooeZKjpep4H/s+2pfqfg5bDeQUguNUo2zsy0EKeK2rIBVUG6KWIa
+DWvnl0JaM/TrtGg1pMZMIFPowaf1mNcVcvN5IWEgLgoT+SY8lLtmVqIdU1d2F6nV
+t+7JEpktXA5ThS0FbBpW0XI+kG9W7Ln9YPjGLbjcPayJQX1yzWJYEUfmm8lJl7cT
+h5V94sB2KP9pwAP/SqElt2QK1BhStUVv3ezp6TT82PETi3No0Uh+oWaxltjPCr4z
+5MN/tTDJQGc3llDIrZT+umZcgB6DBsc+nXjrlAHWPeuhIcjNJGs3V0xazQs60M6n
+ldhcJH453Muwtp40VDkT21plVPwUrwQX/6gIWIHnyvK44sRG4NvmG+4NBA8V4TdK
+AKhkhYTYS+sAUDsAFo408OXvpdGy7G2/cZn+r2frLHLxUU2peqRFP7YqLVs2sdez
+sFyt6ZMSAh8UZDYK9kpyQMoeYj7Az14kMKIlE0JADsd3Mn8S/QJrrKWQzQhQVz6O
+0rpaGnIM3cICgTK7gTlK+lDIbqAmCYnFLQsU9rHIpzVMkx2iYEId+YNbxodHpFPa
+MCz6HU8qI9Tv9JIOfJKdE7tvlSnR89usOU/z+NSGqKm1dhYjG1BNI7wk8/mgMxOg
+9BAujodmGvFpMPba84+QT/AtTy9YMMi4Z0H7BKHGD7HwSOTx7kP9hMz/sVVnKxfO
+8C9gE91D4enrpQXu7J5JU07LCWSNLiZEegbdKvjBz5Cvfj5LPhazTLYuuU0KNIP9
+MjrgodrSp1LgESAA7z8qKUyhX2Z6uO0q1Q5OUFgGNEWXSYLplhWrvftPqdV0YAFI
+4y794sojVBBnHYo+Lm5gugm4cg6bLk/YY3ScQqPYEUwO1LZSMUoB9ixLHUYY48ND
+xbevM9V8vLgb6Q46zTCYPxwYfxNlcWxeQjwbVEaha5n2Sgu0dmrG/+LjrEwYtHY7
+zPdTbl28OyvXDqvilXcDQS8ZQBwqkZ00pg9fokElztgVIMp4cbtBTCiqipfNBGJg
+ALEu/lFNlGjvv4iwOdx/yhVjFt2Ri3ViTEoTJ3wAh3o4wh/o8wluNb3bMgfKzw61
+/WptUvLnqKIGQ0xZtunxG9WHIpc8oTRZMMUgLnoVzJvdU9cONT5GER9WuQbwXmEE
+ytIx9tVq4cb3CoJhynrL9cjGp716nBkx534gyu5N21elb8npk1XAHd6AHUViun0J
+TnVHPwSSLN7naaiMKS+8KaknAdjvKCIUytLSRpRb4rkoqD/7MlYlMTAPF5IX6/Xj
+fVfR8HKWtkvqhAM4lQ57zwGlpXifGM5Vi/Dq8JYcTOIHIzggbhfi+WVwWJ+SJVp3
+FQBSvyJ0XFV8piuP6J1PB6zXLioRiUMDbrl0Hmwo4spLswRsZ6D/6QuNUeNN2Lh1
+ZqtkAHWnIll1nviSEWPxiu0lA9ZwfPP1t+H0UkVi8JBUCrTh0gyr2e/CGZAd1GoP
+/LnvaRntmqytavI65NlPPlvF9S7enjeEkxvtqhAIuU9nTMORnmpXX+xStfm/AtQp
+2UNklwWW6bwPhMF9w+FnuJoK7mrQ5DphsZNcTly1RQ0uQkT6yrzWK5MNmLRiNOez
+OmM968GQKexUL9r0BmFi7T00rQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/environments/docker/kafka/certs/client.truststore.jks b/testing/environments/docker/kafka/certs/client.truststore.jks
new file mode 100644
index 00000000000..7b18b3f645e
Binary files /dev/null and b/testing/environments/docker/kafka/certs/client.truststore.jks differ
diff --git a/testing/environments/docker/kafka/run.sh b/testing/environments/docker/kafka/run.sh
index 873f6951acc..bfacf2a7242 100755
--- a/testing/environments/docker/kafka/run.sh
+++ b/testing/environments/docker/kafka/run.sh
@@ -16,13 +16,31 @@ echo "Starting ZooKeeper" ${KAFKA_HOME}/bin/zookeeper-server-start.sh ${KAFKA_HOME}/config/zookeeper.properties & wait_for_port 2181 +# create a user beats with password KafkaTest, for use in client SASL authentication +/kafka/bin/kafka-configs.sh \ + --zookeeper localhost:2181 \ + --alter --add-config 'SCRAM-SHA-512=[password=KafkaTest]' \ + --entity-type users \ + --entity-name beats + echo "Starting Kafka broker" mkdir -p ${KAFKA_LOGS_DIR} ${KAFKA_HOME}/bin/kafka-server-start.sh ${KAFKA_HOME}/config/server.properties \ - --override delete.topic.enable=true --override advertised.host.name=${KAFKA_ADVERTISED_HOST} \ - --override listeners=PLAINTEXT://0.0.0.0:9092 \ - --override logs.dir=${KAFKA_LOGS_DIR} --override log.flush.interval.ms=200 \ - --override num.partitions=3 & + --override delete.topic.enable=true \ + --override advertised.host.name=${KAFKA_ADVERTISED_HOST} \ + --override listeners=PLAINTEXT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093 \ + --override advertised.listeners=PLAINTEXT://${KAFKA_ADVERTISED_HOST}:9092,SASL_SSL://${KAFKA_ADVERTISED_HOST}:9093 \ + --override inter.broker.listener.name=PLAINTEXT \ + --override sasl.enabled.mechanisms=SCRAM-SHA-512 \ + --override listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config="org.apache.kafka.common.security.scram.ScramLoginModule required;" \ + --override logs.dir=${KAFKA_LOGS_DIR} \ + --override log4j.logger.kafka=DEBUG,kafkaAppender \ + --override log.flush.interval.ms=200 \ + --override num.partitions=3 \ + --override ssl.keystore.location=/broker.keystore.jks \ + --override ssl.keystore.password=KafkaTest \ + --override ssl.truststore.location=/broker.truststore.jks \ + --override ssl.truststore.password=KafkaTest & wait_for_port 9092 diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py index 306f6cf38ef..aefab4344ba 100644 --- a/winlogbeat/tests/system/test_config.py +++ b/winlogbeat/tests/system/test_config.py 
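Review bot: `wait_for_port 9092` still waits only for the PLAINTEXT listener, while the new `SASL_SSL://0.0.0.0:9093` listener is the one a TLS/SCRAM test will connect to; add `wait_for_port 9093` after it so a test cannot race the TLS listener coming up. The SCRAM user is created through a hard-coded `/kafka/bin/kafka-configs.sh` path whereas every other invocation in the script goes through `${KAFKA_HOME}`; `${KAFKA_HOME}/bin/kafka-configs.sh \` keeps the script working if the install path ever changes. Passing `ssl.keystore.password=KafkaTest` and `ssl.truststore.password=KafkaTest` on the command line exposes them to anything that can read the broker's argv, which is acceptable for a throwaway test broker but deserves a comment such as `# test-only credentials; keystore, truststore and SCRAM password are documented in README.md`. The `log4j.logger.kafka=DEBUG,kafkaAppender` override appears intended to switch the whole broker to debug logging, which is likely to be noisy in CI; if it was added while diagnosing the new listener it is probably worth dropping or explaining.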
@@ -82,7 +82,7 @@ def run_config_tst(self, pcap=None, exit_code=0): args.extend(["test", "config"]) - output = "winlogbeat.log" + output = "winlogbeat-" + self.today + ".ndjson" with open(os.path.join(self.working_dir, output), "wb") as outfile: proc = subprocess.Popen(args, diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py index 347b8585d05..9bbf5a7ded4 100644 --- a/winlogbeat/tests/system/test_wineventlog.py +++ b/winlogbeat/tests/system/test_wineventlog.py @@ -52,7 +52,7 @@ def test_resume_reading_events(self): # remove the output file, otherwise there is a race condition # in read_events() below where it reads the results of the previous # execution - os.unlink(os.path.join(self.working_dir, "output", self.beat_name)) + os.unlink(os.path.join(self.working_dir, "output", self.beat_name + "-" + self.today + ".ndjson")) msg = "Second event" self.write_event_log(msg) diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index f552d889c81..4cca1af761e 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -1306,11 +1306,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. winlogbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Winlogbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
@@ -1495,6 +1490,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index f3d976b2edf..f52cc6feab1 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -1439,11 +1439,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. auditbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Auditbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -1628,6 +1623,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/x-pack/auditbeat/tracing/decoder.go b/x-pack/auditbeat/tracing/decoder.go index 88797351e1e..f087a4f5225 100644 --- a/x-pack/auditbeat/tracing/decoder.go +++ b/x-pack/auditbeat/tracing/decoder.go 
@@ -320,9 +320,8 @@ func (d *structDecoder) Decode(raw []byte, meta Metadata) (s interface{}, err er } switch dec.typ { case FieldTypeInteger: - if err := copyInt( - unsafe.Pointer(uintptr(destPtr)+dec.dst), - unsafe.Pointer(&raw[dec.src]), uint8(dec.len)); err != nil { + err := copyInt(unsafe.Add(destPtr, dec.dst), unsafe.Pointer(&raw[dec.src]), uint8(dec.len)) + if err != nil { return nil, fmt.Errorf("bad size=%d for integer field=%s", dec.len, dec.name) } @@ -335,13 +334,13 @@ func (d *structDecoder) Decode(raw []byte, meta Metadata) (s interface{}, err er if len > 0 && raw[offset+len-1] == 0 { len-- } - *((*string)(unsafe.Pointer(uintptr(destPtr) + dec.dst))) = string(raw[offset : offset+len]) + *(*string)(unsafe.Add(destPtr, dec.dst)) = string(raw[offset : offset+len]) case FieldTypeMeta: - *(*Metadata)(unsafe.Pointer(uintptr(destPtr) + dec.dst)) = meta + *(*Metadata)(unsafe.Add(destPtr, dec.dst)) = meta case FieldTypeRaw: - copy((*(*[maxRawCopySize]byte)(unsafe.Pointer(uintptr(destPtr) + dec.dst)))[:dec.len], raw[dec.src:dec.src+dec.len]) + copy(unsafe.Slice((*byte)(unsafe.Add(destPtr, dec.dst)), dec.len), raw[dec.src:]) } } diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go index dedec28762a..19cd40cda91 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go +++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go 
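Review bot: `copy(unsafe.Slice((*byte)(unsafe.Add(destPtr, dec.dst)), dec.len), raw[dec.src:])` changes behaviour for short input: the old `raw[dec.src:dec.src+dec.len]` panicked when `raw` held fewer than `dec.len` bytes past `dec.src`, whereas `copy` now silently copies fewer bytes and leaves the remaining bytes of the destination field untouched; if that is intended, say so, `// copy stops at len(raw); a short record leaves the field's tail unwritten`, otherwise keep the bounded slice. The old form also capped the destination at `maxRawCopySize`, while the new one trusts `dec.len` entirely, so it is worth confirming that the field builder still validates `dec.len` against that limit. `unsafe.Add` and `unsafe.Slice` require Go 1.17, so the `go` directive in go.mod should already reflect that; `Decode` begins and ends outside this hunk.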
@@ -234,10 +234,8 @@ func (o *Operator) getMonitoringFilebeatConfig(outputType string, output interfa }, }, "paths": []string{ - filepath.Join(paths.Home(), "logs", "elastic-agent-json.log"), - filepath.Join(paths.Home(), "logs", "elastic-agent-json.log*"), - filepath.Join(paths.Home(), "logs", "elastic-agent-watcher-json.log"), - filepath.Join(paths.Home(), "logs", "elastic-agent-watcher-json.log*"), + filepath.Join(paths.Home(), "logs", "elastic-agent-*.ndjson"), + filepath.Join(paths.Home(), "logs", "elastic-agent-watcher-*.ndjson"), }, "index": fmt.Sprintf("logs-elastic_agent-%s", monitoringNamespace), "processors": []map[string]interface{}{ diff --git a/x-pack/elastic-agent/pkg/core/logger/logger.go b/x-pack/elastic-agent/pkg/core/logger/logger.go index 77cc4260acc..a63bc94f9de 100644 --- a/x-pack/elastic-agent/pkg/core/logger/logger.go +++ b/x-pack/elastic-agent/pkg/core/logger/logger.go @@ -103,7 +103,6 @@ func DefaultLoggingConfig() *Config { cfg.ToFiles = true cfg.Files.Path = paths.Logs() cfg.Files.Name = agentName - cfg.Files.Suffix = file.SuffixDate return &cfg } @@ -115,7 +114,7 @@ func makeInternalFileOutput(cfg *Config) (zapcore.Core, error) { // defaultCfg is used to set the defaults for the file rotation of the internal logging // these settings cannot be changed by a user configuration defaultCfg := logp.DefaultConfig(logp.DefaultEnvironment) - filename := filepath.Join(paths.Home(), "logs", fmt.Sprintf("%s-json.log", cfg.Beat)) + filename := filepath.Join(paths.Home(), "logs", cfg.Beat) rotator, err := file.NewFileRotator(filename, file.MaxSizeBytes(defaultCfg.Files.MaxSize), @@ -124,7 +123,6 @@ func makeInternalFileOutput(cfg *Config) (zapcore.Core, error) { file.Interval(defaultCfg.Files.Interval), file.RotateOnStartup(defaultCfg.Files.RotateOnStartup), file.RedirectStderr(defaultCfg.Files.RedirectStderr), - file.Suffix(cfg.Files.Suffix), ) if err != nil { return nil, errors.New("failed to create internal file rotator") 
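Review bot: the new glob `elastic-agent-*.ndjson` already matches every file that the second entry `elastic-agent-watcher-*.ndjson` matches, so the watcher pattern is redundant and, if the filebeat input does not deduplicate across patterns, the watcher logs would be harvested twice; either drop the second entry or narrow the first so the two do not overlap. `getMonitoringFilebeatConfig` starts and ends outside the hunk. In the `makeInternalFileOutput` hunk further down, `filename := filepath.Join(paths.Home(), "logs", cfg.Beat)` now relies on the rotator to add the extension, which is not visible here; a one-line comment, `// no extension: the file rotator is expected to append the date and .ndjson suffix -- confirm`, would save the next reader from looking for the missing `.log`.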
diff --git a/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go b/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go index f96f5ecf916..e00860ec1f1 100644 --- a/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go +++ b/x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go @@ -131,7 +131,7 @@ func (b *Monitor) EnrichArgs(spec program.Spec, pipelineID string, args []string if isSidecar { logFile += "_monitor" } - logFile = fmt.Sprintf("%s-json.log", logFile) + logFile = fmt.Sprintf("%s", logFile) appendix = append(appendix, "-E", "logging.files.path="+loggingPath, "-E", "logging.files.name="+logFile, diff --git a/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go b/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go index 240ce5adbb2..d56aee0ef2b 100644 --- a/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go +++ b/x-pack/elastic-agent/pkg/core/monitoring/beats/monitoring.go @@ -16,9 +16,9 @@ import ( const ( // args: data path, pipeline name, application name - logFileFormat = "%s/logs/%s/%s-json.log" + logFileFormat = "%s/logs/%s/%s" // args: data path, install path, pipeline name, application name - logFileFormatWin = "%s\\logs\\%s\\%s-json.log" + logFileFormatWin = "%s\\logs\\%s\\%s" // args: pipeline name, application name mbEndpointFileFormatWin = `npipe:///%s-%s` diff --git a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc index 5a4a6dc8b3d..ec7a16cd67b 100644 --- a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc 
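Review bot: `logFile = fmt.Sprintf("%s", logFile)` in `EnrichArgs` is a no-op, since formatting a string with `%s` yields the same string, and staticcheck flags exactly this pattern; delete the line rather than keep a vestigial assignment. If the intention was to leave a marker where the extension used to be appended, a comment is clearer: `// no extension here; the rotator is expected to add the date suffix and .ndjson -- confirm`. `EnrichArgs` starts and ends outside this hunk.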
@@ -17,7 +17,7 @@ The use of SQS notification is preferred: polling list of S3 objects is expensiv in terms of performance and costs and should be preferably used only when no SQS notification can be attached to the S3 buckets. This input can, for example, be used to receive S3 access logs to monitor detailed records for the requests that -are made to a bucket. +are made to a bucket. This input also supports S3 notification from SNS to SQS. SQS notification method is enabled setting `queue_url` configuration value. S3 bucket list polling method is enabled setting `bucket_arn` configuration value. 
@@ -282,6 +282,90 @@ attribute. The default value is 5. If you have configured a dead letter queue then you can set this value to `-1` to disable deletion on failure. +[float] +==== `sqs.notification_parsing_script.source` + +Inline Javascript source code. + +[source,yaml] +---- +sqs.notification_parsing_script.source: > + function parse(notification) { + var evts = []; + var evt = new S3EventV2(); + evt.SetS3BucketName(notification.bucket); + evt.SetS3ObjectKey(notification.path); + evts.push(evt); + return evts; + } +---- + +[float] +==== `sqs.notification_parsing_script.file` + +Path to a script file to load. Relative paths are interpreted as +relative to the `path.config` directory. Globs are expanded. + +This loads `filter.js` from disk. + +[source,yaml] +---- +sqs.notification_parsing_script.file: ${path.config}/filter.js +---- + +[float] +==== `sqs.notification_parsing_script.files` + +List of script files to load. The scripts are concatenated together. +Relative paths are interpreted as relative to the `path.config` directory. +And globs are expanded. + +[float] +==== `sqs.notification_parsing_script.params` + +A dictionary of parameters that are passed to the `register` of the +script. + +Parameters can be passed to the script by adding `params` to the config. +This allows for a script to be made reusable. When using `params` the +code must define a `register(params)` function to receive the parameters. + +[source,yaml] +---- +sqs.notification_parsing_script: + params: + provider: aws:s3 + source: > + var params = {provider: ""}; + function register(scriptParams) { + params = scriptParams; + } + function parse(notification) { + var evts = []; + var evt = new S3EventV2(); + evt.SetS3BucketName(notification.bucket); + evt.SetS3ObjectKey(notification.path); + evt.SetProvider(params.provider); + evts.push(evt); + return evts; + } +---- + +[float] +==== `sqs.notification_parsing_script.timeout` + +This sets an execution timeout for the `process` function. 
When +the `process` function takes longer than the `timeout` period the function +is interrupted. You can set this option to prevent a script from running for +too long (like preventing an infinite `while` loop). By default there is no +timeout. + +[float] +==== `sqs.notification_parsing_script.max_cached_sessions` + +This sets the maximum number of Javascript VM sessions +that will be cached to avoid reallocation. + [float] ==== `sqs.wait_time` @@ -386,6 +470,14 @@ create a notification through SQS. Please see https://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html#step1-create-sqs-queue-for-notification[create-sqs-queue-for-notification] for more details. +[float] +=== S3 -> SNS -> SQS setup +If you would like to use the bucket notification in multiple different consumers +(others than {beatname_lc}), you should use an SNS topic for the bucket notification. +Please see https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html#step1-create-sns-topic-for-notification[create-SNS-topic-for-notification] +for more details. SQS queue will be configured as a +https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html[subscriber to the SNS topic]. + [float] === Parallel Processing 
@@ -418,6 +510,177 @@ Therefore, when using the polling list of S3 bucket objects method, scaling shou vertical, with a single bigger {beatname_uc} instance and higher `number_of_workers` config value. +[float] +=== SQS Custom Notification Parsing Script + +Under some circumstances you might want to listen to events that are not following +the standard SQS notifications format. To be able to parse them, it is possible to +define a custom script that will take care of processing them and generating the +required list of S3 Events used to download the files. + +The `sqs.notification_parsing_script` executes Javascript code to process an event. +It uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. + +It can be configured by embedding Javascript in your configuration file or by pointing +the processor at external file(s). Only one of the options `sqs.notification_parsing_script.source`, `sqs.notification_parsing_script.file`, and `sqs.notification_parsing_script.files` +can be set at the same time. + +The script requires a `parse(notification)` function that receives the notification as +a raw string and returns a list of `S3EventV2` objects. This raw string can then be +processed as needed, e.g.: `JSON.parse(n)` or the provided helper for XML `new XMLDecoder(n)`. + +If the script defines a `test()` function it will be invoked when it is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script. 
+ +[source,javascript] +---- +function parse(n) { + var m = JSON.parse(n); + var evts = []; + var files = m.files; + var bucket = m.bucket; + + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + + return evts; +} + +function test() { + var events = parse({bucket: "aBucket", files: [{path: "path/to/file"}]}); + if (events.length !== 1) { + throw "expecting one event"; + } + if (events[0].S3.Bucket.Name === "aBucket") { + throw "expected bucket === aBucket"; + } + if (events[0].S3.Object.Key === "path/to/file") { + throw "expected bucket === path/to/file"; + } +} +---- + +[float] +==== S3EventV2 API + +The `S3EventV2` object returned by the `parse` method. + +[frame="topbot",options="header"] +|=== +|Method |Description + +|`new S3EventV2()` +|Returns a new `S3EventV2` object. + +*Example*: `var evt = new S3EventV2();` + +|`SetAWSRegion(string)` +|Sets the AWS region. + +*Example*: `evt.SetAWSRegion("us-east-1");` + +|`SetProvider(string)` +|Sets the provider. + +*Example*: `evt.SetProvider("provider");` + +|`SetEventName(string)` +|Sets the event name. + +*Example*: `evt.SetEventName("event-type");` + +|`SetEventSource(string)` +|Sets the event surce. + +*Example*: `evt.SetEventSource("aws:s3");` + +|`SetS3BucketName(string)` +|Sets the bucket name. + +*Example*: `evt.SetS3BucketName("bucket-name");` + +|`SetS3BucketARN(string)` +|Sets the bucket ARN. + +*Example*: `evt.SetS3BucketARN("bucket-ARN");` + +|`SetS3ObjectKey(string)` +|Sets the object key. + +*Example*: `evt.SetS3ObjectKey("path/to/object");` + +|=== + +In order to be able to retrieve an S3 object successfully, at least `S3.Object.Key` +and `S3.Bucket.Name` properties must be set (using the provided setters). The other +properties will be used as metadata in the resulting event when available. 
+ +[float] +==== XMLDecoder API + +To help with XML decoding, an `XMLDecoder` class is provided. + +Example XML input: + +[source,xml] +------------------------------------------------------------------------------- + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + +------------------------------------------------------------------------------- + +Will produce the following output: + +[source,json] +------------------------------------------------------------------------------- +{ + "catalog": { + "book": { + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "seq": "1", + "title": "The Recognitions" + } + } +} +------------------------------------------------------------------------------- + +[frame="topbot",options="header"] +|=== +|Method |Description + +|`new XMLDecoder(string)` +|Returns a new `XMLDecoder` object to decode the provided `string`. + +*Example*: `var dec = new XMLDecoder(n);` + +|`PrependHyphenToAttr()` +|Causes the Decoder to prepend a hyphen (`-`) to to all XML attribute names. + +*Example*: `dec.PrependHyphenToAttr();` + +|`LowercaseKeys()` +|Causes the Decoder to transform all key name to lowercase. + +*Example*: `dec.LowercaseKeys();` + +|`Decode()` +|Reads the XML string and return a map containing the data. + +*Example*: `var m = dec.Decode();` + +|=== [float] === Metrics diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 79a75defc26..e96b8e7f97d 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -2489,7 +2489,8 @@ filebeat.inputs: #max_bytes: 10485760 # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, - # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator, + # null_terminator #line_terminator: auto ### Recursive glob configuration @@ -2743,7 +2744,8 @@ filebeat.inputs: #message_max_bytes: 10485760 # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, - # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. + # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator, + # null_terminator #line_terminator: auto # The ingest pipeline ID associated with this input. If this is set, it @@ -4448,11 +4450,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. filebeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -4637,6 +4634,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. 
diff --git a/x-pack/filebeat/input/awss3/_meta/terraform/README.md b/x-pack/filebeat/input/awss3/_meta/terraform/README.md index 7ab27781704..d5614b99a92 100644 --- a/x-pack/filebeat/input/awss3/_meta/terraform/README.md +++ b/x-pack/filebeat/input/awss3/_meta/terraform/README.md @@ -1,9 +1,9 @@ # Terraform setup for AWS S3 Input Integration Tests -This directory contains a Terrafrom module that creates the AWS resources needed +This directory contains a Terraform module that creates the AWS resources needed for executing the integration tests for the `aws-s3` Filebeat input. It creates an S3 bucket and SQS queue and configures S3 `ObjectCreated:*` notifications to -be delivered to SQS. +be delivered to SQS. It also creates a second S3 bucket, SNS topic, SQS queue and configures S3 `ObjectCreated:*` notifications to be delivered to SNS and also creates a subscription for this SNS topic to SQS queue to automatically place messages sent to SNS topic in SQS queue. It outputs configuration information that is consumed by the tests to `outputs.yml`. The AWS resources are randomly named to prevent name collisions @@ -33,7 +33,7 @@ to match the AWS region of the profile you are using. 4. Execute the integration test. ``` - cd x-pack/filebeat/inputs/awss3 + cd x-pack/filebeat/input/awss3 go test -tags aws,integration -run TestInputRun.+ -v . ``` diff --git a/x-pack/filebeat/input/awss3/_meta/terraform/main.tf b/x-pack/filebeat/input/awss3/_meta/terraform/main.tf index 1b22b8bbfdb..62e86abc787 100644 --- a/x-pack/filebeat/input/awss3/_meta/terraform/main.tf +++ b/x-pack/filebeat/input/awss3/_meta/terraform/main.tf 
@@ -60,3 +60,77 @@ resource "aws_s3_bucket_notification" "bucket_notification" { aws_sqs_queue.filebeat-integtest, ] } + +resource "aws_sns_topic" "filebeat-integtest-sns" { + name = "filebeat-s3-integtest-sns-${random_string.random.result}" + + policy = < 0} { + if set { + numConfigured++ + } + } + + switch { + case numConfigured == 0: + return errors.New("javascript must be defined via 'file', " + + "'files', or inline as 'source'") + case numConfigured > 1: + return errors.New("javascript can be defined in only one of " + + "'file', 'files', or inline as 'source'") + } + + return nil +} + func (rc *readerConfig) InitDefaults() { rc.BufferSize = 16 * humanize.KiByte rc.MaxBytes = 10 * humanize.MiByte diff --git a/x-pack/filebeat/input/awss3/input.go b/x-pack/filebeat/input/awss3/input.go index 67edf3b5919..bf3f8cf28b2 100644 --- a/x-pack/filebeat/input/awss3/input.go +++ b/x-pack/filebeat/input/awss3/input.go @@ -186,8 +186,12 @@ func (in *s3Input) createSQSReceiver(ctx v2.Context, client beat.Client) (*sqsRe if len(in.config.FileSelectors) == 0 { fileSelectors = []fileSelectorConfig{{ReaderConfig: in.config.ReaderConfig}} } + script, err := newScriptFromConfig(log.Named("sqs_script"), in.config.SQSScript) + if err != nil { + return nil, err + } s3EventHandlerFactory := newS3ObjectProcessorFactory(log.Named("s3"), metrics, s3API, client, fileSelectors) - sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, in.config.VisibilityTimeout, in.config.SQSMaxReceiveCount, s3EventHandlerFactory) + sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, script, in.config.VisibilityTimeout, in.config.SQSMaxReceiveCount, s3EventHandlerFactory) sqsReader := newSQSReader(log.Named("sqs"), metrics, sqsAPI, in.config.MaxNumberOfMessages, sqsMessageHandler) return sqsReader, nil 
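Review bot: `script` can be nil at the point it is passed to `newSQSS3EventProcessor` in the input.go hunk, because `newScriptFromConfig` returns `nil, nil` when `in.config.SQSScript` is nil, and the nil handling lives in the processor outside this hunk (the benchmark test in the same change passes `nil` explicitly, so this looks intended). A one-line comment would spare the next reader a trip through the loader: `// script is nil when sqs.notification_parsing_script is not configured.` The `log.Named("sqs_script")` passed as the first argument is not used by `newScriptFromConfig` as written in this change, so the name never reaches any log line. createSQSReceiver starts outside the hunk.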
@@ -318,9 +322,13 @@ func getProviderFromDomain(endpoint string, ProviderOverride string) string { } parsedEndpoint, _ := url.Parse(endpoint) - domain := parsedEndpoint.Hostname() for key, provider := range providers { - if strings.HasSuffix(domain, key) { + // support endpoint with and without scheme (http(s)://abc.xyz, abc.xyz) + constraint := parsedEndpoint.Hostname() + if len(parsedEndpoint.Scheme) == 0 { + constraint = parsedEndpoint.Path + } + if strings.HasSuffix(constraint, key) { return provider } } diff --git a/x-pack/filebeat/input/awss3/input_benchmark_test.go b/x-pack/filebeat/input/awss3/input_benchmark_test.go index aabb86b1a6c..ecdc1756ce4 100644 --- a/x-pack/filebeat/input/awss3/input_benchmark_test.go +++ b/x-pack/filebeat/input/awss3/input_benchmark_test.go @@ -166,7 +166,7 @@ func benchmarkInputSQS(t *testing.T, maxMessagesInflight int) testing.BenchmarkR conf := makeBenchmarkConfig(t) s3EventHandlerFactory := newS3ObjectProcessorFactory(log.Named("s3"), metrics, s3API, client, conf.FileSelectors) - sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, time.Minute, 5, s3EventHandlerFactory) + sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, nil, time.Minute, 5, s3EventHandlerFactory) sqsReader := newSQSReader(log.Named("sqs"), metrics, sqsAPI, maxMessagesInflight, sqsMessageHandler) go func() { diff --git a/x-pack/filebeat/input/awss3/input_integration_test.go b/x-pack/filebeat/input/awss3/input_integration_test.go index 0ce1c85f505..a7f4f651c07 100644 --- a/x-pack/filebeat/input/awss3/input_integration_test.go +++ b/x-pack/filebeat/input/awss3/input_integration_test.go 
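Review bot: `constraint` is recomputed from `parsedEndpoint` on every iteration of the `providers` loop although it does not depend on `key`; hoist it above the loop as the removed `domain` variable was, e.g. `constraint := parsedEndpoint.Hostname()` followed by `if parsedEndpoint.Scheme == "" { constraint = parsedEndpoint.Path }` before `for key, provider := range providers {`. The scheme-less branch also only works for a bare host: `url.Parse` treats `host:port` without a scheme as scheme `host` with an opaque part, so an endpoint such as `abc.com:9000` gets an empty `Hostname()` and falls through to the default, and the error from `url.Parse` on the context line is still discarded, so a malformed endpoint leaves a nil `parsedEndpoint` to be dereferenced. A test case for a host with a port would pin whichever behaviour is intended; the new input_test.go has none. getProviderFromDomain starts and ends outside the hunk.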
@@ -19,9 +19,12 @@ import ( "testing" "time" + "github.com/aws/aws-sdk-go-v2/service/s3" + + awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" + "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/aws/external" - "github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/s3/s3manager" "github.com/aws/aws-sdk-go-v2/service/sqs" "github.com/stretchr/testify/assert" @@ -36,7 +39,6 @@ import ( pubtest "github.com/elastic/beats/v7/libbeat/publisher/testing" "github.com/elastic/beats/v7/libbeat/statestore" "github.com/elastic/beats/v7/libbeat/statestore/storetest" - awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" ) const ( @@ -48,9 +50,11 @@ const ( ) type terraformOutputData struct { - AWSRegion string `yaml:"aws_region"` - BucketName string `yaml:"bucket_name"` - QueueURL string `yaml:"queue_url"` + AWSRegion string `yaml:"aws_region"` + BucketName string `yaml:"bucket_name"` + QueueURL string `yaml:"queue_url"` + BucketNameForSNS string `yaml:"bucket_name_for_sns"` + QueueURLForSNS string `yaml:"queue_url_for_sns"` } func getTerraformOutputs(t *testing.T) terraformOutputData { @@ -174,11 +178,11 @@ func newV2Context() (v2.Context, func()) { func TestInputRunSQS(t *testing.T) { logp.TestingSetup() - // Terraform is used to setup S3 and SQS and must be executed manually. + // Terraform is used to set up S3 and SQS and must be executed manually. tfConfig := getTerraformOutputs(t) // Ensure SQS is empty before testing. - drainSQS(t, tfConfig) + drainSQS(t, tfConfig.AWSRegion, tfConfig.QueueURL) // Ensure metrics are removed before testing. monitoring.GetNamespace("dataset").GetRegistry().Remove(inputID) 
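Review bot: The moved imports in the first hunk leave the block in an extra group where the AWS SDK `s3` package and the project's `awscommon` package sit together above the remaining `aws-sdk-go-v2` imports, which is neither the stdlib / third-party / project grouping goimports produces nor what the file had before. Keeping `s3` with its sibling `aws-sdk-go-v2` imports and `awscommon` in the `github.com/elastic/beats` group (the second hunk removes it from there) would leave the block untouched, since nothing else in the change needs a different order. The struct hunk's new `BucketNameForSNS`/`QueueURLForSNS` fields and the `drainSQS(t, region, queueURL)` call read fine.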
@@ -240,7 +244,7 @@ func TestInputRunSQS(t *testing.T) { func TestInputRunS3(t *testing.T) { logp.TestingSetup() - // Terraform is used to setup S3 and must be executed manually. + // Terraform is used to set up S3 and must be executed manually. tfConfig := getTerraformOutputs(t) // Ensure metrics are removed before testing. @@ -297,6 +301,7 @@ func TestInputRunS3(t *testing.T) { assertMetric(t, snap, "s3_objects_acked_total", 6) assertMetric(t, snap, "s3_events_created_total", 12) } + func assertMetric(t *testing.T, snapshot common.MapStr, name string, value interface{}) { n, _ := snapshot.GetValue(inputID + "." + name) assert.EqualValues(t, value, n, name) @@ -332,16 +337,16 @@ func uploadS3TestFiles(t *testing.T, region, bucket string, filenames ...string) } } -func drainSQS(t *testing.T, tfConfig terraformOutputData) { +func drainSQS(t *testing.T, region string, queueURL string) { cfg, err := external.LoadDefaultAWSConfig() if err != nil { t.Fatal(err) } - cfg.Region = tfConfig.AWSRegion + cfg.Region = region sqs := &awsSQSAPI{ client: sqs.New(cfg), - queueURL: tfConfig.QueueURL, + queueURL: queueURL, apiTimeout: 1 * time.Minute, visibilityTimeout: 30 * time.Second, longPollWaitTime: 10, @@ -370,13 +375,13 @@ func drainSQS(t *testing.T, tfConfig terraformOutputData) { func TestGetBucketNameFromARN(t *testing.T) { bucketName := getBucketNameFromARN("arn:aws:s3:::my_corporate_bucket") - assert.Equal("my_corporate_bucket", bucketName) + assert.Equal(t, "my_corporate_bucket", bucketName) } func TestGetRegionForBucketARN(t *testing.T) { logp.TestingSetup() - // Terraform is used to setup S3 and must be executed manually. + // Terraform is used to set up S3 and must be executed manually. tfConfig := getTerraformOutputs(t) awsConfig, err := external.LoadDefaultAWSConfig() 
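Review bot: The `assert.Equal(t, "my_corporate_bucket", bucketName)` fix in the TestGetBucketNameFromARN hunk repairs a call that cannot have compiled (`assert.Equal` takes the `TestingT` first), which suggests this file is not built by the regular CI run; the README in this change invokes it with `go test -tags aws,integration`, so presumably it only compiles under those tags. A compile-only step such as `go vet -tags aws,integration ./x-pack/filebeat/input/awss3/` in CI would catch the next such regression without needing AWS credentials. The drainSQS refactor in the later hunk, taking region and queue URL instead of the whole terraform struct, is a sensible prerequisite for the SNS test.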
@@ -393,7 +398,7 @@ func TestGetRegionForBucketARN(t *testing.T) { func TestPaginatorListPrefix(t *testing.T) { logp.TestingSetup() - // Terraform is used to setup S3 and must be executed manually. + // Terraform is used to set up S3 and must be executed manually. tfConfig := getTerraformOutputs(t) uploadS3TestFiles(t, tfConfig.AWSRegion, tfConfig.BucketName, 
@@ -439,9 +444,67 @@ func TestPaginatorListPrefix(t *testing.T) { assert.Equal(t, expected, objects) } -func TestGetProviderFromDomain(t *testing.T) { - assert.Equal("aws", getProviderFromDomain("", "")) - assert.Equal("aws", getProviderFromDomain("c2s.ic.gov", "")) - assert.Equal("abc", getProviderFromDomain("abc.com", "abc")) - assert.Equal("xyz", getProviderFromDomain("oraclecloud.com", "xyz")) +func TestInputRunSNS(t *testing.T) { + logp.TestingSetup() + + // Terraform is used to set up S3, SNS and SQS and must be executed manually. + tfConfig := getTerraformOutputs(t) + + // Ensure SQS is empty before testing. + drainSQS(t, tfConfig.AWSRegion, tfConfig.QueueURLForSNS) + + // Ensure metrics are removed before testing. + monitoring.GetNamespace("dataset").GetRegistry().Remove(inputID) + + uploadS3TestFiles(t, tfConfig.AWSRegion, tfConfig.BucketNameForSNS, + "testdata/events-array.json", + "testdata/invalid.json", + "testdata/log.json", + "testdata/log.ndjson", + "testdata/multiline.json", + "testdata/multiline.json.gz", + "testdata/multiline.txt", + "testdata/log.txt", // Skipped (no match). + ) + + s3Input := createInput(t, makeTestConfigSQS(tfConfig.QueueURLForSNS)) + + inputCtx, cancel := newV2Context() + t.Cleanup(cancel) + time.AfterFunc(15*time.Second, func() { + cancel() + }) + + client := pubtest.NewChanClient(0) + defer close(client.Channel) + go func() { + for event := range client.Channel { + event.Private.(*eventACKTracker).ACK() + } + }() + + var errGroup errgroup.Group + errGroup.Go(func() error { + pipeline := pubtest.PublisherWithClient(client) + return s3Input.Run(inputCtx, pipeline) + }) + + if err := errGroup.Wait(); err != nil { + t.Fatal(err) + } + + snap := common.MapStr(monitoring.CollectStructSnapshot( + monitoring.GetNamespace("dataset").GetRegistry(), + monitoring.Full, + false)) + t.Log(snap.StringToPrint()) + + assertMetric(t, snap, "sqs_messages_received_total", 8) // S3 could batch notifications. 
+ assertMetric(t, snap, "sqs_messages_inflight_gauge", 0) + assertMetric(t, snap, "sqs_messages_deleted_total", 7) + assertMetric(t, snap, "sqs_messages_returned_total", 1) // Invalid JSON is returned so that it can eventually be DLQed. + assertMetric(t, snap, "sqs_visibility_timeout_extensions_total", 0) + assertMetric(t, snap, "s3_objects_inflight_gauge", 0) + assertMetric(t, snap, "s3_objects_requested_total", 7) + assertMetric(t, snap, "s3_events_created_total", 12) } diff --git a/x-pack/filebeat/input/awss3/input_test.go b/x-pack/filebeat/input/awss3/input_test.go new file mode 100644 index 00000000000..1a10eb0115f --- /dev/null +++ b/x-pack/filebeat/input/awss3/input_test.go 
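Review bot: `assertMetric(t, snap, "sqs_messages_received_total", 8) // S3 could batch notifications.` asserts an exact count while its own comment says the count may vary; if notifications can be coalesced the assertion is flaky by admission, and the exact `sqs_messages_deleted_total` and `s3_objects_requested_total` values that follow inherit the same problem. Either the comment is stale and should go, or the received/deleted assertions should tolerate batching and only `s3_events_created_total` be pinned exactly. The new TestInputRunSNS appears to mirror TestInputRunSQS (whose body is mostly outside this view) with the `ForSNS` bucket and queue substituted; a table-driven test over `{bucket, queueURL}` would keep the two in step. The hunk also removes TestGetProviderFromDomain, which the new input_test.go re-adds with the `t` argument the old version lacked.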
@@ -0,0 +1,38 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestGetProviderFromDomain(t *testing.T) {
+ assert.Equal(t, "aws", getProviderFromDomain("", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("c2s.ic.gov", ""))
+ assert.Equal(t, "abc", getProviderFromDomain("abc.com", "abc"))
+ assert.Equal(t, "xyz", getProviderFromDomain("oraclecloud.com", "xyz"))
+ assert.Equal(t, "aws", getProviderFromDomain("amazonaws.com", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("c2s.sgov.gov", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("c2s.ic.gov", ""))
+ assert.Equal(t, "aws", getProviderFromDomain("amazonaws.com.cn", ""))
+ assert.Equal(t, "backblaze", getProviderFromDomain("https://backblazeb2.com", ""))
+ assert.Equal(t, "wasabi", getProviderFromDomain("https://wasabisys.com", ""))
+ assert.Equal(t, "digitalocean", getProviderFromDomain("https://digitaloceanspaces.com", ""))
+ assert.Equal(t, "dreamhost", getProviderFromDomain("https://dream.io", ""))
+ assert.Equal(t, "scaleway", getProviderFromDomain("https://scw.cloud", ""))
+ assert.Equal(t, "gcp", getProviderFromDomain("https://googleapis.com", ""))
+ assert.Equal(t, "arubacloud", getProviderFromDomain("https://cloud.it", ""))
+ assert.Equal(t, "linode", getProviderFromDomain("https://linodeobjects.com", ""))
+ assert.Equal(t, "vultr", getProviderFromDomain("https://vultrobjects.com", ""))
+ assert.Equal(t, "ibm", getProviderFromDomain("https://appdomain.cloud", ""))
+ assert.Equal(t, "alibaba", getProviderFromDomain("https://aliyuncs.com", ""))
+ assert.Equal(t, "oracle", getProviderFromDomain("https://oraclecloud.com", ""))
+ assert.Equal(t, "exoscale", getProviderFromDomain("https://exo.io", ""))
+ assert.Equal(t, "upcloud", getProviderFromDomain("https://upcloudobjects.com", ""))
+ assert.Equal(t, "iland", getProviderFromDomain("https://ilandcloud.com", ""))
+ assert.Equal(t, "zadara", getProviderFromDomain("https://zadarazios.com", ""))
+}
diff --git a/x-pack/filebeat/input/awss3/script.go b/x-pack/filebeat/input/awss3/script.go
new file mode 100644
index 00000000000..812fbe65dc5
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/script.go
@@ -0,0 +1,150 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "bytes"
+ "io"
+ "os"
+ "path/filepath"
+ "runtime"
+ "strings"
+
+ "github.com/dop251/goja"
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/logp"
+ "github.com/elastic/beats/v7/libbeat/paths"
+)
+
+type script struct {
+ scriptConfig
+ sessionPool *sessionPool
+ sourceProg *goja.Program
+ sourceFile string
+}
+
+// newScriptFromConfig constructs a new Javascript script from the given config
+// object. It loads the sources, compiles them, and validates the entry point.
+func newScriptFromConfig(log *logp.Logger, c *scriptConfig) (*script, error) {
+ if c == nil {
+ return nil, nil
+ }
+ err := c.Validate()
+ if err != nil {
+ return nil, err
+ }
+
+ var sourceFile string
+ var sourceCode []byte
+
+ switch {
+ case c.Source != "":
+ sourceFile = "inline.js"
+ sourceCode = []byte(c.Source)
+ case c.File != "":
+ sourceFile, sourceCode, err = loadSources(c.File)
+ case len(c.Files) > 0:
+ sourceFile, sourceCode, err = loadSources(c.Files...)
+ }
+ if err != nil {
+ return nil, err
+ }
+
+ // Validate processor source code.
+ prog, err := goja.Compile(sourceFile, string(sourceCode), true)
+ if err != nil {
+ return nil, err
+ }
+
+ pool, err := newSessionPool(prog, *c)
+ if err != nil {
+ return nil, err
+ }
+
+ return &script{
+ scriptConfig: *c,
+ sessionPool: pool,
+ sourceProg: prog,
+ sourceFile: sourceFile,
+ }, nil
+}
+
+// loadSources loads javascript source from files.
+func loadSources(files ...string) (string, []byte, error) {
+ var sources []string
+ buf := new(bytes.Buffer)
+
+ readFile := func(path string) error {
+ if common.IsStrictPerms() {
+ if err := common.OwnerHasExclusiveWritePerms(path); err != nil {
+ return err
+ }
+ }
+
+ f, err := os.Open(path)
+ if err != nil {
+ return errors.Wrapf(err, "failed to open file %v", path)
+ }
+ defer f.Close()
+
+ if _, err = io.Copy(buf, f); err != nil {
+ return errors.Wrapf(err, "failed to read file %v", path)
+ }
+ return nil
+ }
+
+ for _, filePath := range files {
+ filePath = paths.Resolve(paths.Config, filePath)
+
+ if hasMeta(filePath) {
+ matches, err := filepath.Glob(filePath)
+ if err != nil {
+ return "", nil, err
+ }
+ sources = append(sources, matches...)
+ } else {
+ sources = append(sources, filePath)
+ }
+ }
+
+ if len(sources) == 0 {
+ return "", nil, errors.Errorf("no sources were found in %v",
+ strings.Join(files, ", "))
+ }
+
+ for _, name := range sources {
+ if err := readFile(name); err != nil {
+ return "", nil, err
+ }
+ }
+
+ return strings.Join(sources, ";"), buf.Bytes(), nil
+}
+
+// run runs the parse function. It receives a raw notification
+// as a string and returns a list of S3 Events describing
+// which files are going to be downloaded.
+func (p *script) run(n string) ([]s3EventV2, error) {
+ s := p.sessionPool.Get()
+ defer p.sessionPool.Put(s)
+
+ return s.runParseFunc(n)
+}
+
+func (p *script) String() string {
+ return "script=[type=javascript, sources=" + p.sourceFile + "]"
+}
+
+// hasMeta reports whether path contains any of the magic characters
+// recognized by Match/Glob.
+func hasMeta(path string) bool {
+ magicChars := `*?[`
+ if runtime.GOOS != "windows" {
+ magicChars = `*?[\`
+ }
+ return strings.ContainsAny(path, magicChars)
+}
diff --git a/x-pack/filebeat/input/awss3/script_jss3event_v2.go b/x-pack/filebeat/input/awss3/script_jss3event_v2.go
new file mode 100644
index 00000000000..04cea00a08b
--- /dev/null
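Review bot: `log *logp.Logger` in `newScriptFromConfig` is never used — the session built through `newSessionPool` creates its own logger with `logp.NewLogger(logName)` in script_session.go — so either drop the parameter or thread it into the pool so script diagnostics appear under the `sqs_script` named logger the caller passes. The `nil, nil` return for a nil config is a deliberate "not configured" signal and deserves a sentence in the doc comment, e.g. `// A nil config yields a nil *script and no error; callers must treat nil as "no script configured".` In loadSources the `common.IsStrictPerms()` ownership check before each script file is read is the right call, since whatever is loaded runs with the input's privileges, and a one-line comment stating that rationale would keep it from being "simplified" away later. `hasMeta` duplicates the unexported helper of the same name in path/filepath; unavoidable, but the comment could say so.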
+++ b/x-pack/filebeat/input/awss3/script_jss3event_v2.go
@@ -0,0 +1,69 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "strings"
+
+ "github.com/dop251/goja"
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/common/encoding/xml"
+)
+
+func newJSS3EventV2Constructor(s *session) func(call goja.ConstructorCall) *goja.Object {
+ return func(call goja.ConstructorCall) *goja.Object {
+ if len(call.Arguments) != 0 {
+ panic(errors.New("Event constructor don't accept arguments"))
+ }
+ return s.vm.ToValue(&s3EventV2{}).(*goja.Object)
+ }
+}
+
+func (e *s3EventV2) SetAWSRegion(v string) {
+ e.AWSRegion = v
+}
+
+func (e *s3EventV2) SetProvider(v string) {
+ e.Provider = v
+}
+
+func (e *s3EventV2) SetEventName(v string) {
+ e.EventName = v
+}
+
+func (e *s3EventV2) SetEventSource(v string) {
+ e.EventSource = v
+}
+
+func (e *s3EventV2) SetS3BucketName(v string) {
+ e.S3.Bucket.Name = v
+}
+
+func (e *s3EventV2) SetS3BucketARN(v string) {
+ e.S3.Bucket.ARN = v
+}
+
+func (e *s3EventV2) SetS3ObjectKey(v string) {
+ e.S3.Object.Key = v
+}
+
+func newXMLDecoderConstructor(s *session) func(call goja.ConstructorCall) *goja.Object {
+ return func(call goja.ConstructorCall) *goja.Object {
+ if len(call.Arguments) != 1 {
+ panic(errors.New("Event constructor requires one argument"))
+ }
+
+ a0 := call.Argument(0).Export()
+ s0, ok := a0.(string)
+
+ if !ok {
+ panic(errors.Errorf("Event constructor requires a "+
+ "string argument but got %T", a0))
+ }
+
+ return s.vm.ToValue(xml.NewDecoder(strings.NewReader(s0))).(*goja.Object)
+ }
+}
diff --git a/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go b/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go
new file mode 100644
index 00000000000..dc387d95e33
--- /dev/null
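Review bot: Both panics in `newXMLDecoderConstructor` say "Event constructor" although they guard the `XMLDecoder` constructor, so a script author who calls `new XMLDecoder()` with the wrong arguments is pointed at the wrong type; change them to `panic(errors.New("XMLDecoder constructor requires one argument"))` and `panic(errors.Errorf("XMLDecoder constructor requires a string argument but got %T", a0))`. The S3EventV2 message has a grammar slip too: `panic(errors.New("S3EventV2 constructor does not accept arguments"))`. The seven `Set*` methods on `s3EventV2` are the script-facing API documented in the asciidoc in this change but carry no doc comments; a one-liner on each such as `// SetS3ObjectKey sets S3.Object.Key; exposed to scripts as evt.SetS3ObjectKey(string).` would tie the code to the documented surface.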
+++ b/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go
@@ -0,0 +1,60 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/elastic/beats/v7/libbeat/logp"
+)
+
+const (
+ header = `function parse(n) {`
+ footer = `}`
+)
+
+var log = logp.NewLogger("test")
+
+func TestJSS3EventV2(t *testing.T) {
+ logp.TestingSetup()
+
+ source := `
+ var evts = [];
+ var evt = new S3EventV2();
+ evt.SetAWSRegion("region");
+ evt.SetProvider("provider");
+ evt.SetEventName("name");
+ evt.SetEventSource("source");
+ evt.SetS3BucketName("bucket");
+ evt.SetS3BucketARN("arn");
+ evt.SetS3ObjectKey("key");
+ evts.push(evt);
+ return evts;
+ `
+
+ p, err := newScriptFromConfig(log, &scriptConfig{Source: header + source + footer})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ evts, err := p.run(`{}`)
+ require.NoError(t, err)
+ require.Equal(t, 1, len(evts))
+
+ exp := s3EventV2{
+ AWSRegion: "region",
+ Provider: "provider",
+ EventName: "name",
+ EventSource: "source",
+ }
+ exp.S3.Bucket.Name = "bucket"
+ exp.S3.Bucket.ARN = "arn"
+ exp.S3.Object.Key = "key"
+
+ assert.EqualValues(t, exp, evts[0])
+}
diff --git a/x-pack/filebeat/input/awss3/script_session.go b/x-pack/filebeat/input/awss3/script_session.go
new file mode 100644
index 00000000000..aad0539665e
--- /dev/null
+++ b/x-pack/filebeat/input/awss3/script_session.go
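Review bot: TestJSS3EventV2 covers only the happy path of the `S3EventV2` setters; the argument validation in both constructors (`new S3EventV2("x")`, `new XMLDecoder()`, `new XMLDecoder(1)`) and the `XMLDecoder` decode path added in the same change have no test, and those are the branches a script author hits first. A second test that feeds a small XML document through `new XMLDecoder(n).Decode()` and asserts the resulting map, plus cases asserting that `newScriptFromConfig` returns an error when the script's `test()` makes a bad constructor call, would close that gap. The package-level `var log = logp.NewLogger("test")` is declared in a `_test.go` file of package awss3 and would collide with any other file in the package that declares `log`; a local in the test avoids that.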
@@ -0,0 +1,217 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package awss3 + +import ( + "fmt" + "reflect" + "time" + + "github.com/dop251/goja" + "github.com/pkg/errors" + "go.uber.org/zap" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +const ( + logName = "awss3.script" + + entryPointFunction = "parse" + registerFunction = "register" + testFunction = "test" + + timeoutError = "javascript parser execution timeout" +) + +// session is a javascript runtime environment used throughout the life of +// the input instance. +type session struct { + vm *goja.Runtime + log *logp.Logger + parseFunc goja.Callable + timeout time.Duration +} + +func newSession(p *goja.Program, conf scriptConfig, test bool) (*session, error) { + // Create a logger + logger := logp.NewLogger(logName) + + // Setup JS runtime. + s := &session{ + vm: goja.New(), + log: logger, + timeout: conf.Timeout, + } + + // Register common.MapStr as being a simple map[string]interface{} for + // treatment within the JS VM. + s.vm.RegisterSimpleMapType(reflect.TypeOf(common.MapStr(nil)), + func(i interface{}) map[string]interface{} { + return map[string]interface{}(i.(common.MapStr)) + }, + ) + + // Register constructors for 'new S3EventV2' to enable creating them from the JS code. 
+ s.vm.Set("S3EventV2", newJSS3EventV2Constructor(s)) + s.vm.Set("XMLDecoder", newXMLDecoderConstructor(s)) + + if _, err := s.vm.RunProgram(p); err != nil { + return nil, err + } + + if err := s.setParseFunction(); err != nil { + return nil, err + } + + if len(conf.Params) > 0 { + if err := s.registerScriptParams(conf.Params); err != nil { + return nil, err + } + } + + if test { + if err := s.executeTestFunction(); err != nil { + return nil, err + } + } + + return s, nil +} + +// setParseFunction validates that the parse() function exists and stores +// the handle. +func (s *session) setParseFunction() error { + parseFunc := s.vm.Get(entryPointFunction) + if parseFunc == nil { + return errors.New("parse function not found") + } + if parseFunc.ExportType().Kind() != reflect.Func { + return errors.New("parse is not a function") + } + if err := s.vm.ExportTo(parseFunc, &s.parseFunc); err != nil { + return errors.Wrap(err, "failed to export parse function") + } + return nil +} + +// registerScriptParams calls the register() function and passes the params. +func (s *session) registerScriptParams(params map[string]interface{}) error { + registerFunc := s.vm.Get(registerFunction) + if registerFunc == nil { + return errors.New("params were provided but no register function was found") + } + if registerFunc.ExportType().Kind() != reflect.Func { + return errors.New("register is not a function") + } + var register goja.Callable + if err := s.vm.ExportTo(registerFunc, ®ister); err != nil { + return errors.Wrap(err, "failed to export register function") + } + if _, err := register(goja.Undefined(), s.vm.ToValue(params)); err != nil { + return errors.Wrap(err, "failed to register script_params") + } + s.log.Debug("Registered params with script") + return nil +} + +// executeTestFunction executes the test() function if it exists. Any exceptions +// will cause the script to fail to load. 
+func (s *session) executeTestFunction() error { + if testFunc := s.vm.Get(testFunction); testFunc != nil { + if testFunc.ExportType().Kind() != reflect.Func { + return errors.New("test is not a function") + } + var test goja.Callable + if err := s.vm.ExportTo(testFunc, &test); err != nil { + return errors.Wrap(err, "failed to export test function") + } + _, err := test(goja.Undefined(), nil) + if err != nil { + return errors.Wrap(err, "failed in test() function") + } + s.log.Debugf("Successful test() execution for script.") + } + return nil +} + +// runParseFunc executes parse() from the JS script. +func (s *session) runParseFunc(n string) (out []s3EventV2, err error) { + defer func() { + if r := recover(); r != nil { + s.log.Errorw("The javascript script caused an unexpected panic "+ + "while parsing a notification. Recovering, but please report this.", + "notification", common.MapStr{"original": n}, + "panic", r, + zap.Stack("stack")) + err = fmt.Errorf("unexpected panic in javascript script: %v", r) + } + }() + + // Interrupt the JS code if execution exceeds timeout. 
+ if s.timeout > 0 { + t := time.AfterFunc(s.timeout, func() { + s.vm.Interrupt(timeoutError) + }) + defer t.Stop() + } + + v, err := s.parseFunc(goja.Undefined(), s.vm.ToValue(n)) + if err != nil { + return nil, fmt.Errorf("failed in parse function: %w", err) + } + + if v.Equals(goja.Undefined()) { + return out, nil + } + + if err := s.vm.ExportTo(v, &out); err != nil { + return nil, fmt.Errorf("can't export returned value: %w", err) + } + + return out, nil +} + +type sessionPool struct { + New func() *session + C chan *session +} + +func newSessionPool(p *goja.Program, c scriptConfig) (*sessionPool, error) { + s, err := newSession(p, c, true) + if err != nil { + return nil, err + } + + pool := sessionPool{ + New: func() *session { + s, _ := newSession(p, c, false) + return s + }, + C: make(chan *session, c.MaxCachedSessions), + } + pool.Put(s) + + return &pool, nil +} + +func (p *sessionPool) Get() *session { + select { + case s := <-p.C: + return s + default: + return p.New() + } +} + +func (p *sessionPool) Put(s *session) { + if s != nil { + select { + case p.C <- s: + default: + } + } +} diff --git a/x-pack/filebeat/input/awss3/script_session_test.go b/x-pack/filebeat/input/awss3/script_session_test.go new file mode 100644 index 00000000000..4cad65b03fd --- /dev/null +++ b/x-pack/filebeat/input/awss3/script_session_test.go 
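Review bot: `sessionPool.New` discards the error from `newSession(p, c, false)` and returns whatever `s` is, so a failure while rebuilding a runtime (register() runs on every new session and can throw) hands a nil `*session` to `Get()` and on to its caller with the cause lost. The first session is validated in newSessionPool, so this is rare, but when it does happen it surfaces as a nil dereference far from the script rather than as the script error. I would make `New` and `Get` return `(*session, error)` so the caller of Get (in script.go, outside this hunk) can report it; the rewritten pieces are below. Separately, if the timeout timer fires after parseFunc has already returned, the deferred `t.Stop()` cannot cancel it and the pending interrupt would abort the next parse on this session; replacing the defer with `defer func() { if !t.Stop() { s.vm.ClearInterrupt() } }()` clears it, assuming goja's interrupt flag is only reset when consumed, which I could not confirm from here.

```go
type sessionPool struct {
	New func() (*session, error)
	C   chan *session
}

func newSessionPool(p *goja.Program, c scriptConfig) (*sessionPool, error) {
	// … unchanged: build and validate the first session …
	pool := sessionPool{
		New: func() (*session, error) {
			return newSession(p, c, false)
		},
		C: make(chan *session, c.MaxCachedSessions),
	}
	// … unchanged: pool.Put(s); return &pool, nil …
}

// Get returns a cached session or builds a new one; the error from
// newSession is propagated instead of being dropped.
func (p *sessionPool) Get() (*session, error) {
	select {
	case s := <-p.C:
		return s, nil
	default:
		return p.New()
	}
}
```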
@@ -0,0 +1,317 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package awss3 + +import ( + "context" + "sync" + "testing" + "time" + + "github.com/elastic/beats/v7/libbeat/logp" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestSessionScriptParams(t *testing.T) { + logp.TestingSetup() + + t.Run("register method is optional", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{Source: header + footer}) + if err != nil { + t.Fatal(err) + } + }) + + t.Run("register required for params", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{Source: header + footer, Params: map[string]interface{}{ + "p1": 42, + }, + }) + if assert.Error(t, err) { + assert.Contains(t, err.Error(), "params were provided") + } + }) + + t.Run("register params", func(t *testing.T) { + const script = ` + function register(params) { + if (params["p1"] !== 42) { + throw "invalid p1"; + } + } + + function parse(n) {} + ` + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: script, + Params: map[string]interface{}{ + "p1": 42, + }, + }) + assert.NoError(t, err) + }) +} + +func TestSessionTestFunction(t *testing.T) { + logp.TestingSetup() + + const script = ` + var fail = false; + + function register(params) { + fail = params["fail"]; + } + + function parse(n) { + if (fail) { + throw "intentional failure"; + } + var m = JSON.parse(n); + var e = new S3EventV2(); + e.SetS3ObjectKey(m["hello"]); + return [e]; + } + + function test() { + var n = "{\"hello\": \"earth\"}"; + var evts = parse(n); + + if (evts[0].S3.Object.Key !== "earth") { + throw "invalid key value"; + } + } + ` + + t.Run("test method is optional", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: header + footer, + }) 
+ if err != nil { + t.Fatal(err) + } + }) + + t.Run("test success", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: script, + Params: map[string]interface{}{ + "fail": false, + }, + }) + assert.NoError(t, err) + }) + + t.Run("test failure", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: script, + Params: map[string]interface{}{ + "fail": true, + }, + }) + assert.Error(t, err) + }) +} + +func TestSessionTimeout(t *testing.T) { + logp.TestingSetup() + + const runawayLoop = ` + var m = JSON.parse(n); + while (!m.stop) { + m.hello = "world"; + } + ` + + p, err := newScriptFromConfig(log, &scriptConfig{ + Source: header + runawayLoop + footer, + Timeout: 100 * time.Millisecond, + }) + if err != nil { + t.Fatal(err) + } + + n := `{"stop": false}` + + // Execute and expect a timeout. + _, err = p.run(n) + if assert.Error(t, err) { + assert.Contains(t, err.Error(), timeoutError) + } + + // Verify that any internal runtime interrupt state has been cleared. 
+ n = `{"stop": true}` + _, err = p.run(n) + assert.NoError(t, err) +} + +func TestSessionParallel(t *testing.T) { + logp.TestingSetup() + + const script = ` + var m = JSON.parse(n); + var evt = new S3EventV2(); + evt.SetS3ObjectKey(m.hello.world); + return [evt]; + ` + + p, err := newScriptFromConfig(log, &scriptConfig{ + Source: header + script + footer, + }) + if err != nil { + t.Fatal(err) + } + + const goroutines = 10 + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + var wg sync.WaitGroup + wg.Add(goroutines) + for i := 0; i < goroutines; i++ { + go func() { + defer wg.Done() + for ctx.Err() == nil { + n := `{"hello":{"world": "hello"}}` + evts, err := p.run(n) + require.NoError(t, err) + require.Equal(t, 1, len(evts)) + assert.Equal(t, "hello", evts[0].S3.Object.Key) + } + }() + } + + time.AfterFunc(time.Second, cancel) + wg.Wait() +} + +func TestCreateS3EventsFromNotification(t *testing.T) { + logp.TestingSetup() + + n := `{ + "cid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "timestamp": 1492726639222, + "fileCount": 4, + "totalSize": 349986221, + "bucket": "bucketNNNN", + "pathPrefix": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff", + "files": [ + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz", + "size": 90506437, + "checksum": "ffffffffffffffffffff" + }, + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz", + "size": 86467594, + "checksum": "ffffffffffffffffffff" + }, + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00002.gz", + "size": 83893710, + "checksum": "ffffffffffffffffffff" + }, + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00003.gz", + "size": 89118480, + "checksum": "ffffffffffffffffffff" + } + ] + }` + + const script = ` + function parse(n) { + var m = JSON.parse(n); + var evts = []; + var files = m.files; + var bucket = m.bucket; + + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + + files.forEach(function(f){ + var evt = new 
S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + + return evts; + } +` + s, err := newScriptFromConfig(log, &scriptConfig{Source: script}) + require.NoError(t, err) + + evts, err := s.run(n) + require.NoError(t, err) + require.Equal(t, 4, len(evts)) + + const expectedBucket = "bucketNNNN" + expectedObjectKeys := []string{ + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00002.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00003.gz", + } + + for i, e := range expectedObjectKeys { + assert.Equal(t, expectedBucket, evts[i].S3.Bucket.Name) + assert.Equal(t, e, evts[i].S3.Object.Key) + } +} + +func TestParseXML(t *testing.T) { + logp.TestingSetup() + + n := ` + bucketNNNN + + logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz + logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz + + ` + + const script = ` + function parse(n) { + var dec = new XMLDecoder(n); + var m = dec.Decode(); + var evts = []; + var files = m.record.files.file; + var bucket = m.record.bucket; + + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + + return evts; + } +` + s, err := newScriptFromConfig(log, &scriptConfig{Source: script}) + require.NoError(t, err) + + evts, err := s.run(n) + require.NoError(t, err) + require.Equal(t, 2, len(evts)) + + const expectedBucket = "bucketNNNN" + expectedObjectKeys := []string{ + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz", + } + + for i, e := range expectedObjectKeys { + assert.Equal(t, expectedBucket, evts[i].S3.Bucket.Name) + assert.Equal(t, e, evts[i].S3.Object.Key) + } +} 
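Review bot: `TestSessionParallel` calls `require.NoError` and `require.Equal` from the worker goroutines; `require` ends in `t.FailNow`, which the testing package only supports from the goroutine running the test, so a real failure here would show up as a runtime panic or a hang instead of a normal test failure. Use the non-fatal variants and leave the loop on failure: `if !assert.NoError(t, err) || !assert.Len(t, evts, 1) { return }` before the `assert.Equal` on `evts[0]`. The XML fixture in `TestParseXML` appears to have lost its element tags in this rendering, so I could not check that case.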
diff --git a/x-pack/filebeat/input/awss3/sqs_s3_event.go b/x-pack/filebeat/input/awss3/sqs_s3_event.go index b2c1a7f169d..c906c74fa9e 100644 --- a/x-pack/filebeat/input/awss3/sqs_s3_event.go +++ b/x-pack/filebeat/input/awss3/sqs_s3_event.go @@ -53,8 +53,12 @@ func nonRetryableErrorWrap(err error) error { // s3EventsV2 is the notification message that Amazon S3 sends to notify of S3 changes. // This was derived from the version 2.2 schema. // https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-content-structure.html +// If the notification message is sent from SNS to SQS, then Records will be +// replaced by TopicArn and Message fields. type s3EventsV2 struct { - Records []s3EventV2 `json:"Records"` + TopicArn string `json:"TopicArn"` + Message string `json:"Message"` + Records []s3EventV2 `json:"Records"` } // s3EventV2 is a S3 change notification event. @@ -82,9 +86,10 @@ type sqsS3EventProcessor struct { log *logp.Logger warnOnce sync.Once metrics *inputMetrics + script *script } -func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, sqsVisibilityTimeout time.Duration, maxReceiveCount int, s3 s3ObjectHandlerFactory) *sqsS3EventProcessor { +func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, script *script, sqsVisibilityTimeout time.Duration, maxReceiveCount int, s3 s3ObjectHandlerFactory) *sqsS3EventProcessor { if metrics == nil { metrics = newInputMetrics(monitoring.NewRegistry(), "") } @@ -95,6 +100,7 @@ func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, sqs: sqs, log: log, metrics: metrics, + script: script, } } 
@@ -181,6 +187,12 @@ func (p *sqsS3EventProcessor) keepalive(ctx context.Context, log *logp.Logger, w } func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, error) { + // Check if a parsing script is defined. If so, it takes precedence over + // format autodetection. + if p.script != nil { + return p.script.run(body) + } + // NOTE: If AWS introduces a V3 schema this will need updated to handle that schema. var events s3EventsV2 dec := json.NewDecoder(strings.NewReader(body)) @@ -189,6 +201,24 @@ func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, erro return nil, fmt.Errorf("failed to decode SQS message body as an S3 notification: %w", err) } + // Check if the notification is from S3 -> SNS -> SQS + if events.TopicArn != "" { + dec := json.NewDecoder(strings.NewReader(events.Message)) + if err := dec.Decode(&events); err != nil { + p.log.Debugw("Invalid SQS message body.", "sqs_message_body", body) + return nil, fmt.Errorf("failed to decode SQS message body as an S3 notification: %w", err) + } + } + + if events.Records == nil { + p.log.Debugw("Invalid SQS message body: missing Records field", "sqs_message_body", body) + return nil, errors.New("the message is an invalid S3 notification: missing Records field") + } + + return p.getS3Info(events) +} + +func (p *sqsS3EventProcessor) getS3Info(events s3EventsV2) ([]s3EventV2, error) { var out []s3EventV2 for _, record := range events.Records { if !p.isObjectCreatedEvents(record) { @@ -211,7 +241,6 @@ func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, erro out = append(out, record) } - return out, nil } diff --git a/x-pack/filebeat/input/awss3/sqs_s3_event_test.go b/x-pack/filebeat/input/awss3/sqs_s3_event_test.go index 8865c5d30cd..ad6d30056d4 100644 --- a/x-pack/filebeat/input/awss3/sqs_s3_event_test.go +++ b/x-pack/filebeat/input/awss3/sqs_s3_event_test.go 
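Review bot: The early `return p.script.run(body)` in getS3Notifications hands the script's events straight to the caller and bypasses `getS3Info`, so scripted events are neither filtered by `isObjectCreatedEvents` nor URL-unescaped the way the decoded path's object keys are (the "s3 key is url unescaped" test in the next file only exercises the JSON path). If that is intentional, because the script author controls the event shape and the test scripts build events without an event name, it is worth saying so at the call site: `// Events produced by the script are used as-is: no ObjectCreated filtering and no URL-unescaping of the object key.` If it is not, the script results should go through `p.getS3Info(s3EventsV2{Records: evts})` like the decoded notifications. The SNS branch also decodes `events.Message` into the same `events` value, which relies on the SNS envelope not carrying its own `Records`; a one-line comment there would spare the next reader the same check.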
@@ -38,7 +38,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) require.NoError(t, p.ProcessSQS(ctx, &msg)) }) @@ -60,7 +60,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&invalidBodyMsg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) err := p.ProcessSQS(ctx, &invalidBodyMsg) require.Error(t, err) t.Log(err) @@ -75,13 +75,13 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI := NewMockSQSAPI(ctrl) mockS3HandlerFactory := NewMockS3ObjectHandlerFactory(ctrl) - emptyRecordsMsg := newSQSMessage() + emptyRecordsMsg := newSQSMessage([]s3EventV2{}...) gomock.InOrder( mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&emptyRecordsMsg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) require.NoError(t, p.ProcessSQS(ctx, &emptyRecordsMsg)) }) @@ -108,7 +108,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, visibilityTimeout, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, visibilityTimeout, 5, mockS3HandlerFactory) require.NoError(t, p.ProcessSQS(ctx, &msg)) }) 
@@ -127,7 +127,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockS3Handler.EXPECT().ProcessS3Object().Return(errors.New("fake connectivity problem")), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) err := p.ProcessSQS(ctx, &msg) t.Log(err) require.Error(t, err) @@ -154,7 +154,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) err := p.ProcessSQS(ctx, &msg) t.Log(err) require.Error(t, err) @@ -164,7 +164,7 @@ func TestSQSS3EventProcessor(t *testing.T) { func TestSqsProcessor_getS3Notifications(t *testing.T) { logp.TestingSetup() - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, nil, time.Minute, 5, nil) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, nil, nil, time.Minute, 5, nil) t.Run("s3 key is url unescaped", func(t *testing.T) { msg := newSQSMessage(newS3Event("Happy+Face.jpg")) 
@@ -184,6 +184,34 @@ func TestSqsProcessor_getS3Notifications(t *testing.T) { require.NoError(t, err) assert.Len(t, events, 0) }) + + t.Run("sns-sqs notification", func(t *testing.T) { + msg := newSNSSQSMessage() + events, err := p.getS3Notifications(*msg.Body) + require.NoError(t, err) + assert.Len(t, events, 1) + assert.Equal(t, "test-object-key", events[0].S3.Object.Key) + assert.Equal(t, "arn:aws:s3:::vpc-flow-logs-ks", events[0].S3.Bucket.ARN) + assert.Equal(t, "vpc-flow-logs-ks", events[0].S3.Bucket.Name) + }) + + t.Run("missing Records fail", func(t *testing.T) { + msg := `{"message":"missing records"}` + _, err := p.getS3Notifications(msg) + require.Error(t, err) + assert.EqualError(t, err, "the message is an invalid S3 notification: missing Records field") + msg = `{"message":"null records", "Records": null}` + _, err = p.getS3Notifications(msg) + require.Error(t, err) + assert.EqualError(t, err, "the message is an invalid S3 notification: missing Records field") + }) + + t.Run("empty Records does not fail", func(t *testing.T) { + msg := `{"Records":[]}` + events, err := p.getS3Notifications(msg) + require.NoError(t, err) + assert.Equal(t, 0, len(events)) + }) } func TestNonRecoverableError(t *testing.T) { diff --git a/x-pack/filebeat/input/awss3/sqs_test.go b/x-pack/filebeat/input/awss3/sqs_test.go index 4940b4a6eca..a8b6e7b5f2a 100644 --- a/x-pack/filebeat/input/awss3/sqs_test.go +++ b/x-pack/filebeat/input/awss3/sqs_test.go 
@@ -126,6 +126,28 @@ func newSQSMessage(events ...s3EventV2) sqs.Message { } } +func newSNSSQSMessage() sqs.Message { + body, err := json.Marshal(s3EventsV2{ + TopicArn: "arn:aws:sns:us-east-1:1234:sns-topic", + Message: "{\"Records\":[{\"eventSource\":\"aws:s3\",\"awsRegion\":\"us-east-1\",\"eventName\":\"ObjectCreated:Put\",\"s3\":{\"configurationId\":\"sns-notification-vpc-flow-logs\",\"bucket\":{\"name\":\"vpc-flow-logs-ks\",\"arn\":\"arn:aws:s3:::vpc-flow-logs-ks\"},\"object\":{\"key\":\"test-object-key\"}}}]}", + }) + if err != nil { + panic(err) + } + + hash := sha256.Sum256(body) + id, _ := uuid.FromBytes(hash[:16]) + messageID := id.String() + receipt := "receipt-" + messageID + bodyStr := string(body) + + return sqs.Message{ + Body: &bodyStr, + MessageId: &messageID, + ReceiptHandle: &receipt, + } +} + func newS3Event(key string) s3EventV2 { record := s3EventV2{ AWSRegion: "us-east-1", diff --git a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc index c8eb358cd7d..79d27b36166 100644 --- a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" devic *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: @@ -73,7 +73,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "barracudasf" device *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc index b9ef6534d89..3497b6873ea 100644 
--- a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" d *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index e831bbb1e8f..e666da7fa66 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -300,7 +300,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device r *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: @@ -345,7 +345,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc index 135260569a4..4cd22f8b797 100644 --- a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "cylance" device rev *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc index d0448abd545..e83d14081ff 100644 
--- a/x-pack/filebeat/module/f5/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc @@ -32,7 +32,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device re *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: @@ -77,7 +77,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "bigipafm" device re *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc index 46c62099197..2cd30c1437a 100644 --- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc @@ -80,7 +80,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: @@ -125,7 +125,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail" *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: @@ -170,7 +170,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: 
diff --git a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc index 918763f391d..c5b1ab37691 100644 --- a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc index 286934fa4e4..1be04b5b739 100644 --- a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" devic *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index a0e4ab1717f..b42de3eb091 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc @@ -141,7 +141,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: 
@@ -186,7 +186,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device r *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc index 577c87f6cc3..13ea8f43bdc 100644 --- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc @@ -219,7 +219,7 @@ include::../include/var-paths.asciidoc[] *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc index 3d0477a9f43..463c93b5c0f 100644 --- a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc @@ -26,7 +26,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" de *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc b/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc index b0accc04273..21a768ab432 100644 --- a/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "proofpoint" device *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: 
diff --git a/x-pack/filebeat/module/radware/_meta/docs.asciidoc b/x-pack/filebeat/module/radware/_meta/docs.asciidoc index 3e0a992b51f..ba9bc87444c 100644 --- a/x-pack/filebeat/module/radware/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/radware/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device r *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/snort/_meta/docs.asciidoc b/x-pack/filebeat/module/snort/_meta/docs.asciidoc index f2ae38f0043..47c1c430934 100644 --- a/x-pack/filebeat/module/snort/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/snort/_meta/docs.asciidoc @@ -26,7 +26,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "snort" device revis *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc index 904e7f6d19c..595b2a31acb 100644 --- a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device r *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc index 41e86a0d1a4..6d6147984a1 100644 --- a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc 
@@ -151,7 +151,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device re
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/squid/_meta/docs.asciidoc b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
index 0708c243f27..10411c4f73d 100644
--- a/x-pack/filebeat/module/squid/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
@@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "squid" device revis
 *`var.input`*::
-The input from which messages are read. One of `file`, `tcp` or `udp`.
+The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
 *`var.syslog_host`*::
diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
index a7acdb5f4bd..18c8d57e169 100644
--- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -12,7 +12,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind
 Match rules], but is also compatible with other features like https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich Processors]. The related threat intel attribute that is meant to be used for
-matching incoming source data is stored under the `threatintel.indicator.*`
+matching incoming source data is stored under the `threat.indicator.*`
 fields. The available filesets are:
@@ -68,9 +68,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | URL Threat Intel Fields | ECS Fields
-| url | threatintel.indicator.url.full
+| url | threat.indicator.url.full
 | date_added | @timestamp
-| host | threatintel.indicator.ip/domain
+| host | threat.indicator.ip/domain
 |==============================================================
 [[abusemalware]]
@@ -112,9 +112,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |================================================================
 | Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| file_size | threatintel.indicator.file.size
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| file_size | threat.indicator.file.size
 |================================================================
 [[malwarebazaar]]
@@ -156,24 +156,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |================================================================
 | Malware Threat IntelFields | ECS Fields
-| md5_hash | threatintel.indicator.file.hash.md5
-| sha256_hash | threatintel.indicator.file.hash.sha256
-| tlsh | threatintel.indicator.file.hash.tlsh
-| ssdeep | threatintel.indicator.file.hash.ssdeep
-| imphash | threatintel.indicator.file.pe.imphash
-| file_size | threatintel.indicator.file.size
-| file_name | threatintel.indicator.file.name
-| file_type_mime | threatintel.indicator.file.mime_type
-| file_type | threatintel.indicator.file.type
-| reporter | threatintel.indicator.provider
-| origin_country | threatintel.indicator.geo.country_iso_code
-| signature | threatintel.indicator.signature
-| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name
-| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name
-| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm
-| code_sign.valid_from | threatintel.indicator.file.x509.not_before
-| code_sign.valid_to | threatintel.indicator.file.x509.not_after
-| code_sign.serial_number | threatintel.indicator.file.x509.serial_number
+| md5_hash | threat.indicator.file.hash.md5
+| sha256_hash | threat.indicator.file.hash.sha256
+| sha384_hash | threat.indicator.file.hash.sha384
+| tlsh | threat.indicator.file.hash.tlsh
+| ssdeep | threat.indicator.file.hash.ssdeep
+| imphash | threat.indicator.file.pe.imphash
+| file_size | threat.indicator.file.size
+| file_name | threat.indicator.file.name
+| file_type_mime | threat.indicator.file.mime_type
+| file_type | threat.indicator.file.type
+| reporter | threat.indicator.provider
+| origin_country | threat.indicator.geo.country_iso_code
+| signature | threat.indicator.signature
+| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name
+| code_sign.issuer_cn | 
threat.indicator.file.x509.issuer.common_name
+| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm
+| code_sign.valid_from | threat.indicator.file.x509.not_before
+| code_sign.valid_to | threat.indicator.file.x509.not_after
+| code_sign.serial_number | threat.indicator.file.x509.serial_number
 |================================================================
 [[misp]]
@@ -250,10 +251,10 @@ MISP Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | Malware Threat IntelFields | ECS Fields
-| misp.first_seen | threatintel.indicator.first_seen
-| misp.last_seen | threatintel.indicator.last_seen
+| misp.first_seen | threat.indicator.first_seen
+| misp.last_seen | threat.indicator.last_seen
 | misp.tag | tag
-| misp.value | threatintel.indicator.*
+| misp.value | threat.indicator.*
 |==============================================================
 `misp.value` is mapped to the appropriate field dependent on attribute type.
@@ -331,9 +332,9 @@ OTX Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |============================================================
 | Malware Threat Intel Fields | ECS Fields
-| otx.type | threatintel.indicator.type
-| otx.description | threatintel.indicator.description
-| otx.indicator | threatintel.indicator.*
+| otx.type | threat.indicator.type
+| otx.description | threat.indicator.description
+| otx.indicator | threat.indicator.*
 |============================================================
 `otx.indicator` is mapped to the appropriate field dependent on attribute type.
@@ -415,10 +416,10 @@ Anomali Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |=============================================================
 | Malware Threat Intel Fields | ECS Fields
-| anomali.description | threatintel.indicator.description
-| anomali.created | threatintel.indicator.first_seen
-| anomali.modified | threatintel.indicator.last_seen
-| anomali.pattern | threatintel.indicator.*
+| anomali.description | threat.indicator.description
+| anomali.created | threat.indicator.first_seen
+| anomali.modified | threat.indicator.last_seen
+| anomali.pattern | threat.indicator.*
 | anomali.labels | tags
 |=============================================================
@@ -486,24 +487,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 [options="header"]
 |=============================================================
 | ThreatStream fields | ECS Fields
-| asn | threatintel.indicator.as.number
-| classification<> | threatintel.indicator.marking.tlp
-| confidence<> | threatintel.indicator.confidence
-| country | threatintel.indicator.geo.country_iso_code
-| date_first | threatintel.indicator.first_seen
-| date_last | threatintel.indicator.last_seen
+| asn | threat.indicator.as.number
+| classification<> | threat.indicator.marking.tlp
+| confidence<> | threat.indicator.confidence
+| country | threat.indicator.geo.country_iso_code
+| date_first | threat.indicator.first_seen
+| date_last | threat.indicator.last_seen
 | detail | tags
-| domain | threatintel.indicator.url.domain
-| email | threatintel.indicator.email.address
-| itype<> | threatintel.indicator.type
-| lat | threatintel.indicator.geo.location.lat
-| lon | threatintel.indicator.geo.location.lon
-| md5 | threatintel.indicator.file.hash
-| org | threatintel.indicator.as.organization.name
+| domain | threat.indicator.url.domain
+| email | threat.indicator.email.address
+| itype<> | threat.indicator.type
+| lat | threat.indicator.geo.location.lat
+| lon | threat.indicator.geo.location.lon
+| md5 | threat.indicator.file.hash
+| org | threat.indicator.as.organization.name
 | severity<> | event.severity
-| source | threatintel.indicator.provider
-| srcip | threatintel.indicator.ip
-| url | threatintel.indicator.url.original
+| source | threat.indicator.provider
+| srcip | threat.indicator.ip
+| url | threat.indicator.url.original
 |=============================================================
 [[a]]
@@ -585,16 +586,16 @@ Recorded Future fields are mapped to the following ECS fields:
 [options="header"]
 |=============================================================
 | Recorded Future fields | ECS Fields
-| entity.name | threatintel.indicator.{url,ip,domain,file.hash}
-| entity.type | threatintel.indicator.type
-| fileHashes | threatintel.indicator.file.hash
+| entity.name | threat.indicator.{url,ip,domain,file.hash}
+| entity.type | threat.indicator.type
+| fileHashes | threat.indicator.file.hash
 | intelCard | event.reference
-| location.asn | threatintel.indicator.as.number
-| location.location | threatintel.indicator.geo
-| location.organization | threatintel.indicator.as.organization.name
+| location.asn | threat.indicator.as.number
+| location.location | threat.indicator.geo
+| location.organization | threat.indicator.as.organization.name
 | risk.score | event.risk_score
-| timestamps.firstSeen | threatintel.indicator.first_seen
-| timestamps.lastSeen | threatintel.indicator.last_seen
+| timestamps.firstSeen | threat.indicator.first_seen
+| timestamps.lastSeen | threat.indicator.last_seen
 |=============================================================
 :has-dashboards!:
@@ -702,11 +703,11 @@ Recorded Future fields are mapped to the following ECS fields:
 [options="header"]
 |=============================================================
 | ThreatQ fields | ECS Fields
-| type.name | threatintel.indicator.type
-| description | threatintel.indicator.description
-| score | threatintel.indicator.confidence
-| value | threatintel.indicator.{url,ip,domain,file.hash}
-| sources | threatintel.indicator.provider
+| type.name | threat.indicator.type
+| description | threat.indicator.description
+| score | threat.indicator.confidence
+| value | threat.indicator.{url,ip,domain,file.hash}
+| sources | threat.indicator.provider
 |=============================================================
 :has-dashboards!:
diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml
index ee199daa6aa..5fb56abc40a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml
@@ -4,388 +4,21 @@ description: > Threat intelligence Filebeat Module. fields: - - name: threatintel + - name: "" type: group - description: > - Fields from the threatintel Filebeat module. fields: - - name: indicator.first_seen - type: date - description: > - The date and time when intelligence source first reported sighting this indicator. - - name: indicator.last_seen - type: date - description: > - The date and time when intelligence source last reported sighting this indicator. - - name: indicator.sightings - type: long - description: > - Number of times this indicator was observed conducting threat activity. - - name: indicator.type + - name: threat.indicator.file.hash.tlsh type: keyword description: > - Type of indicator as represented by Cyber Observable in STIX 2.0. - Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - name: indicator.description - type: keyword - description: > - Describes the type of action conducted by the threat. - - name: indicator.scanner_stats - type: long - description: > - Count of AV/EDR vendors that successfully detected malicious file or URL. - - name: indicator.provider + The file's import tlsh, if available. + + - name: threat.indicator.file.hash.sha384 type: keyword description: > - Identifies the name of the intelligence provider. - - name: indicator.confidence + The file's sha384 hash, if available. + + - name: threat.feed.name type: keyword - description: > - Identifies the confidence rating assigned by the provider using STIX confidence scales. 
- Expected values - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - name: indicator.module - type: keyword - description: > - Identifies the name of specific module this data is coming from. - - name: indicator.dataset - type: keyword - description: > - Identifies the name of specific dataset from the intelligence source. - - name: indicator.reference + + - name: threat.feed.dashboard_id type: keyword - description: > - Reference URL linking to additional information about this indicator. - - name: indicator.ip - type: ip - description: > - Identifies a threat indicator as an IP address (irrespective of direction). - - name: indicator.port - type: long - description: > - Identifies a threat indicator as a port number (irrespective of direction). - - name: indicator.email.address - type: keyword - description: > - Identifies a threat indicator as an email address (irrespective of direction). - - name: indicator.marking.tlp - type: keyword - description: > - Traffic Light Protocol sharing markings. - Expected values are: - * White - * Green - * Amber - * Red - - name: indicator.matched - type: group - fields: - - name: atomic - type: keyword - description: > - Identifies the atomic indicator that matched a local environment endpoint or network event. - - name: field - type: keyword - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - name: type - type: keyword - description: > - Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - name: indicator.as - type: group - fields: - - name: number - type: long - description: - Unique number allocated to the autonomous system. The autonomous system number (ASN) - uniquely identifies each network on the Internet. 
- example: 15169 - - name: organization.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC - - name: indicator.registry - type: group - fields: - - name: data.strings - type: keyword - ignore_above: 1024 - description: > - Content when writing string types. - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`). - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - - name: path - type: keyword - ignore_above: 1024 - description: Full path, including hive, key and value - example: - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - - name: value - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger - - name: key - type: keyword - ignore_above: 1024 - description: Registry key value - - name: indicator.geo - type: group - fields: - - name: city_name - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: continent_name - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: region_iso_code - type: keyword - ignore_above: 1024 - description: Region ISO code. 
- example: CA-QC - - name: region_name - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: indicator.file.pe.imphash - type: keyword - ignore_above: 1024 - description: - "A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html." - example: 0c6803c4e922103c4dca5963aad36ddf - - name: indicator.file - type: group - fields: - - name: hash - type: group - fields: - - name: tlsh - type: keyword - description: > - The file's import tlsh, if available. - - name: ssdeep - type: keyword - description: > - The file's ssdeep hash, if available. - - name: md5 - type: keyword - description: > - The file's md5 hash, if available. - - name: sha1 - type: keyword - description: > - The file's sha1 hash, if available. - - name: sha256 - type: keyword - description: > - The file's sha256 hash, if available. - - name: sha384 - type: keyword - description: > - The file's sha384 hash, if available. - - name: sha512 - type: keyword - description: > - The file's sha512 hash, if available. - - name: type - type: keyword - ignore_above: 1024 - description: > - The file type. - - name: size - type: long - description: > - The file's total size. - - name: name - type: keyword - description: > - The file's name. - - name: extension - type: keyword - description: > - The file's extension. - - name: mime_type - type: keyword - description: > - The file's MIME type. - - name: indicator.url - type: group - fields: - - name: domain - type: keyword - description: > - Domain of the url, such as "www.elastic.co". 
- - name: extension - type: keyword - ignore_above: 1024 - description: > - The field contains the file extension from the original request - - name: fragment - type: keyword - ignore_above: 1024 - description: > - Portion of the url after the `#`, such as "top". - - name: full - type: keyword - description: > - If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - - name: original - type: keyword - description: > - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - - name: password - type: keyword - ignore_above: 1024 - description: > - Password of the request. - - name: path - type: keyword - description: > - Path of the request, such as "/search". - - name: port - type: long - format: string - description: > - Port of the request, such as 443. - - name: query - type: keyword - ignore_above: 1024 - description: > - The query field describes the query string of the request, such - as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases. - - name: registered_domain - type: keyword - description: > - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk". 
- - name: scheme - type: keyword - ignore_above: 1024 - description: > - Scheme of the request, such as "https". - - name: subdomain - type: keyword - ignore_above: 1024 - description: > - The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period. - - name: top_level_domain - type: keyword - ignore_above: 1024 - description: > - The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk". - - name: username - type: keyword - ignore_above: 1024 - description: > - Username of the request. - - name: indicator.x509 - type: group - fields: - - name: serial_number - type: keyword - ignore_above: 1024 - description: - Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - - name: issuer - type: keyword - ignore_above: 1024 - description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. 
- example: - C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - name: subject - type: keyword - ignore_above: 1024 - description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - name: alternative_names - type: keyword - ignore_above: 1024 - description: - List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: "*.elastic.co" - name: indicator.signature - type: keyword - description: > - Malware family of sample (if available).
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json
index 993d2edccce..91a5cc79018 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number",
@@ -96,4 +96,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODAsMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json
index 14722019106..c6ef974933e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json
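Review bot: The description kept for the new `threat.indicator.file.hash.tlsh` entry near the top of the hunk, `The file's import tlsh, if available.`, is inaccurate: TLSH is a locality-sensitive similarity hash computed over the file contents, not a hash of its imports (that is what the `pe.imphash` definition removed in this same hunk describes), so it should read `The file's TLSH similarity hash, if available.`. The `threat.feed.name` and `threat.feed.dashboard_id` keyword fields added at the end of the hunk carry no `description:` at all, whereas every definition this hunk removes had one; presumably this file feeds the module's generated field reference, so add for example `Display name of the threat intelligence feed.` and `Saved-object ID of the Kibana dashboard associated with this feed.` (confirm the latter matches what the filesets actually set). The enclosing group is declared as `- name: ""`, which presumably exists so that the nested `threat.*` names are emitted without a module prefix; a one-line YAML comment above it saying so would stop the empty name being read as a mistake, e.g. `# Empty group name: nested fields are emitted at the top level (threat.*), not under a module prefix.`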
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.provider" + "sourceField": "threat.indicator.provider" }, "11576d1f-5400-4a71-bf04-681099e755d5": { "dataType": "number",
@@ -95,4 +95,4 @@ "type": "lens", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyOSwxXQ==" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json
index 5be6f447603..0c677668719 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number",
@@ -96,4 +96,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjIsMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json
index b427db18d51..38b8c85420e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number",
@@ -47,7 +47,7 @@ "filters": [], "query": { "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv6-addr" + "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv6-addr" }, "visualization": { "columns": [
@@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzAsMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json
index a053c190ada..b4182474c23 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json
@@ -14,7 +14,7 @@ "959db113-1ce6-46fc-97c3-dbf5fd5abb9a": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.abusemalware.signature", + "label": "Top values of abusech.malware.signature", "operationType": "terms", "params": { "missingBucket": false,
@@ -27,7 +27,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.abusemalware.signature" + "sourceField": "abusech.malware.signature" }, "de396547-655b-4db2-8a21-e9850acff0b0": { "dataType": "number",
@@ -91,13 +91,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.signature" + "field": "abusech.malware.signature" }, "meta": { "alias": null, "disabled": false, "indexRefName": "filter-index-pattern-2", - "key": "threatintel.abusemalware.signature", + "key": "abusech.malware.signature", "negate": false, "type": "exists", "value": "exists"
@@ -168,4 +168,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDMsMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json
index 05d17760abc..c771588f924 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.resource_uri" + "sourceField": "anomali.threatstream.resource_uri" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number",
@@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTksMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json
index d8abec34b65..e2269eea6d9 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha256" + "sourceField": "threat.indicator.file.hash.sha256" } }, "incompleteColumns": {}
@@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzMsMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json
index e48267b1fd8..86507728c60 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.classification" + "sourceField": "anomali.threatstream.classification" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number",
@@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODUsMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json
index 4f33f959e3a..bdfbd6b5096 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.itype" + "sourceField": "anomali.threatstream.itype" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number",
@@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODEsMV0=" -} \ No newline at end of file +}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json
index 88c19ed280d..da5e6785b5a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.domain" + "sourceField": "threat.indicator.url.domain" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number",
@@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json index 03bafd193b3..a6fde56bd64 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.domain" + "sourceField": "threat.indicator.url.domain" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json index 88642bb872e..27fee210ffd 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json index 2abc0bb7316..781a6a42a39 100644 
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.original" + "sourceField": "threat.indicator.url.original" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json index dbdc1f05605..741a17e6b10 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomali.name" + "sourceField": "anomali.limo.name" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json index b321f95bae8..e1b1dfc2fc8 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json 
@@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha256" + "sourceField": "threat.indicator.file.hash.sha256" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json index 86e2c969773..16f93c3473b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.original" + "sourceField": "threat.indicator.url.original" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json index be51533efa4..b8cc9578146 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.path" + "sourceField": "threat.indicator.url.path" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzYsMV0=" -} \ No newline at end of file +} 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json index 42d14abd0ec..09935680d66 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json @@ -22,7 +22,7 @@ "a6319ec8-2ec8-4d3a-bc54-efe0a306786f": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.indicator.type", + "label": "Top values of threat.indicator.type", "operationType": "terms", "params": { "missingBucket": false, @@ -35,7 +35,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" } }, "incompleteColumns": {} @@ -70,13 +70,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "filter-index-pattern-1", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -147,4 +147,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json index b4784339ef2..ec09008e580 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json 
@@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.recordedfuture.risk.riskSummary" + "sourceField": "recordedfuture.risk.riskSummary" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json index b9d9b336d1e..7bfea0d313e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.md5" + "sourceField": "threat.indicator.file.hash.md5" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json index cb82ae74ba5..b6a60ae06c2 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomali.description" + "sourceField": "anomali.limo.description" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTcsMV0=" -} \ No newline at end of file +} 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json index ce6d74b3763..7a4ccbec7ff 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.scheme" + "sourceField": "threat.indicator.url.scheme" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json index 2e80121c2e4..062ccc359f7 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha1" + "sourceField": "threat.indicator.file.hash.sha1" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json index 02719d9dcb0..17f6d2ccc21 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json 
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.domain" + "sourceField": "threat.indicator.url.domain" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json index c7587803107..2ee5c4b1a2a 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.recordedfuture.risk.criticalityLabel" + "sourceField": "recordedfuture.risk.criticalityLabel" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json index ed51bcc85fb..5f95d44b92d 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 3 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.severity" + "sourceField": "anomali.threatstream.severity" } }, "incompleteColumns": {} 
@@ -98,4 +98,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json index 0850075db5b..c1110d8d611 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.confidence" + "sourceField": "threat.indicator.confidence" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1NzgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json index 5915a46aca5..6163c46e0b0 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -47,7 +47,7 @@ "filters": [], "query": { "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv4-addr" + "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv4-addr" }, "visualization": { "columns": [ 
@@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json index 63c9a1eebde..9eecce1a1c3 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.provider" + "sourceField": "threat.indicator.provider" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json index 0d2bc89d441..ddb2717dd0e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json @@ -15,7 +15,7 @@ "73cdbb81-57ca-4474-a86c-bca60a527d29": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.indicator.type", + "label": "Top values of threat.indicator.type", "operationType": "terms", "params": { "missingBucket": false, @@ -28,7 +28,7 @@ "size": 15 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "89f18519-9360-4d37-ae52-134604ac6cfc": { "customLabel": true, @@ -118,4 +118,4 @@ "type": "lens", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyOCwxXQ==" -} \ No newline at end of file +} 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json index f630743094f..e718c098360 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.state" + "sourceField": "anomali.threatstream.state" } }, "incompleteColumns": {} @@ -112,4 +112,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json index b9b2341c0b1..4a25b4df0ef 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.md5" + "sourceField": "threat.indicator.file.hash.md5" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json index 1985a727380..03d75c58b2f 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json 
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.id" + "sourceField": "anomali.threatstream.id" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json index 45745f96eb0..f4c84cc7426 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha1" + "sourceField": "threat.indicator.file.hash.sha1" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json index a3740f838db..7e2446f1e8d 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.email.address" + "sourceField": "threat.indicator.email.address" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", 
@@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json index c5c7c021b28..9b281bf4769 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.marking.tlp" + "sourceField": "threat.indicator.marking.tlp" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -112,4 +112,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json index 63e7825a56b..b37986b02eb 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json @@ -35,7 +35,7 @@ "type": "count" } ], - "term": "threatintel.indicator.geo.country_iso_code", + "term": "threat.indicator.geo.country_iso_code", "type": "ES_TERM_SOURCE" } } @@ -205,4 +205,4 @@ "type": "map", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json index 8100b60e6b3..e5e94752566 100644 
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json @@ -29,16 +29,16 @@ "applyGlobalQuery": true, "applyGlobalTime": true, "filterByMapBounds": true, - "geoField": "threatintel.indicator.geo.location", + "geoField": "threat.indicator.geo.location", "id": "a3ecc6af-0299-4cb9-a29c-0b70f666b011", "indexPatternRefName": "layer_1_source_index_pattern", "scalingType": "LIMIT", "sortField": "", "sortOrder": "desc", "tooltipProperties": [ - "threatintel.indicator.as.number", - "threatintel.indicator.as.organization.name", - "threatintel.indicator.geo.country_iso_code" + "threat.indicator.as.number", + "threat.indicator.as.organization.name", + "threat.indicator.geo.country_iso_code" ], "topHitsSize": 1, "topHitsSplitField": "", @@ -195,4 +195,4 @@ "type": "map", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json index 93d283d07e0..3bc7559fbf6 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.otx.title" + "field": "otx.title" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.otx.title", + "key": "otx.title", "negate": false, "type": "exists", "value": "exists" 
@@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX Indicator Title", - "field": "threatintel.otx.title", + "field": "otx.title", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NzQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json index 822c006ccc2..ff5c6b0b875 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha1" + "field": "threat.indicator.file.hash.sha1" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha1", + "key": "threat.indicator.file.hash.sha1", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP SHA1 Hash Indicator", - "field": "threatintel.indicator.file.hash.sha1", + "field": "threat.indicator.file.hash.sha1", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2NDEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json index 1197b8b4a7e..44b6e23d553 100644 
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.md5" + "field": "threat.indicator.file.hash.md5" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.md5", + "key": "threat.indicator.file.hash.md5", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX MD5 Hash Indicator", - "field": "threatintel.indicator.file.hash.md5", + "field": "threat.indicator.file.hash.md5", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NzMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json index bf55ff3b237..624dde62b61 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha1" + "field": "threat.indicator.file.hash.sha1" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha1", + "key": "threat.indicator.file.hash.sha1", "negate": false, "type": "exists", "value": "exists" 
@@ -78,7 +78,7 @@ "id": "2", "params": { "customLabel": "SHA1 Hash", - "field": "threatintel.indicator.file.hash.sha1", + "field": "threat.indicator.file.hash.sha1", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json index f9fc2390a2b..f43232fe645 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha256" + "field": "threat.indicator.file.hash.sha256" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha256", + "key": "threat.indicator.file.hash.sha256", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -84,7 +84,7 @@ "id": "2", "params": { "customLabel": "SHA256 Hash", - "field": "threatintel.indicator.file.hash.sha256", + "field": "threat.indicator.file.hash.sha256", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
index b2e430cff4c..e972911d995 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
@@ -26,13 +26,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "enabled": true,
 "id": "3",
 "params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -143,4 +143,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NDksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
index 71144247760..550140b912f 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "Threat Indicator Domain",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
index e2f3d6fda09..e77a6cee76b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP SHA256 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2NDIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
index 328a64f0785..57ca90543d3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.pe.imphash"
+ "field": "threat.indicator.file.pe.imphash"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.pe.imphash",
+ "key": "threat.indicator.file.pe.imphash",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "Imphash Hash",
- "field": "threatintel.indicator.file.pe.imphash",
+ "field": "threat.indicator.file.pe.imphash",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
index b3e12fb4193..4bec354e536 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.md5"
+ "field": "threat.indicator.file.hash.md5"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.md5",
+ "key": "threat.indicator.file.hash.md5",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "MD5 Hash",
- "field": "threatintel.indicator.file.hash.md5",
+ "field": "threat.indicator.file.hash.md5",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
index 0e395ef2431..9bb6455feea 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.ip"
+ "field": "threat.indicator.ip"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.ip",
+ "key": "threat.indicator.ip",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX IP Indicator",
- "field": "threatintel.indicator.ip",
+ "field": "threat.indicator.ip",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
index f931164c888..50f2a9cebc5 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@
 "id": "2",
 "params": {
 "customLabel": "Confidence",
- "field": "threatintel.indicator.confidence",
+ "field": "threat.indicator.confidence",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -148,4 +148,4 @@
 "type": "visualization",
 "updated_at": "2021-10-11T08:02:55.512Z",
 "version": "WzUzMCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
index 3edcd79c797..bc86816afc3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.original"
+ "field": "threat.indicator.url.original"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.original",
+ "key": "threat.indicator.url.original",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX URL Indicator",
- "field": "threatintel.indicator.url.original",
+ "field": "threat.indicator.url.original",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
index f8d2e419a2b..a3e2646eea2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
@@ -27,7 +27,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -82,4 +82,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
index d1e07d3fbbb..37aa10e1c04 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.ssdeep"
+ "field": "threat.indicator.file.hash.ssdeep"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.ssdeep",
+ "key": "threat.indicator.file.hash.ssdeep",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "ssdeep Hash",
- "field": "threatintel.indicator.file.hash.ssdeep",
+ "field": "threat.indicator.file.hash.ssdeep",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
index 79f94d2a046..65880a6f4bb 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX IP Indicator",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
index f44f7a32fa3..324c632ab27 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
 "negate": false,
 "type": "exists",
 "value": "exists"
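Review bot: In the `@@ -67,7 +67,7 @@` hunk of 49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json the terms bucket now aggregates on `threat.indicator.url.domain`, but its `customLabel` still reads "AlienVault OTX IP Indicator" — the same label the IP visualization (302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json, hunk `@@ -67,7 +67,7 @@`) uses for `threat.indicator.ip`, which looks like a copy-paste leftover. The label is a context line, so the mismatch predates this commit, but since the field line is being rewritten here it is the natural place to correct it: `"customLabel": "AlienVault OTX Domain Indicator",`. The enclosing aggregation object starts and ends outside the hunk.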
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX SHA256 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
index 927f457e351..014612f2d3c 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.provider"
+ "field": "threat.indicator.provider"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.provider",
+ "key": "threat.indicator.provider",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -72,7 +72,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -137,4 +137,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2NDMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
index db8a7fcef7e..ad4c74b0110 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "SHA256 Hash",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
index f559210728b..b5fe450d273 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@
 "id": "2",
 "params": {
 "customLabel": "Most Linked Adversaries",
- "field": "threatintel.threatq.adversaries",
+ "field": "threatq.adversaries",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -74,4 +74,4 @@
 "type": "visualization",
 "updated_at": "2021-10-11T08:02:55.512Z",
 "version": "WzUyNiwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
index fde00ab644d..3626ee406b7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
@@ -31,7 +31,7 @@
 "id": "2",
 "params": {
 "customLabel": "Indicator Type",
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -48,7 +48,7 @@
 "id": "3",
 "params": {
 "customLabel": "Indicator Value",
- "field": "threatintel.threatq.indicator_value",
+ "field": "threatq.indicator_value",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -94,4 +94,4 @@
 "type": "visualization",
 "updated_at": "2021-10-11T08:07:14.354Z",
 "version": "WzYxNCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
index 4e9740c9a10..75b7601754b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.path"
+ "field": "threat.indicator.url.path"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.path",
+ "key": "threat.indicator.url.path",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX URI Indicator",
- "field": "threatintel.indicator.url.path",
+ "field": "threat.indicator.url.path",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
index c0879c8aff7..039e88b7677 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.full"
+ "field": "threat.indicator.url.full"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.full",
+ "key": "threat.indicator.url.full",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "Threat Indicator URL",
- "field": "threatintel.indicator.url.full",
+ "field": "threat.indicator.url.full",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
index 479d7e408e3..4de8710a0e2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.ssdeep"
+ "field": "threat.indicator.file.hash.ssdeep"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.ssdeep",
+ "key": "threat.indicator.file.hash.ssdeep",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "ssdeep Hash",
- "field": "threatintel.indicator.file.hash.ssdeep",
+ "field": "threat.indicator.file.hash.ssdeep",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
index 6767b7e0d19..e2833363e12 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP Domain Indicator",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
index bc70c5824da..773a823e514 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.tlsh"
+ "field": "threat.indicator.file.hash.tlsh"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.tlsh",
+ "key": "threat.indicator.file.hash.tlsh",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "TLSH Hash",
- "field": "threatintel.indicator.file.hash.tlsh",
+ "field": "threat.indicator.file.hash.tlsh",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
index 50bed6e06e4..0551a2e4428 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.tlsh"
+ "field": "threat.indicator.file.hash.tlsh"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.tlsh",
+ "key": "threat.indicator.file.hash.tlsh",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "TLSH Hash",
- "field": "threatintel.indicator.file.hash.tlsh",
+ "field": "threat.indicator.file.hash.tlsh",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
index 6ca2835a167..ffb99fa0838 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -66,7 +66,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -131,4 +131,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
index 08ea90539c1..75f21ca1a42 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.first_seen"
+ "field": "threat.indicator.first_seen"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.first_seen",
+ "key": "threat.indicator.first_seen",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -76,7 +76,7 @@
 "id": "2",
 "params": {
 "customLabel": "Indicator First Seen",
- "field": "threatintel.indicator.first_seen",
+ "field": "threat.indicator.first_seen",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -132,4 +132,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
index 3001eca6082..0b947ec09cd 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.threat"
+ "field": "abusech.url.threat"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.threat",
+ "key": "abusech.url.threat",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -73,7 +73,7 @@
 "id": "2",
 "params": {
 "customLabel": "Abuse URL Threat",
- "field": "threatintel.abuseurl.threat",
+ "field": "abusech.url.threat",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -204,4 +204,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
index 8fd2ef65b07..13aee45f317 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.extension"
+ "field": "threat.indicator.file.extension"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.extension",
+ "key": "threat.indicator.file.extension",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -66,7 +66,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.file.extension",
+ "field": "threat.indicator.file.extension",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -131,4 +131,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MTcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
index cfa8fad3789..652e363bbf0 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
@@ -34,7 +34,7 @@
 "id": "2",
 "params": {
 "customLabel": "Threat Indicator Provider",
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -156,4 +156,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
index 3e1c8861ced..9146d87144a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX URL Domain Indicator",
- "field": "threatintel.indicator.url.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
index f9a63566f09..c6ec332aa22 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
@@ -33,7 +33,7 @@
 "type": "list"
 },
 {
- "fieldName": "threatintel.indicator.provider",
+ "fieldName": "threat.indicator.provider",
 "id": "1614117093181",
 "indexPatternRefName": "control_1_index_pattern",
 "label": "Indicator Provider",
@@ -48,7 +48,7 @@
 "type": "list"
 },
 {
- "fieldName": "threatintel.indicator.type",
+ "fieldName": "threat.indicator.type",
 "id": "1614117117360",
 "indexPatternRefName": "control_2_index_pattern",
 "label": "Indicator Type",
@@ -101,4 +101,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NDcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
index a9c17ee0611..b2f747547b3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
@@ -35,7 +35,7 @@
 "id": "2",
 "params": {
 "customLabel": "",
- "field": "threatintel.indicator.url.scheme",
+ "field": "threat.indicator.url.scheme",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -156,4 +156,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
index 0c5102dfd14..03edc5edc0b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.tags"
+ "field": "abusech.url.tags"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.tags",
+ "key": "abusech.url.tags",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "Abuse URL Tags",
- "field": "threatintel.abuseurl.tags",
+ "field": "abusech.url.tags",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
index d81abd72e48..d34f5079186 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.ip"
+ "field": "threat.indicator.ip"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.ip",
+ "key": "threat.indicator.ip",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP IP Indicator",
- "field": "threatintel.indicator.ip",
+ "field": "threat.indicator.ip",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
index 419dcc323d1..ba4ce6e4ea7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.blacklists.spamhaus_dbl"
+ "field": "abusech.url.blacklists.spamhaus_dbl"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.blacklists.spamhaus_dbl",
+ "key": "abusech.url.blacklists.spamhaus_dbl",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.blacklists.surbl"
+ "field": "abusech.url.blacklists.surbl"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.abuseurl.blacklists.surbl",
+ "key": "abusech.url.blacklists.surbl",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "Spamhaus DBL Blacklist Status",
- "field": "threatintel.abuseurl.blacklists.spamhaus_dbl",
+ "field": "abusech.url.blacklists.spamhaus_dbl",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "SURBL Blacklist Status",
- "field": "threatintel.abuseurl.blacklists.surbl",
+ "field": "abusech.url.blacklists.surbl",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NjAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json
index 007929c6d0a..81340059012 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.scheme"
+ "field": "threat.indicator.url.scheme"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.scheme",
+ "key": "threat.indicator.url.scheme",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -74,7 +74,7 @@
 "id": "2",
 "params": {
 "customLabel": "URL Scheme",
- "field": "threatintel.indicator.url.scheme",
+ "field": "threat.indicator.url.scheme",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -90,7 +90,7 @@
 "enabled": true,
 "id": "3",
 "params": {
- "field": "threatintel.indicator.url.scheme",
+ "field": "threat.indicator.url.scheme",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -220,4 +220,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json
index 59f66be7644..25929d8fef8 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json
@@ -27,7 +27,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -82,4 +82,4 @@
 "type": "visualization",
 "updated_at": "2021-10-11T08:02:55.512Z",
 "version": "WzUyNSwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json
index a0719389fc8..0b6cc17dce5 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json
@@ -35,7 +35,7 @@
 "id": "2",
 "params": {
 "customLabel": "Indicator Marking TLP",
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -51,7 +51,7 @@
 "enabled": true,
 "id": "3",
 "params": {
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -171,4 +171,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json
index 0d3c70a156f..09bbd1da8a4 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json
@@ -9,13 +9,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.marking.tlp"
+ "field": "threat.indicator.marking.tlp"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "threatintel.indicator.marking.tlp",
+ "key": "threat.indicator.marking.tlp",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -55,7 +55,7 @@
 "id": "2",
 "params": {
 "customLabel": "Indicator Marking TLP",
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -71,7 +71,7 @@
 "enabled": true,
 "id": "3",
 "params": {
- "field": "threatintel.indicator.marking.tlp",
+ "field": "threat.indicator.marking.tlp",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -196,4 +196,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NTcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json
index dd4771dced6..6b53ad4b086 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.pe.imphash"
+ "field": "threat.indicator.file.pe.imphash"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.pe.imphash",
+ "key": "threat.indicator.file.pe.imphash",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "Imphash Hash",
- "field": "threatintel.indicator.file.pe.imphash",
+ "field": "threat.indicator.file.pe.imphash",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json
index f1fc5472b6b..395627036b1 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.malwarebazaar.intelligence.downloads"
+ "field": "abusech.malwarebazaar.intelligence.downloads"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.malwarebazaar.intelligence.downloads",
+ "key": "abusech.malwarebazaar.intelligence.downloads",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -76,7 +76,7 @@
 "id": "2",
 "params": {
 "customLabel": "Malware Bazaar Downloads",
- "field": "threatintel.malwarebazaar.intelligence.downloads",
+ "field": "abusech.malwarebazaar.intelligence.downloads",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -132,4 +132,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json
index f65bf82d5b3..f71bb235922 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.misp.published"
+ "field": "misp.published"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.misp.published",
+ "key": "misp.published",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -72,7 +72,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.misp.published",
+ "field": "misp.published",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -137,4 +137,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json
index 4ee6602cf67..e992bfb8585 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.full"
+ "field": "threat.indicator.url.full"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.full",
+ "key": "threat.indicator.url.full",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP URL Indicator",
- "field": "threatintel.indicator.url.full",
+ "field": "threat.indicator.url.full",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json
index 225ca993710..ad6317b4101 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.provider"
+ "field": "threat.indicator.provider"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.provider",
+ "key": "threat.indicator.provider",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -73,7 +73,7 @@
 "id": "2",
 "params": {
 "customLabel": "Indicator Provider",
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -204,4 +204,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json
index 18539863d1a..6619c3564fe 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json
@@ -9,13 +9,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "enabled": true,
 "id": "3",
 "params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -192,4 +192,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json
index 107bf321eac..340bcc359c8 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.mime_type"
+ "field": "threat.indicator.file.mime_type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.mime_type",
+ "key": "threat.indicator.file.mime_type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "3",
 "params": {
 "customLabel": "File MIME Type",
- "field": "threatintel.indicator.file.mime_type",
+ "field": "threat.indicator.file.mime_type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json
index 26f577c2864..7450b383291 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.full"
+ "field": "threat.indicator.url.full"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.full",
+ "key": "threat.indicator.url.full",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json
index bd6250bdc9b..a3f14f00b0e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.malwarebazaar.intelligence.uploads"
+ "field": "abusech.malwarebazaar.intelligence.uploads"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.malwarebazaar.intelligence.uploads",
+ "key": "abusech.malwarebazaar.intelligence.uploads",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -76,7 +76,7 @@
 "id": "2",
 "params": {
 "customLabel": "Malware Bazaar Uploads",
- "field": "threatintel.malwarebazaar.intelligence.uploads",
+ "field": "abusech.malwarebazaar.intelligence.uploads",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -132,4 +132,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json
index 3674297d158..fa58d2934c7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.url_status"
+ "field": "abusech.url.url_status"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.url_status",
+ "key": "abusech.url.url_status",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "URL Status",
- "field": "threatintel.abuseurl.url_status",
+ "field": "abusech.url.url_status",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json
index e05220ceeab..8745f6c3ca3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.larted"
+ "field": "abusech.url.larted"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.larted",
+ "key": "abusech.url.larted",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -73,7 +73,7 @@
 "id": "2",
 "params": {
 "customLabel": "Hosting Provider Notified",
- "field": "threatintel.abuseurl.larted",
+ "field": "abusech.url.larted",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -138,4 +138,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json
index 4a7c4dfa740..517fa9c84ce 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.md5"
+ "field": "threat.indicator.file.hash.md5"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.md5",
+ "key": "threat.indicator.file.hash.md5",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP MD5 Hash Indicator",
- "field": "threatintel.indicator.file.hash.md5",
+ "field": "threat.indicator.file.hash.md5",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2NDAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json index ea0aef5cb86..16d083d8762 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.threat" + "field": "abusech.url.threat" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.threat", + "key": "abusech.url.threat", "negate": false, "type": "exists", "value": "exists" @@ -72,7 +72,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.provider", + "field": "threat.indicator.provider", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -203,4 +203,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json index 3d473b4e17d..41b0ecfa65b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json 
@@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -66,7 +66,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -131,4 +131,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NjYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json index 958c15dba69..664816cccba 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.malwarebazaar.tags" + "field": "abusech.malwarebazaar.tags" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.malwarebazaar.tags", + "key": "abusech.malwarebazaar.tags", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "Malware Bazaar Tags", - "field": "threatintel.malwarebazaar.tags", + "field": "abusech.malwarebazaar.tags", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json index 21660b248e4..516a572fb88 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.virustotal.link" + "field": "abusech.malware.virustotal.link" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abusemalware.virustotal.link", + "key": "abusech.malware.virustotal.link", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.virustotal.result" + "field": "abusech.malware.virustotal.result" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.abusemalware.virustotal.result", + "key": "abusech.malware.virustotal.result", "negate": false, "type": "exists", "value": "exists" @@ -95,7 +95,7 @@ "id": "2", "params": { "customLabel": "VirusTotal URL", - "field": "threatintel.abusemalware.virustotal.link", + "field": "abusech.malware.virustotal.link", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -112,7 +112,7 @@ "id": "3", "params": { "customLabel": "VirusTotal Result", - "field": "threatintel.abusemalware.virustotal.result", + "field": "abusech.malware.virustotal.result", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -173,4 +173,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MTAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml index 55f8657bc6e..73aae20e07f 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: abusemalware +- name: abusech.malware type: group description: > Fields for AbuseCH Malware Threat Intel @@ -31,4 +31,4 @@ - name: virustotal.link type: keyword description: > - Link to the Virustotal report. \ No newline at end of file + Link to the Virustotal report. diff --git a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml index e7f4f8cc264..b4365bd3e5b 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml @@ -11,10 +11,9 @@ request.ssl: {{ .ssl | tojson }} request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} -request.transforms: -- set: - target: header.Content-Type - value: application/json +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} response.split: target: body.payloads 
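Review bot: The `request.transforms` block that set `Content-Type: application/json` is removed in the first config.yml hunk, and nothing on the page shows whether the abuse.ch endpoint behind `request.url` tolerates a request without that header; worth confirming against the live feed before merging, because a rejected request surfaces only as an httpjson input error, not as a pipeline failure the test fixtures would catch. The new `request.timeout` block is emitted only when `http_client_timeout` is set, so existing configurations keep the httpjson default, which is the right backward-compatible shape. Since the value is passed through unquoted, consider documenting next to the var in manifest.yml that it is a duration string (for example `30s`), so a bare integer is not misread as seconds.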
@@ -30,17 +29,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.md5_hash"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml index 5e24b68c52e..da0b365724f 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing Abuse.ch Malware Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment 
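Review bot: The rebuilt `tags:` list renders no items when `.tags` is empty and `preserve_original_event` is false, leaving `tags:` as a null scalar where the old `{{.tags | tojson}}` produced `[]`; the manifest default keeps this from happening out of the box, but a user who sets `tags: []` explicitly now gets a different config shape, so it is worth a test or a guard. Dropping the shipper-side `fingerprint` into `@metadata._id` also means deduplication now depends entirely on the ingest pipeline running; events that bypass the pipeline (a non-Elasticsearch output, or a pipeline failure routed to `on_failure`) no longer carry a stable id, which is presumably accepted but deserves a line in the changelog.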
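Review bot: The new description in this hunk reads "Pipeline for parsing Abuse.ch URL Threat Intel", but the file is `abusemalware/ingest/pipeline.yml` and every processor below it works on `abusech.malware`, so this looks like a copy from the abuseurl pipeline; it should stay `description: Pipeline for parsing Abuse.ch Malware Threat Intel`. The description is what operators see in the Ingest Pipelines UI when tracing a failed document, so a wrong feed name there costs real time during incident triage.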
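Review bot: The added `ecs.version` set processor writes `"1.12"` while the config.yml `add_fields` it replaces wrote `ecs.version: 1.12.0`, so the indexed value changes form in the same release; ECS versions are conventionally three-part and downstream queries or dashboards pinned on `1.12.0` would stop matching. Unless the other threatintel filesets were switched to the two-part form in this same change, prefer `value: "1.12.0"`.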
@@ -20,92 +24,110 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.abusemalware + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: abusech.malware + - fingerprint: + fields: + - abusech.malware.md5_hash + - abusech.malware.sha256_hash + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] AbuseCH Malware" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - date: - field: threatintel.abusemalware.firstseen - target_field: threatintel.indicator.first_seen + field: abusech.malware.firstseen + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.abusemalware.firstseen != null" + if: "ctx.abusech?.malware?.firstseen != null" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - rename: - field: threatintel.abusemalware.file_size - target_field: threatintel.indicator.file.size + field: abusech.malware.file_size + target_field: threat.indicator.file.size ignore_missing: true - rename: - field: threatintel.abusemalware.file_type - target_field: threatintel.indicator.file.type + field: abusech.malware.file_type + target_field: threat.indicator.file.type ignore_missing: true # This includes a direct link to malicious files, we do not want them to appear in Kibana # in case they are accidently clicked. 
- remove: - field: threatintel.abusemalware.urlhaus_download + field: abusech.malware.urlhaus_download ignore_missing: true - convert: - field: threatintel.indicator.file.size + field: threat.indicator.file.size type: long ignore_missing: true + - convert: + field: abusech.malware.virustotal.percent + type: float + ignore_missing: true - rename: - field: threatintel.abusemalware.md5_hash - target_field: threatintel.indicator.file.hash.md5 + field: abusech.malware.md5_hash + target_field: threat.indicator.file.hash.md5 ignore_missing: true - rename: - field: threatintel.abusemalware.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 + field: abusech.malware.sha256_hash + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - rename: - field: threatintel.abusemalware.imphash - target_field: threatintel.indicator.file.pe.imphash + field: abusech.malware.imphash + target_field: threat.indicator.file.pe.imphash ignore_missing: true - rename: - field: threatintel.abusemalware.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep + field: abusech.malware.ssdeep + target_field: threat.indicator.file.hash.ssdeep ignore_missing: true - rename: - field: threatintel.abusemalware.tlsh - target_field: threatintel.indicator.file.hash.tlsh + field: abusech.malware.tlsh + target_field: threat.indicator.file.hash.tlsh ignore_missing: true - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.md5 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + value: "{{{threat.indicator.file.hash.md5}}}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.sha256 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + value: "{{{threat.indicator.file.hash.sha256}}}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.ssdeep }}" - if: 
ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + value: "{{{threat.indicator.file.hash.ssdeep}}}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null - append: field: related.hash - value: "{{ threatintel.indicator.file.pe.imphash }}" - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + value: "{{{threat.indicator.file.pe.imphash}}}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.tlsh }}" - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null + value: "{{{threat.indicator.file.hash.tlsh}}}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null ###################### # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -127,9 +149,14 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.abusemalware.firstseen + - abusech.malware.firstseen - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml index 5fe3a155180..0d755b7b38d 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml @@ -11,6 +11,9 @@ var: - name: tags default: [threatintel-abusemalware, forwarded] - name: proxy_url + - name: preserve_original_event + default: false + - name: http_client_timeout ingest_pipeline: - ingest/pipeline.yml 
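Review bot: The new `fingerprint` processor hashes `abusech.malware.md5_hash` and `abusech.malware.sha256_hash` without `ignore_missing`, so a feed entry that lacks either hash fails the whole document into `on_failure` instead of indexing with a generated id; every fixture on the page carries both hashes, so the test suite would not show this, and adding `ignore_missing: true` (or guarding with an `if` on both fields) is the cheaper failure mode for a threat feed. The `_id` derivation also changes from the old shipper-side fingerprint of `json.md5_hash` alone to an Elasticsearch-side hash of md5 plus sha256, so indicators already indexed under the old scheme will not be overwritten on the next fetch after upgrade but land as second copies; if that is acceptable it should be stated in the changelog, otherwise hashing only `abusech.malware.md5_hash` keeps ids stable. The `json` processor on `event.original` has no `ignore_missing`/`ignore_failure`, and the preceding rename of `message` is `ignore_missing: true`, so an event with no `message` presumably also lands in `on_failure`; confirm that is intended. Keeping the `remove` of `abusech.malware.urlhaus_download` with its comment is the right call, since that field is a direct link to live malware samples.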
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json index 6c31b6f779c..75a4d118ba3 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json 
@@ -20,15 +20,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724", - "threatintel.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW", - "threatintel.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:14:05.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724", + "threat.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW", + "threat.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:14:05.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -51,17 +53,22 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163", - "threatintel.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr", - "threatintel.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:11:41.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163", + "threat.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr", + "threat.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:11:41.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d", + "abusech.malware.virustotal.percent": 37.88, + "abusech.malware.virustotal.result": "25 / 66", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -82,18 +89,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d", - "threatintel.abusemalware.virustotal.percent": "37.88", - "threatintel.abusemalware.virustotal.result": "25 / 66", - "threatintel.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf", - "threatintel.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd", - "threatintel.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:11:22.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf", + "threat.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd", + "threat.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:11:22.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -116,15 +122,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8", - "threatintel.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH", - "threatintel.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:11:21.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8", + "threat.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH", + "threat.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:11:21.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -146,16 +154,21 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5", - "threatintel.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", - "threatintel.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR", - "threatintel.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190", - "threatintel.indicator.file.size": 352, - "threatintel.indicator.file.type": "unknown", - "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5", + "threat.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", + "threat.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR", + "threat.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190", + "threat.indicator.file.size": 352, + "threat.indicator.file.type": "unknown", + "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0", + "abusech.malware.virustotal.percent": 39.13, + "abusech.malware.virustotal.result": "27 / 69", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -176,18 +189,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0", - "threatintel.abusemalware.virustotal.percent": "39.13", - "threatintel.abusemalware.virustotal.result": "27 / 69", - "threatintel.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857", - "threatintel.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH", - "threatintel.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857", + "threat.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH", + "threat.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -210,15 +222,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba", - "threatintel.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL", - "threatintel.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:53.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba", + "threat.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL", + "threat.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:53.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -241,17 +255,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1", - "threatintel.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg", - "threatintel.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:41.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1", + "threat.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg", + "threat.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:41.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -272,16 +289,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1", - "threatintel.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv", - "threatintel.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:31.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1", + "threat.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv", + "threat.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:31.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -304,15 +322,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87", - "threatintel.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW", - "threatintel.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87", + "threat.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW", + "threat.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -335,15 +355,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f", - "threatintel.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR", - "threatintel.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f", + "threat.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR", + "threat.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -366,15 +388,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931", - "threatintel.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7", - "threatintel.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:06.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931", + "threat.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7", + "threat.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:06.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -397,15 +421,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672", - "threatintel.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP", - "threatintel.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:00.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672", + "threat.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP", + "threat.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:00.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -428,17 +454,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0", - "threatintel.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo", - "threatintel.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:06:36.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0", + "threat.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo", + "threat.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:06:36.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -459,16 +488,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991", - "threatintel.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY", - "threatintel.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:06:13.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991", + "threat.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY", + "threat.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:06:13.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -491,15 +521,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4", - "threatintel.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", - "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk", - "threatintel.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 280064, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:52.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4", + "threat.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", + "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk", + "threat.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 280064, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:52.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -522,17 +554,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8", - "threatintel.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", - "threatintel.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:51.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8", + "threat.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", + "threat.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:51.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -553,16 +588,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572", - "threatintel.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", - "threatintel.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:50.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572", + "threat.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", + "threat.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:50.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -585,15 +621,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03", - "threatintel.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", - "threatintel.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:36.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03", + "threat.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", + "threat.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:36.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -616,17 +654,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99", - "threatintel.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", - "threatintel.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:16.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99", + "threat.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", + "threat.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:16.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -647,16 +688,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547", - "threatintel.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", - "threatintel.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:15.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547", + "threat.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", + "threat.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:15.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -679,15 +721,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7", - "threatintel.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", - "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", - "threatintel.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 280064, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:12.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7", + "threat.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", + "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", + "threat.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 280064, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:12.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -710,15 +754,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6", - "threatintel.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", - "threatintel.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:38.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6", + "threat.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", + "threat.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:38.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -741,15 +787,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188", - "threatintel.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", - "threatintel.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", - "threatintel.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5", - "threatintel.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1", - "threatintel.indicator.file.size": 241664, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:26.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188", + "threat.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", + "threat.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", + "threat.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5", + "threat.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1", + "threat.indicator.file.size": 241664, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:26.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -772,14 +820,16 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7", - "threatintel.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", - "threatintel.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:20.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7", + "threat.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", + "threat.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:20.000Z", + "threat.indicator.type": "file" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml index a93f91d339c..f407bb8d615 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml 
@@ -1,4 +1,4 @@ -- name: abuseurl +- name: abusech.url type: group description: > Fields for AbuseCH Malware Threat Intel diff --git a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml index da01bc61c40..f577594ec06 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml @@ -11,10 +11,6 @@ request.ssl: {{ .ssl | tojson }} request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} -request.transforms: -- set: - target: header.Content-Type - value: application/json response.split: target: body.urls @@ -30,17 +26,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml index bf674ba2c88..f762db7351e 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml @@ -1,3 +1,4 @@ +--- description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment 
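Review bot: The group description that remains as context right under the renamed `abusech.url` group still reads "Fields for AbuseCH Malware Threat Intel", which is the malware feed's wording inside the URL module's fields.yml; since this hunk already touches the line directly above, the description should become `Fields for AbuseCH URL Threat Intel`. This text feeds the generated exported-fields reference, so the mismatch is user-visible documentation.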
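Review bot: The new `tags:` template in config.yml interpolates each tag as a bare YAML scalar (`- {{$val}}`), whereas the removed `tags: {{.tags | tojson}}` emitted a JSON-quoted list; a tag value such as `a: b`, or one starting with `#`, `[` or `&`, now corrupts the rendered module config instead of being passed through verbatim. Since `tojson` is already used for `.ssl` a few lines above, quoting the range item the same way keeps the old safety: `- {{$val | tojson}}`. Also worth confirming that an empty `.tags` with `preserve_original_event` false renders `tags:` with no items and that the beat accepts that as an empty list rather than failing config validation.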
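Review bot: The new `set` in ingest/pipeline.yml pins `ecs.version` to `"1.12"`, while the `add_fields` processor removed from config.yml in the same commit set `ecs.version: 1.12.0`; ECS versions are normally written as full semver, and any dashboard or query filtering on the exact string will no longer match events produced before this change. Unless the other threatintel pipelines were switched to the two-component form in the same PR, `value: "1.12.0"` keeps the field consistent with what the module emitted so far.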
@@ -20,62 +24,75 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.abuseurl + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: abusech.url + - fingerprint: + fields: + - abusech.url.id + target_field: "_id" ##################### # Threat ECS Fields # ##################### - set: - field: threatintel.indicator.type + field: threat.feed.name + value: "[Filebeat] AbuseCH URL" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" + - set: + field: threat.indicator.type value: url - date: - field: threatintel.abuseurl.date_added - target_field: threatintel.indicator.first_seen + field: abusech.url.date_added + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - if: "ctx?.threatintel?.abuseurl?.date_added != null" + if: "ctx.abusech?.url?.date_added != null" - uri_parts: - field: threatintel.abuseurl.url - target_field: threatintel.indicator.url + field: abusech.url.url + target_field: threat.indicator.url keep_original: true remove_if_successful: true - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - rename: - field: threatintel.abuseurl.urlhaus_reference - target_field: threatintel.indicator.reference + field: abusech.url.urlhaus_reference + target_field: threat.indicator.reference ignore_missing: true # Host can be both IP addresses and domain names - grok: - field: threatintel.abuseurl.host + field: abusech.url.host patterns: - - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})" + - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})" ignore_failure: true - rename: - field: threatintel.abuseurl.reporter - target_field: 
threatintel.indicator.provider + field: abusech.url.reporter + target_field: threat.indicator.provider ignore_missing: true ###################### # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - convert: - field: threatintel.abuseurl.larted + field: abusech.url.larted type: boolean ignore_missing: true - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -97,11 +114,16 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.abuseurl.date_added - - threatintel.abuseurl.url - - threatintel.abuseurl.host + - abusech.url.date_added + - abusech.url.url + - abusech.url.host - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml index 13b5e663c4a..2f71ad88253 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml @@ -11,6 +11,8 @@ var: - name: tags default: [threatintel-abuseurls, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json index 3b312440b34..c76728b3c16 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json 
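Review bot: The `threat.feed.dashboard_id` set here for the URL feed, `ad9c7430-72de-11eb-a3e3-b3cc7c78a70f`, is the same id the abusemalware expected output in this diff carries for "[Filebeat] AbuseCH Malware"; if one shared overview dashboard for every abuse.ch feed is intended, that deserves a comment such as `# shared abuse.ch threat intel dashboard; same id as the abusemalware pipeline`, otherwise it reads as a copy-paste and the URL feed's own dashboard id belongs here. Separately, the `rename` of `message` to `event.original` uses `ignore_missing: true`, but the new `json` processor on `event.original` does not, so an event that arrives without a message now fails at the json step rather than being skipped — fine if the pipeline's `on_failure` handler (outside this hunk) is meant to catch it, otherwise add `ignore_missing: true` there too. The processors list starts before and continues after this hunk.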
@@ -1,5 +1,15 @@ [ { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961548", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -13,30 +23,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961548", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:13.000Z", + "threat.indicator.ip": "103.72.223.103", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "103.72.223.103", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://103.72.223.103:34613/Mozi.m", + "threat.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34613, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961546", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:13.000Z", - "threatintel.indicator.ip": "103.72.223.103", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "103.72.223.103", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://103.72.223.103:34613/Mozi.m", - "threatintel.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34613, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -50,30 +62,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961546",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z",
+ "threat.indicator.ip": "112.30.97.184",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961546/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "112.30.97.184",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://112.30.97.184:44941/Mozi.m",
+ "threat.indicator.url.original": "http://112.30.97.184:44941/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 44941,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961547",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z",
- "threatintel.indicator.ip": "112.30.97.184",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961546/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "112.30.97.184",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://112.30.97.184:44941/Mozi.m",
- "threatintel.indicator.url.original": "http://112.30.97.184:44941/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 44941,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -87,30 +101,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961547",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z",
+ "threat.indicator.ip": "113.110.198.53",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961547/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "113.110.198.53",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://113.110.198.53:37173/Mozi.m",
+ "threat.indicator.url.original": "http://113.110.198.53:37173/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 37173,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961545",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z",
- "threatintel.indicator.ip": "113.110.198.53",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961547/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "113.110.198.53",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://113.110.198.53:37173/Mozi.m",
- "threatintel.indicator.url.original": "http://113.110.198.53:37173/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 37173,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -124,30 +140,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961545",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:19:04.000Z",
+ "threat.indicator.ip": "101.20.183.170",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961545/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "101.20.183.170",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://101.20.183.170:47545/Mozi.m",
+ "threat.indicator.url.original": "http://101.20.183.170:47545/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 47545,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961544",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:19:04.000Z",
- "threatintel.indicator.ip": "101.20.183.170",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961545/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "101.20.183.170",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://101.20.183.170:47545/Mozi.m",
- "threatintel.indicator.url.original": "http://101.20.183.170:47545/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 47545,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -161,30 +179,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961544",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:07.000Z",
+ "threat.indicator.ip": "59.8.35.22",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961544/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "59.8.35.22",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://59.8.35.22:44782/Mozi.a",
+ "threat.indicator.url.original": "http://59.8.35.22:44782/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 44782,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961543",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:07.000Z",
- "threatintel.indicator.ip": "59.8.35.22",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961544/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "59.8.35.22",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://59.8.35.22:44782/Mozi.a",
- "threatintel.indicator.url.original": "http://59.8.35.22:44782/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 44782,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -198,30 +218,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961543",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:06.000Z",
+ "threat.indicator.ip": "59.96.37.35",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961543/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "59.96.37.35",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://59.96.37.35:44359/Mozi.a",
+ "threat.indicator.url.original": "http://59.96.37.35:44359/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 44359,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961540",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:06.000Z",
- "threatintel.indicator.ip": "59.96.37.35",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961543/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "59.96.37.35",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://59.96.37.35:44359/Mozi.a",
- "threatintel.indicator.url.original": "http://59.96.37.35:44359/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 44359,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -235,30 +257,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961540",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "42.239.233.17",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961540/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.239.233.17",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.239.233.17:56507/Mozi.m",
+ "threat.indicator.url.original": "http://42.239.233.17:56507/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 56507,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961541",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "42.239.233.17",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961540/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.239.233.17",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.239.233.17:56507/Mozi.m",
- "threatintel.indicator.url.original": "http://42.239.233.17:56507/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 56507,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -272,30 +296,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961541",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "58.252.178.20",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961541/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "58.252.178.20",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://58.252.178.20:57562/Mozi.m",
+ "threat.indicator.url.original": "http://58.252.178.20:57562/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 57562,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961542",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "58.252.178.20",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961541/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "58.252.178.20",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://58.252.178.20:57562/Mozi.m",
- "threatintel.indicator.url.original": "http://58.252.178.20:57562/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 57562,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -309,30 +335,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961542",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "45.176.111.95",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961542/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "45.176.111.95",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://45.176.111.95:48845/Mozi.m",
+ "threat.indicator.url.original": "http://45.176.111.95:48845/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 48845,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961539",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "45.176.111.95",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961542/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "45.176.111.95",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://45.176.111.95:48845/Mozi.m",
- "threatintel.indicator.url.original": "http://45.176.111.95:48845/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 48845,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -346,30 +374,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961539",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:04.000Z",
+ "threat.indicator.ip": "42.224.68.97",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961539/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.224.68.97",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.224.68.97:58245/Mozi.m",
+ "threat.indicator.url.original": "http://42.224.68.97:58245/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 58245,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961538",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:04.000Z",
- "threatintel.indicator.ip": "42.224.68.97",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961539/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.224.68.97",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.224.68.97:58245/Mozi.m",
- "threatintel.indicator.url.original": "http://42.224.68.97:58245/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 58245,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -383,30 +413,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961538",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:08.000Z",
+ "threat.indicator.ip": "222.81.144.207",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961538/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "222.81.144.207",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://222.81.144.207:37198/Mozi.m",
+ "threat.indicator.url.original": "http://222.81.144.207:37198/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 37198,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961537",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:08.000Z",
- "threatintel.indicator.ip": "222.81.144.207",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961538/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "222.81.144.207",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://222.81.144.207:37198/Mozi.m",
- "threatintel.indicator.url.original": "http://222.81.144.207:37198/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 37198,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -420,30 +452,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961537",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:06.000Z",
+ "threat.indicator.ip": "182.127.185.137",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961537/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.127.185.137",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://182.127.185.137:33524/Mozi.m",
+ "threat.indicator.url.original": "http://182.127.185.137:33524/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 33524,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961531",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:06.000Z",
- "threatintel.indicator.ip": "182.127.185.137",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961537/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.127.185.137",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://182.127.185.137:33524/Mozi.m",
- "threatintel.indicator.url.original": "http://182.127.185.137:33524/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 33524,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -457,30 +491,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961531",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "39.84.175.185",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961531/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "39.84.175.185",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://39.84.175.185:48261/Mozi.a",
+ "threat.indicator.url.original": "http://39.84.175.185:48261/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 48261,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961532",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "39.84.175.185",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961531/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "39.84.175.185",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://39.84.175.185:48261/Mozi.a",
- "threatintel.indicator.url.original": "http://39.84.175.185:48261/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 48261,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -494,30 +530,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961532",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "27.41.11.238",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961532/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "27.41.11.238",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://27.41.11.238:34478/Mozi.m",
+ "threat.indicator.url.original": "http://27.41.11.238:34478/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34478,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961533",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "27.41.11.238",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961532/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "27.41.11.238",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://27.41.11.238:34478/Mozi.m",
- "threatintel.indicator.url.original": "http://27.41.11.238:34478/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34478,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -531,30 +569,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961533", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "182.127.133.68", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961533/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.127.133.68", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://182.127.133.68:35703/Mozi.a", + "threat.indicator.url.original": "http://182.127.133.68:35703/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 35703, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961534", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "182.127.133.68", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961533/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.127.133.68", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://182.127.133.68:35703/Mozi.a", - "threatintel.indicator.url.original": "http://182.127.133.68:35703/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 35703, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -568,30 +608,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961534", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "27.46.44.102", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961534/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "27.46.44.102", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://27.46.44.102:48666/Mozi.m", + "threat.indicator.url.original": "http://27.46.44.102:48666/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48666, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961535", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "27.46.44.102", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961534/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "27.46.44.102", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://27.46.44.102:48666/Mozi.m", - "threatintel.indicator.url.original": "http://27.46.44.102:48666/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48666, - "threatintel.indicator.url.scheme": "http" - }, - { + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -605,30 +647,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961535", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "39.70.88.65", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961535/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "39.70.88.65", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://39.70.88.65:53923/Mozi.m", + "threat.indicator.url.original": "http://39.70.88.65:53923/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 53923, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961536", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "39.70.88.65", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961535/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "39.70.88.65", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://39.70.88.65:53923/Mozi.m", - "threatintel.indicator.url.original": "http://39.70.88.65:53923/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 53923, - "threatintel.indicator.url.scheme": "http" - }, - { + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -642,30 +686,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961536", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "42.224.136.237", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961536/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.224.136.237", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.224.136.237:52794/Mozi.m", + "threat.indicator.url.original": "http://42.224.136.237:52794/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 52794, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961530", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "42.224.136.237", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961536/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.224.136.237", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.224.136.237:52794/Mozi.m", - "threatintel.indicator.url.original": "http://42.224.136.237:52794/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 52794, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -679,30 +725,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961530", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:34.000Z", + "threat.indicator.ip": "117.208.135.63", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961530/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.208.135.63", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://117.208.135.63:49312/Mozi.a", + "threat.indicator.url.original": "http://117.208.135.63:49312/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 49312, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961525", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:05:34.000Z", - "threatintel.indicator.ip": "117.208.135.63", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961530/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.208.135.63", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://117.208.135.63:49312/Mozi.a", - "threatintel.indicator.url.original": "http://117.208.135.63:49312/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 49312, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -716,30 +764,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961525", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "125.47.66.60", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "125.47.66.60", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://125.47.66.60:38961/Mozi.m", + "threat.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 38961, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961526", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "125.47.66.60", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "125.47.66.60", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://125.47.66.60:38961/Mozi.m", - "threatintel.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 38961, - "threatintel.indicator.url.scheme": "http" - }, - { + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -753,30 +803,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961526", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "182.117.95.148", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.117.95.148", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://182.117.95.148:50420/Mozi.a", + "threat.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 50420, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961527", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "182.117.95.148", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.117.95.148", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://182.117.95.148:50420/Mozi.a", - "threatintel.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 50420, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -790,30 +842,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961527", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "117.202.71.48", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.202.71.48", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://117.202.71.48:55007/Mozi.m", + "threat.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 55007, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961528", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "117.202.71.48", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.202.71.48", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://117.202.71.48:55007/Mozi.m", - "threatintel.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 55007, - "threatintel.indicator.url.scheme": "http" - 
}, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -827,30 +881,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961528", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "125.99.132.118", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "125.99.132.118", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://125.99.132.118:51143/Mozi.m", + "threat.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 51143, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961529", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "125.99.132.118", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "125.99.132.118", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://125.99.132.118:51143/Mozi.m", - "threatintel.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 51143, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -864,30 +920,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961529", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "182.114.123.69", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.114.123.69", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.114.123.69:41003/Mozi.m", - "threatintel.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41003, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "182.114.123.69", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.114.123.69", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.114.123.69:41003/Mozi.m", + "threat.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41003, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961524", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -901,29 +958,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961524", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:38.000Z", - "threatintel.indicator.ip": "116.19.127.37", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "116.19.127.37", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://116.19.127.37:35739/Mozi.m", - "threatintel.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 35739, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:38.000Z", + "threat.indicator.ip": "116.19.127.37", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "116.19.127.37", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://116.19.127.37:35739/Mozi.m", + "threat.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 35739, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961523", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" 
+ ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -937,29 +996,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961523", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:36.000Z", - "threatintel.indicator.ip": "42.239.253.55", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.239.253.55", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.239.253.55:45653/Mozi.m", - "threatintel.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 45653, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:36.000Z", + "threat.indicator.ip": "42.239.253.55", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.239.253.55", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.239.253.55:45653/Mozi.m", + "threat.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 45653, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961520", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" 
+ ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -973,29 +1034,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961520", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "103.217.121.228", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961520/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "103.217.121.228", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://103.217.121.228:41349/Mozi.m", - "threatintel.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41349, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "103.217.121.228", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961520/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "103.217.121.228", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://103.217.121.228:41349/Mozi.m", + "threat.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41349, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961521", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1009,29 +1072,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961521", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "111.92.81.255", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961521/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "111.92.81.255", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://111.92.81.255:48586/Mozi.m", - "threatintel.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48586, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "111.92.81.255", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961521/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "111.92.81.255", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://111.92.81.255:48586/Mozi.m", + "threat.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48586, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961522", + "abusech.url.larted": false, + "abusech.url.tags": [ + 
"Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1045,29 +1110,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961522", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "45.229.55.75", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961522/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "45.229.55.75", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://45.229.55.75:38111/Mozi.m", - "threatintel.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 38111, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "45.229.55.75", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961522/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "45.229.55.75", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://45.229.55.75:38111/Mozi.m", + "threat.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 38111, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961518", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1081,29 +1148,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961518", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", - "threatintel.indicator.ip": "182.121.242.148", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961518/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.121.242.148", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.121.242.148:34556/Mozi.m", - "threatintel.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34556, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threat.indicator.ip": "182.121.242.148", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961518/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.121.242.148", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.121.242.148:34556/Mozi.m", + "threat.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34556, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961519", + "abusech.url.larted": true, + 
"abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1117,30 +1187,33 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961519", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", - "threatintel.indicator.ip": "106.115.189.249", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961519/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "106.115.189.249", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://106.115.189.249:59815/Mozi.m", - "threatintel.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 59815, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threat.indicator.ip": "106.115.189.249", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961519/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "106.115.189.249", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://106.115.189.249:59815/Mozi.m", + "threat.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 59815, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961516", + "abusech.url.larted": true, + 
"abusech.url.tags": [ + "32-bit", + "elf", + "mips" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1154,31 +1227,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961516", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "32-bit", - "elf", - "mips" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", - "threatintel.indicator.ip": "182.117.93.110", - "threatintel.indicator.provider": "geenensp", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961516/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.117.93.110", - "threatintel.indicator.url.extension": "sh", - "threatintel.indicator.url.full": "http://182.117.93.110:50587/bin.sh", - "threatintel.indicator.url.original": "http://182.117.93.110:50587/bin.sh", - "threatintel.indicator.url.path": "/bin.sh", - "threatintel.indicator.url.port": 50587, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threat.indicator.ip": "182.117.93.110", + "threat.indicator.provider": "geenensp", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961516/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.117.93.110", + "threat.indicator.url.extension": "sh", + "threat.indicator.url.full": "http://182.117.93.110:50587/bin.sh", + "threat.indicator.url.original": "http://182.117.93.110:50587/bin.sh", + "threat.indicator.url.path": "/bin.sh", + "threat.indicator.url.port": 50587, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961517", + "abusech.url.larted": true, + 
"abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1192,30 +1266,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961517", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", - "threatintel.indicator.ip": "110.251.5.169", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961517/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "110.251.5.169", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://110.251.5.169:48322/Mozi.m", - "threatintel.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48322, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threat.indicator.ip": "110.251.5.169", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961517/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "110.251.5.169", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://110.251.5.169:48322/Mozi.m", + "threat.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48322, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961515", + "abusech.url.larted": true, + "abusech.url.tags": 
[ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1229,29 +1304,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961515", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:06.000Z", - "threatintel.indicator.ip": "101.51.117.186", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961515/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "101.51.117.186", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://101.51.117.186:33317/Mozi.m", - "threatintel.indicator.url.original": "http://101.51.117.186:33317/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 33317, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:06.000Z", + "threat.indicator.ip": "101.51.117.186", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961515/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "101.51.117.186", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://101.51.117.186:33317/Mozi.m", + "threat.indicator.url.original": "http://101.51.117.186:33317/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 33317, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961513", + "abusech.url.larted": true, + "abusech.url.tags": [ + 
"Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1265,29 +1342,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961513", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", - "threatintel.indicator.ip": "121.151.78.166", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961513/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "121.151.78.166", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://121.151.78.166:41516/Mozi.m", - "threatintel.indicator.url.original": "http://121.151.78.166:41516/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41516, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threat.indicator.ip": "121.151.78.166", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961513/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "121.151.78.166", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://121.151.78.166:41516/Mozi.m", + "threat.indicator.url.original": "http://121.151.78.166:41516/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41516, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961514", + "abusech.url.larted": true, + "abusech.url.tags": [ + 
"Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1301,29 +1380,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961514", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", - "threatintel.indicator.ip": "116.72.92.97", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961514/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "116.72.92.97", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://116.72.92.97:57798/Mozi.m", - "threatintel.indicator.url.original": "http://116.72.92.97:57798/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 57798, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threat.indicator.ip": "116.72.92.97", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961514/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "116.72.92.97", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://116.72.92.97:57798/Mozi.m", + "threat.indicator.url.original": "http://116.72.92.97:57798/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 57798, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961509", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1337,29 +1418,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961509", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "27.218.15.209", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961509/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "27.218.15.209", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://27.218.15.209:47671/Mozi.m", - "threatintel.indicator.url.original": "http://27.218.15.209:47671/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 47671, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "27.218.15.209", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961509/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "27.218.15.209", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://27.218.15.209:47671/Mozi.m", + "threat.indicator.url.original": "http://27.218.15.209:47671/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 47671, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961510", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" 
+ ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1373,29 +1456,33 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961510", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "120.85.171.210", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961510/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "120.85.171.210", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://120.85.171.210:57690/Mozi.m", - "threatintel.indicator.url.original": "http://120.85.171.210:57690/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 57690, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "120.85.171.210", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961510/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "120.85.171.210", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://120.85.171.210:57690/Mozi.m", + "threat.indicator.url.original": "http://120.85.171.210:57690/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 57690, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961511", + "abusech.url.larted": true, + "abusech.url.tags": [ + 
"32-bit", + "elf", + "mips" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1409,30 +1496,30 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961511", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "32-bit", - "elf", - "mips" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "117.251.59.53", - "threatintel.indicator.provider": "geenensp", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961511/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.251.59.53", - "threatintel.indicator.url.full": "http://117.251.59.53:50611/i", - "threatintel.indicator.url.original": "http://117.251.59.53:50611/i", - "threatintel.indicator.url.path": "/i", - "threatintel.indicator.url.port": 50611, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "117.251.59.53", + "threat.indicator.provider": "geenensp", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961511/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.251.59.53", + "threat.indicator.url.full": "http://117.251.59.53:50611/i", + "threat.indicator.url.original": "http://117.251.59.53:50611/i", + "threat.indicator.url.path": "/i", + "threat.indicator.url.port": 50611, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961512", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", 
"event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1446,29 +1533,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961512", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "115.58.83.167", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961512/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "115.58.83.167", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://115.58.83.167:34141/Mozi.m", - "threatintel.indicator.url.original": "http://115.58.83.167:34141/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34141, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "115.58.83.167", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961512/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "115.58.83.167", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://115.58.83.167:34141/Mozi.m", + "threat.indicator.url.original": "http://115.58.83.167:34141/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34141, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961507", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi", 
+ "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1482,30 +1572,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961507", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threat.indicator.ip": "94.178.124.83", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961507/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "94.178.124.83", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://94.178.124.83:44399/Mozi.m", + "threat.indicator.url.original": "http://94.178.124.83:44399/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 44399, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961508", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", - "threatintel.indicator.ip": "94.178.124.83", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961507/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "94.178.124.83", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://94.178.124.83:44399/Mozi.m", - "threatintel.indicator.url.original": "http://94.178.124.83:44399/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 44399, - "threatintel.indicator.url.scheme": "http" 
- }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1519,30 +1611,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961508", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threat.indicator.ip": "182.122.75.232", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961508/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.122.75.232", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.122.75.232:49120/Mozi.m", + "threat.indicator.url.original": "http://182.122.75.232:49120/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 49120, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961506", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", - "threatintel.indicator.ip": "182.122.75.232", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961508/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.122.75.232", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.122.75.232:49120/Mozi.m", - "threatintel.indicator.url.original": "http://182.122.75.232:49120/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 49120, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1556,30 +1650,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961506", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:07.000Z", + "threat.indicator.ip": "115.63.202.43", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961506/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "115.63.202.43", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://115.63.202.43:51136/Mozi.m", + "threat.indicator.url.original": "http://115.63.202.43:51136/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 51136, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961504", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:07.000Z", - "threatintel.indicator.ip": "115.63.202.43", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961506/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "115.63.202.43", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://115.63.202.43:51136/Mozi.m", - "threatintel.indicator.url.original": "http://115.63.202.43:51136/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 51136, - "threatintel.indicator.url.scheme": "http" 
- }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1593,30 +1689,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961504", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threat.indicator.ip": "59.99.40.204", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961504/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "59.99.40.204", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://59.99.40.204:45773/Mozi.m", + "threat.indicator.url.original": "http://59.99.40.204:45773/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 45773, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961505", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", - "threatintel.indicator.ip": "59.99.40.204", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961504/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "59.99.40.204", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://59.99.40.204:45773/Mozi.m", - "threatintel.indicator.url.original": "http://59.99.40.204:45773/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 45773, - "threatintel.indicator.url.scheme": "http" - }, - { 
+ "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1630,30 +1728,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961505", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threat.indicator.ip": "117.247.128.213", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961505/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.247.128.213", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://117.247.128.213:56528/Mozi.m", + "threat.indicator.url.original": "http://117.247.128.213:56528/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 56528, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961500", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", - "threatintel.indicator.ip": "117.247.128.213", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961505/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.247.128.213", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://117.247.128.213:56528/Mozi.m", - "threatintel.indicator.url.original": "http://117.247.128.213:56528/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 56528, - 
"threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1667,30 +1767,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961500", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "14.137.219.132", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961500/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "14.137.219.132", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://14.137.219.132:44427/Mozi.a", + "threat.indicator.url.original": "http://14.137.219.132:44427/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 44427, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961501", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "14.137.219.132", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961500/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "14.137.219.132", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://14.137.219.132:44427/Mozi.a", - "threatintel.indicator.url.original": "http://14.137.219.132:44427/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 44427, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1704,30 +1806,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961501", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "42.224.40.14", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961501/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.224.40.14", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.224.40.14:36134/Mozi.m", + "threat.indicator.url.original": "http://42.224.40.14:36134/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 36134, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961502", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "42.224.40.14", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961501/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.224.40.14", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.224.40.14:36134/Mozi.m", - "threatintel.indicator.url.original": "http://42.224.40.14:36134/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 36134, - "threatintel.indicator.url.scheme": "http" - }, - { 
+ "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1741,30 +1845,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961502", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "186.33.104.107", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961502/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "186.33.104.107", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://186.33.104.107:43973/Mozi.m", + "threat.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 43973, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961503", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "186.33.104.107", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961502/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "186.33.104.107", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://186.33.104.107:43973/Mozi.m", - "threatintel.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 43973, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1778,30 +1884,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961503", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "85.105.16.154", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961503/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "85.105.16.154", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://85.105.16.154:41319/Mozi.m", + "threat.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41319, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961496", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "85.105.16.154", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961503/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "85.105.16.154", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://85.105.16.154:41319/Mozi.m", - "threatintel.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41319, - "threatintel.indicator.url.scheme": "http" 
- }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1815,30 +1923,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961496", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "178.141.73.115", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961496/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "178.141.73.115", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://178.141.73.115:51847/Mozi.a", + "threat.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 51847, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961497", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "178.141.73.115", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961496/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "178.141.73.115", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://178.141.73.115:51847/Mozi.a", - "threatintel.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 51847, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1852,30 +1962,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961497", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "186.33.104.135", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961497/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "186.33.104.135", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://186.33.104.135:54469/Mozi.m", + "threat.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 54469, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961498", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "186.33.104.135", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961497/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "186.33.104.135", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://186.33.104.135:54469/Mozi.m", - "threatintel.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 54469, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1889,30 +2001,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961498", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "115.56.159.43", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961498/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "115.56.159.43", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://115.56.159.43:34547/Mozi.m", + "threat.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34547, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961499", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "115.56.159.43", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961498/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "115.56.159.43", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://115.56.159.43:34547/Mozi.m", - "threatintel.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34547, - "threatintel.indicator.url.scheme": "http" 
- }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1926,30 +2040,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961499", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "42.230.138.170", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961499/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.230.138.170", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.230.138.170:33932/Mozi.m", - "threatintel.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 33932, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "42.230.138.170", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961499/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.230.138.170", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.230.138.170:33932/Mozi.m", + "threat.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 33932, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961494", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1963,27 +2078,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961494", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961494/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", - "threatintel.indicator.url.path": "/viro/02478080035/blank.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961494/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", + "threat.indicator.url.path": "/viro/02478080035/blank.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961495", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1997,27 +2114,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961495", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961495/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961495/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961492", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2031,27 +2150,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961492", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961492/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961492/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961493", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], 
+ "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2065,27 +2186,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961493", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961493/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", - "threatintel.indicator.url.path": "/leto/02328510512/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961493/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css", + "threat.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", + "threat.indicator.url.path": "/leto/02328510512/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961490", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2099,27 +2222,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961490", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961490/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961490/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961491", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2133,27 +2258,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961491", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961491/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", - "threatintel.indicator.url.path": "/minu/12875710159/blank.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961491/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css", + "threat.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", + "threat.indicator.url.path": "/minu/12875710159/blank.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961489", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2167,27 +2294,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961489", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:41.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961489/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:41.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961489/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961488", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2201,27 +2330,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961488", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:40.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961488/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:40.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961488/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961487", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2235,27 +2366,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961487", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:17.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961487/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg", - "threatintel.indicator.url.path": "/bella/01844510469/1x1.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:17.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961487/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg", + "threat.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg", + "threat.indicator.url.path": "/bella/01844510469/1x1.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961485", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2269,27 +2402,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961485", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961485/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", - "threatintel.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961485/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", + "threat.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961486", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2303,27 +2438,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961486", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961486/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", - "threatintel.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961486/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", + "threat.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", + "threat.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961482", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2337,27 +2474,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961482", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961482/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css", - "threatintel.indicator.url.path": "/viro/06389650018/it.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961482/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css", + "threat.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css", + "threat.indicator.url.path": "/viro/06389650018/it.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961483", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2371,27 +2510,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961483", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961483/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", - "threatintel.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961483/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", + "threat.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961484", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2405,27 +2546,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961484", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961484/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", - "threatintel.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961484/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", + "threat.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961480", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2439,27 +2582,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961480", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961480/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", - "threatintel.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961480/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", + "threat.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", + "threat.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961481", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2473,27 +2618,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961481", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961481/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg", - "threatintel.indicator.url.path": "/minu/15578761007/maps.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961481/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg", + "threat.indicator.url.path": "/minu/15578761007/maps.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961478", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2507,27 +2654,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961478", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961478/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png", - "threatintel.indicator.url.path": "/viro/03079590133/1x1.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961478/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png", + "threat.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png", + "threat.indicator.url.path": "/viro/03079590133/1x1.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961479", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2541,27 +2690,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961479", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961479/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", - "threatintel.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961479/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", + "threat.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961476", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2575,27 +2726,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961476", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961476/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", - "threatintel.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961476/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", + "threat.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", + "threat.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961477", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2609,27 +2762,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961477", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961477/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", - "threatintel.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961477/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", + "threat.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961470", + "abusech.url.larted": false, + "abusech.url.tags": [ + 
"sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2643,27 +2798,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961470", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961470/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", - "threatintel.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961470/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", + "threat.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961471", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2677,27 +2834,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961471", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961471/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "fhivelifestyle.online", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", - "threatintel.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", - "threatintel.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961471/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "fhivelifestyle.online", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", + "threat.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", + "threat.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961472", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2711,27 +2870,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961472", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961472/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", - "threatintel.indicator.url.path": "/bella/05739900487/1x1.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961472/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", + "threat.indicator.url.path": "/bella/05739900487/1x1.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961473", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2745,27 +2906,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961473", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961473/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", - "threatintel.indicator.url.path": "/bella/01767180597/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961473/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", + "threat.indicator.url.path": "/bella/01767180597/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961474", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2779,27 +2942,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961474", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961474/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961474/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961475", + "abusech.url.larted": false, + "abusech.url.tags": 
[ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2813,27 +2978,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961475", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961475/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961475/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961468", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2847,27 +3014,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961468", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961468/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", - "threatintel.indicator.url.path": "/minu/08035410722/logo.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961468/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", + "threat.indicator.url.path": "/minu/08035410722/logo.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961469", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2881,27 +3050,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961469", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961469/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961469/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961467", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2915,27 +3086,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961467", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:13.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961467/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", - "threatintel.indicator.url.path": "/leto/03253350239/1x1.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:13.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961467/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png", + "threat.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", + "threat.indicator.url.path": "/leto/03253350239/1x1.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961464", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2949,27 +3122,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961464", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961464/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", - "threatintel.indicator.url.path": "/ladi/10582470158/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961464/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", + "threat.indicator.url.path": "/ladi/10582470158/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961465", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2983,27 +3158,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961465", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961465/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961465/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961466", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3017,27 +3194,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961466", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961466/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961466/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961461", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3051,27 +3230,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961461", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961461/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961461/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961462", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3085,27 +3266,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961462", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961462/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961462/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961463", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3119,27 +3302,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961463", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961463/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", - "threatintel.indicator.url.path": "/viro/02941830735/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961463/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css", + "threat.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", + "threat.indicator.url.path": "/viro/02941830735/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961458", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3153,27 +3338,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961458", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961458/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961458/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961459", + "abusech.url.larted": false, + "abusech.url.tags": [ + 
"sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3187,27 +3374,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961459", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961459/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", - "threatintel.indicator.url.path": "/ladi/03108100615/it.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961459/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", + "threat.indicator.url.path": "/ladi/03108100615/it.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961460", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3221,27 +3410,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961460", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961460/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961460/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961455", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3255,27 +3446,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961455", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961455/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif", - "threatintel.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", - "threatintel.indicator.url.path": "/viro/00183050368/en.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961455/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif", + "threat.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", + "threat.indicator.url.path": "/viro/00183050368/en.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961456", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3289,27 +3482,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961456", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961456/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961456/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961457", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3323,27 +3518,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961457", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961457/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", - "threatintel.indicator.url.path": "/leto/08658331007/blank.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961457/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif", + "threat.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", + "threat.indicator.url.path": "/leto/08658331007/blank.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961450", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3357,27 +3554,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961450", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961450/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", - "threatintel.indicator.url.path": "/minu/01098910324/blank.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961450/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png", + "threat.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", + "threat.indicator.url.path": "/minu/01098910324/blank.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961451", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3391,27 +3590,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961451", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961451/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", - "threatintel.indicator.url.path": "/viro/02794390233/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961451/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css", + "threat.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", + "threat.indicator.url.path": "/viro/02794390233/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961452", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3425,27 +3626,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961452", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961453", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3459,27 +3662,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961453", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961454", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3493,27 +3698,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961454", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", - "threatintel.indicator.url.path": "/viro/03610140125/map.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", + "threat.indicator.url.path": "/viro/03610140125/map.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961448", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3527,24 +3734,17 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961448", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:36.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:36.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.scheme": "https" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml index 69ab6e22e9b..696b062b6b2 100644 --- a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: anomali +- name: anomali.limo type: group description: > Fields for Anomali Threat Intel @@ -50,4 +50,4 @@ - name: object_marking_refs type: keyword description: > - The STIX reference object. \ No newline at end of file + The STIX reference object. diff --git a/x-pack/filebeat/module/threatintel/anomali/config/config.yml b/x-pack/filebeat/module/threatintel/anomali/config/config.yml index a268ddb7559..1a30d874635 100644 --- a/x-pack/filebeat/module/threatintel/anomali/config/config.yml +++ b/x-pack/filebeat/module/threatintel/anomali/config/config.yml @@ -30,7 +30,7 @@ request.transforms: value: items 0-10000 - set: target: url.params.match[type] - value: {{ .types }} + value: indicator - set: target: url.params.added_after value: '[[.cursor.timestamp]]' @@ -54,17 +54,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml index eccbf5e9826..94ca3a84751 100644 --- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml 
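Review bot: The new `tags:` template at the end of the config.yml hunk writes each value raw into YAML (`- {{$val}}`), whereas the removed `tags: {{.tags | tojson}}` emitted a JSON-quoted list; a user-supplied tag containing YAML-significant characters (`:`, ` #`, a leading `[`, `{` or quote) would now be mis-parsed or break the generated input config. Since `tojson` is already used on the removed line, `- {{$val | tojson}}` should keep each element quoted while preserving the new list layout. The hard-coded `- preserve_original_event` entry is unaffected by this.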
@@ -1,4 +1,5 @@ -description: Pipeline for parsing Anomali Threat Intel +--- +description: Pipeline for parsing Anomali Limo indicators processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -20,16 +24,30 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.anomali + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: anomali.limo + - fingerprint: + fields: + - anomali.limo.id + target_field: "_id" ignore_missing: true ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] Anomali Limo" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" ## File indicator operations - date: - field: threatintel.anomali.created + field: anomali.limo.created formats: - "yyyy-MM-dd'T'HH:mm:ssz" - "yyyy-MM-dd'T'HH:mm:ssZ" 
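Review bot: The new `ecs.version` value `"1.12"` disagrees with the `ecs.version: 1.12.0` that this same change removes from the input-side `add_fields` processor in config.yml, and ECS documents `ecs.version` as a full three-part version string such as `1.12.0`; consumers that filter on the exact string will see this dataset differ from modules that keep the three-part form. Unless the repository has deliberately moved to two-part values elsewhere (not visible here), change the added line to `value: "1.12.0"`.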
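Review bot: The added `json` processor has neither `ignore_missing` nor `ignore_failure`, while the `rename` just above it has `ignore_missing: true`, so an event without `message` — or a non-JSON body from the feed — now aborts the pipeline at this step instead of being tagged; whether that is acceptable depends on the pipeline-level `on_failure` handler, which is outside this hunk, so confirm it records `error.message` rather than dropping the document. The `fingerprint` that sets `_id` from `anomali.limo.id` is what makes re-polled indicators overwrite rather than duplicate; because it is `ignore_missing: true`, an object without an `id` silently gets an auto-generated `_id` and will be duplicated on every poll, which deserves a comment on that processor such as `# _id derived from the STIX id so re-polled indicators update in place; objects without id are not deduplicated`.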
@@ -39,68 +57,73 @@ processors: - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.created != null" + if: "ctx.anomali?.limo?.created != null" - date: - field: threatintel.anomali.modified - target_field: threatintel.anomali.modified + field: anomali.limo.modified + target_field: anomali.limo.modified formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" - "yyyy-MM-dd'T'HH:mm:ss.Sz" - "yyyy-MM-dd'T'HH:mm:ss.SZ" - "yyyy-MM-dd'T'HH:mm:ss.SSz" - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.modified != null" + if: "ctx.anomali?.limo?.modified != null" - date: - field: threatintel.anomali.valid_from - target_field: threatintel.indicator.first_seen + field: anomali.limo.valid_from + target_field: threat.indicator.first_seen formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" - "yyyy-MM-dd'T'HH:mm:ss.Sz" - "yyyy-MM-dd'T'HH:mm:ss.SZ" - "yyyy-MM-dd'T'HH:mm:ss.SSz" - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.valid_from != null" + if: "ctx.anomali?.limo?.valid_from != null" - grok: - field: threatintel.anomali.pattern + field: anomali.limo.pattern patterns: - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" + if: ctx.anomali?.limo?.pattern != null - rename: field: _tmp.threattype - target_field: threatintel.indicator.type + target_field: threat.indicator.type ignore_missing: true - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.ip + target_field: threat.indicator.ip ignore_missing: true - if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - uri_parts: field: _tmp.threatvalue - target_field: threatintel.indicator.url + target_field: threat.indicator.url 
keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' + if: ctx.threat?.indicator?.type == 'url' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.email.address + target_field: threat.indicator.email.address ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + if: ctx.threat?.indicator?.type == 'email-addr' - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.url.domain + target_field: threat.indicator.url.domain ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'domain-name' + if: ctx.threat?.indicator?.type == 'domain-name' - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - foreach: - field: threatintel.anomali.labels + field: anomali.limo.labels ignore_missing: true processor: append: @@ -108,9 +131,9 @@ processors: value: "{{_ingest._value}}" allow_duplicates: false - grok: - field: threatintel.anomali.description + field: anomali.limo.description patterns: - - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}" + - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}" ignore_missing: true ignore_failure: true ###################### @@ -140,9 +163,14 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.anomali.created + - anomali.limo.created - message - _tmp ignore_missing: true 
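Review bot: The value extracted from the STIX pattern is moved verbatim into `threat.indicator.ip` whenever the pattern's object type is `ipv4-addr` or `ipv6-addr`, with no check that it is a single literal address; STIX 2 permits CIDR notation in `ipv4-addr:value` (e.g. `10.0.0.0/24`), and a feed can also ship a malformed value, so if `threat.indicator.ip` is mapped as ECS `ip` (the mapping is not visible here) such documents are rejected at index time and the indicator is lost. Feed content is external input, so validate it in the pipeline: add a `convert` with `type: ip` after the rename and, on failure, move the raw value aside (with a matching `fields.yml` entry) and record the reason instead of failing the document. The processor list this hunk belongs to continues past the hunk.
```yaml
# … unchanged: rename of _tmp.threatvalue to threat.indicator.ip …
- convert:
    field: threat.indicator.ip
    type: ip
    ignore_missing: true
    on_failure:
      - rename:
          field: threat.indicator.ip
          target_field: anomali.limo.unparsed_ip
      - append:
          field: error.message
          value: "threat.indicator.ip is not a valid IP literal: {{{_ingest.on_failure_message}}}"
# … unchanged: uri_parts and the remaining indicator-type branches …
```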
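Review bot: Style: the new `remove` condition for `event.original` uses `ctx?.tags`, while every other condition rewritten in this commit drops the null-safe operator on `ctx` (`ctx.anomali?.limo?...`, `ctx.threat?.indicator?...`) because `ctx` is always present; `if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"` keeps the pipeline consistent with itself. A one-line comment such as `# event.original holds the raw feed document; drop it unless the operator opted in via preserve_original_event` would also explain why this removal is conditional while the `_tmp`/`message` removal below it is unconditional.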
diff --git a/x-pack/filebeat/module/threatintel/anomali/manifest.yml b/x-pack/filebeat/module/threatintel/anomali/manifest.yml index 1087e00df8a..bdfcf20a3ad 100644 --- a/x-pack/filebeat/module/threatintel/anomali/manifest.yml +++ b/x-pack/filebeat/module/threatintel/anomali/manifest.yml @@ -8,8 +8,6 @@ var: - name: first_interval default: 24h - name: ssl - - name: types - default: indicators - name: username - name: password - name: url @@ -17,6 +15,8 @@ var: - name: tags default: [threatintel-anomali, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json index f527da1ed98..7f998f8c778 100644 --- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json @@ -1,5 +1,20 @@ [ { + "anomali.limo.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28", + "anomali.limo.labels": [ + "malicious-activity", + "threatstream-confidence-76", + "threatstream-severity-medium" + ], + "anomali.limo.modified": "2020-01-22T02:58:57.431Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.431Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -16,32 +31,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.431Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.431Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:57.503Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.431Z", - "threatintel.indicator.first_seen": 
"2020-01-22T02:58:57.431Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.503Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -58,32 +75,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.503Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.503Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:57.570Z", + "anomali.limo.name": "mal_url: http://f0387770.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-22T02:58:57.503Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:57.503Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.57Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -100,31 +119,33 @@ "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.570Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387770.xsph.ru", + "threat.indicator.url.full": "http://f0387770.xsph.ru/login", + "threat.indicator.url.original": "http://f0387770.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", + "anomali.limo.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-71", + "threatstream-confidence-50", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.570Z", - "threatintel.anomali.name": "mal_url: http://f0387770.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:59.366Z", + "anomali.limo.name": "mal_url: http://178.62.187.103/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.57Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:57.570Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "f0387770.xsph.ru", - "threatintel.indicator.url.full": "http://f0387770.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0387770.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://178.62.187.103/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:59.366Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -141,31 +162,33 @@ "threatstream-confidence-50", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", - "threatintel.anomali.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:59.366Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "178.62.187.103", + "threat.indicator.url.full": "http://178.62.187.103/login", + "threat.indicator.url.original": "http://178.62.187.103/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-50", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:59.366Z", - "threatintel.anomali.name": "mal_url: http://178.62.187.103/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:59.457Z", + "anomali.limo.name": "mal_url: http://appareluea.com/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://178.62.187.103/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:59.366Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "178.62.187.103", - 
"threatintel.indicator.url.full": "http://178.62.187.103/login", - "threatintel.indicator.url.original": "http://178.62.187.103/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:59.457Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -182,32 +205,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:59.457Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "appareluea.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://appareluea.com/panel/admin.php", + "threat.indicator.url.original": "http://appareluea.com/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:59.457Z", - "threatintel.anomali.name": "mal_url: http://appareluea.com/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:06.402Z", + "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:59.457Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:59.457Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "appareluea.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://appareluea.com/panel/admin.php", - "threatintel.indicator.url.original": "http://appareluea.com/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:06.402Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -224,32 +249,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:06.402Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "nkpotu.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php", + "threat.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", + "threat.indicator.url.path": "/Kpot3/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", + "anomali.limo.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-49", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:06.402Z", - "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:19.990Z", + "anomali.limo.name": "mal_ip: 162.144.128.116", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:06.402Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:06.402Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "nkpotu.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php", - "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", - "threatintel.indicator.url.path": "/Kpot3/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '162.144.128.116']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:19.99Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -266,27 +293,29 @@ "threatstream-confidence-49", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", - "threatintel.anomali.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:19.990Z", + "threat.indicator.ip": "162.144.128.116", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-49", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:19.990Z", - "threatintel.anomali.name": "mal_ip: 162.144.128.116", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:20.155Z", + "anomali.limo.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '162.144.128.116']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:19.99Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:19.990Z", - "threatintel.indicator.ip": "162.144.128.116", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:20.155Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -303,32 +332,34 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:20.155Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ntrcgroup.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php", + "threat.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", + "threat.indicator.url.path": "/nze/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:20.155Z", - "threatintel.anomali.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:25.521Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:20.155Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:20.155Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ntrcgroup.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.indicator.url.path": "/nze/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:25.521Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -345,32 +376,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:25.521Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:25.521Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:25.626Z", + "anomali.limo.name": "mal_url: http://f0390764.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:25.521Z", - "threatintel.indicator.first_seen": 
"2020-01-22T02:59:25.521Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:25.626Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -387,31 +420,33 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:25.626Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0390764.xsph.ru", + "threat.indicator.url.full": "http://f0390764.xsph.ru/login", + "threat.indicator.url.original": "http://f0390764.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:25.626Z", - "threatintel.anomali.name": "mal_url: http://f0390764.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:36.461Z", + "anomali.limo.name": "mal_ip: 45.143.138.39", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:25.626Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": 
"f0390764.xsph.ru", - "threatintel.indicator.url.full": "http://f0390764.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0390764.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '45.143.138.39']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:36.461Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -428,27 +463,29 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:36.461Z", + "threat.indicator.ip": "45.143.138.39", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", + "anomali.limo.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:36.461Z", - "threatintel.anomali.name": "mal_ip: 45.143.138.39", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:41.193Z", + "anomali.limo.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '45.143.138.39']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:36.461Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:36.461Z", - "threatintel.indicator.ip": "45.143.138.39", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:41.193Z", "event.category": 
"threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -465,32 +502,34 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:41.193Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "aglfreight.com.my", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:41.193Z", - "threatintel.anomali.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:41.228Z", + "anomali.limo.name": "mal_url: http://95.182.122.184/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:41.193Z", - 
"threatintel.indicator.first_seen": "2020-01-22T02:59:41.193Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "aglfreight.com.my", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://95.182.122.184/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:41.228Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -507,31 +546,33 @@ "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:41.228Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "95.182.122.184", + "threat.indicator.url.full": "http://95.182.122.184/", + "threat.indicator.url.original": "http://95.182.122.184/", + "threat.indicator.url.path": "/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-61", + "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:41.228Z", - "threatintel.anomali.name": "mal_url: http://95.182.122.184/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:51.313Z", + "anomali.limo.name": "mal_ip: 198.54.115.121", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://95.182.122.184/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:41.228Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "95.182.122.184", - "threatintel.indicator.url.full": 
"http://95.182.122.184/", - "threatintel.indicator.url.original": "http://95.182.122.184/", - "threatintel.indicator.url.path": "/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '198.54.115.121']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:51.313Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -548,27 +589,29 @@ "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:51.313Z", + "threat.indicator.ip": "198.54.115.121", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-62", + "threatstream-confidence-38", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:51.313Z", - "threatintel.anomali.name": "mal_ip: 198.54.115.121", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:51.372Z", + "anomali.limo.name": "mal_ip: 192.185.119.172", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '198.54.115.121']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:51.313Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:51.313Z", - "threatintel.indicator.ip": "198.54.115.121", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.185.119.172']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:51.372Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": 
"enrichment", 
@@ -585,27 +628,29 @@ "threatstream-confidence-38", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:51.372Z", + "threat.indicator.ip": "192.185.119.172", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-38", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:51.372Z", - "threatintel.anomali.name": "mal_ip: 192.185.119.172", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:51.442Z", + "anomali.limo.name": "mal_url: http://f0389246.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.119.172']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:51.372Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:51.372Z", - "threatintel.indicator.ip": "192.185.119.172", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0389246.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:51.442Z", "event.category": 
"threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -622,31 +667,33 @@ "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:51.442Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0389246.xsph.ru", + "threat.indicator.url.full": "http://f0389246.xsph.ru/login", + "threat.indicator.url.original": "http://f0389246.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--213519c9-f511-4188-89c8-159f35f08008", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-61", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:51.442Z", - "threatintel.anomali.name": "mal_url: http://f0389246.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:01.563Z", + "anomali.limo.name": "mal_url: http://appareluea.com/server/cp.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0389246.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:51.442Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "f0389246.xsph.ru", - "threatintel.indicator.url.full": "http://f0389246.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0389246.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://appareluea.com/server/cp.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:01.563Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -663,32 +710,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--213519c9-f511-4188-89c8-159f35f08008", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:01.563Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "appareluea.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://appareluea.com/server/cp.php", + "threat.indicator.url.original": "http://appareluea.com/server/cp.php", + "threat.indicator.url.path": "/server/cp.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:01.563Z", - "threatintel.anomali.name": "mal_url: http://appareluea.com/server/cp.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:03.138Z", + "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/server/cp.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:01.563Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:01.563Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "appareluea.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://appareluea.com/server/cp.php", - "threatintel.indicator.url.original": "http://appareluea.com/server/cp.php", - "threatintel.indicator.url.path": "/server/cp.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:03.138Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -705,32 +754,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:03.138Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "nkpotu.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php", + "threat.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php", + "threat.indicator.url.path": "/Kpot2/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:03.138Z", - "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:03.396Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:03.138Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:03.138Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "nkpotu.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php", - "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php", - "threatintel.indicator.url.path": "/Kpot2/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:03.396Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -747,32 +798,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:03.396Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:03.396Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:03.642Z", + "anomali.limo.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:03.396Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:03.396Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:03.642Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -789,32 +842,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:03.642Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "mecharnise.ir", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php", + "threat.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php", + "threat.indicator.url.path": "/ca4/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:03.642Z", - "threatintel.anomali.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:27.534Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:03.642Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:03.642Z", - "threatintel.indicator.provider": 
"CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "mecharnise.ir", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php", - "threatintel.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php", - "threatintel.indicator.url.path": "/ca4/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:27.534Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -831,32 +886,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:27.534Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime", + "anomali.limo.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:27.534Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:27.591Z", + "anomali.limo.name": "mal_url: http://kironofer.com/webpanel/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:27.534Z", - "threatintel.indicator.first_seen": 
"2020-01-22T03:00:27.534Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:27.591Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -873,32 +930,34 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime", - "threatintel.anomali.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:27.591Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "kironofer.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://kironofer.com/webpanel/login.php", + "threat.indicator.url.original": "http://kironofer.com/webpanel/login.php", + "threat.indicator.url.path": "/webpanel/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:27.591Z", - "threatintel.anomali.name": "mal_url: http://kironofer.com/webpanel/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:45.787Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:27.591Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:27.591Z", 
- "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "kironofer.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://kironofer.com/webpanel/login.php", - "threatintel.indicator.url.original": "http://kironofer.com/webpanel/login.php", - "threatintel.indicator.url.path": "/webpanel/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:45.787Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -915,32 +974,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:45.787Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime", + "anomali.limo.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-91", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:45.787Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:45.841Z", + "anomali.limo.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-22T03:00:45.787Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:45.787Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:45.841Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -957,32 +1018,34 @@ "threatstream-confidence-91", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime", - "threatintel.anomali.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:45.841Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "smartlinktelecom.top", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php", + "threat.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php", + "threat.indicator.url.path": "/kings/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-91", + "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:45.841Z", - "threatintel.anomali.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:45.959Z", + "anomali.limo.name": "mal_url: http://carirero.net/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:45.841Z", - "threatintel.indicator.first_seen": 
"2020-01-22T03:00:45.841Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "smartlinktelecom.top", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php", - "threatintel.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php", - "threatintel.indicator.url.path": "/kings/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://carirero.net/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:45.959Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -999,32 +1062,34 @@ "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:45.959Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "carirero.net", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://carirero.net/login.php", + "threat.indicator.url.original": "http://carirero.net/login.php", + "threat.indicator.url.path": "/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime", + "anomali.limo.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-64", + "threatstream-confidence-30", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:45.959Z", - "threatintel.anomali.name": "mal_url: http://carirero.net/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:46.025Z", + "anomali.limo.name": "mal_ip: 74.116.84.20", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://carirero.net/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:45.959Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:45.959Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "carirero.net", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://carirero.net/login.php", - "threatintel.indicator.url.original": "http://carirero.net/login.php", - "threatintel.indicator.url.path": "/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '74.116.84.20']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:46.025Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1041,27 +1106,29 @@ "threatstream-confidence-30", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:46.025Z", + "threat.indicator.ip": "74.116.84.20", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-30", + "threatstream-confidence-43", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:46.025Z", - "threatintel.anomali.name": "mal_ip: 74.116.84.20", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:57.729Z", + "anomali.limo.name": "mal_url: http://tuu.nu/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '74.116.84.20']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:46.025Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:46.025Z", - "threatintel.indicator.ip": "74.116.84.20", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tuu.nu/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:57.729Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": 
"enrichment", 
@@ -1078,31 +1145,33 @@ "threatstream-confidence-43", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:57.729Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tuu.nu", + "threat.indicator.url.full": "http://tuu.nu/login", + "threat.indicator.url.original": "http://tuu.nu/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime", + "anomali.limo.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-43", + "threatstream-confidence-36", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:57.729Z", - "threatintel.anomali.name": "mal_url: http://tuu.nu/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:02.696Z", + "anomali.limo.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tuu.nu/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:57.729Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tuu.nu", - 
"threatintel.indicator.url.full": "http://tuu.nu/login", - "threatintel.indicator.url.original": "http://tuu.nu/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:02.696Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1119,32 +1188,34 @@ "threatstream-confidence-36", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime", - "threatintel.anomali.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:02.696Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "dulfix.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-36", + "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:02.696Z", - "threatintel.anomali.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:02.807Z", + "anomali.limo.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']", - 
"threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:02.696Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:02.696Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "dulfix.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:02.807Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1161,32 +1232,34 @@ "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:02.807Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "deliciasdvally.com.pe", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-65", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:02.807Z", - "threatintel.anomali.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:24.810Z", + "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-22T03:01:02.807Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:02.807Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "deliciasdvally.com.pe", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:24.81Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1203,32 +1276,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:24.810Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "nkpotu.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php", + "threat.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php", + "threat.indicator.url.path": "/Kpot1/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", + "anomali.limo.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:24.810Z", - "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:41.158Z", + "anomali.limo.name": "mal_ip: 194.87.147.80", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:24.81Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:24.810Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "nkpotu.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php", - "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php", - "threatintel.indicator.url.path": "/Kpot1/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '194.87.147.80']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:41.158Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1245,27 +1320,29 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", - "threatintel.anomali.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:41.158Z", + "threat.indicator.ip": "194.87.147.80", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime", + "anomali.limo.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:41.158Z", - "threatintel.anomali.name": "mal_ip: 194.87.147.80", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:57.189Z", + "anomali.limo.name": "mal_url: http://35.158.92.3/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '194.87.147.80']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:41.158Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:41.158Z", - "threatintel.indicator.ip": "194.87.147.80", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:57.189Z", "event.category": "threat", "event.dataset": 
"threatintel.anomali", "event.kind": "enrichment", 
@@ -1282,32 +1359,34 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:57.189Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "35.158.92.3", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://35.158.92.3/panel/admin.php", + "threat.indicator.url.original": "http://35.158.92.3/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-42", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:57.189Z", - "threatintel.anomali.name": "mal_url: http://35.158.92.3/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:57.279Z", + "anomali.limo.name": "mal_ip: 45.95.168.70", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:57.189Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:57.189Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "35.158.92.3", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://35.158.92.3/panel/admin.php", - "threatintel.indicator.url.original": "http://35.158.92.3/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '45.95.168.70']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:57.279Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1324,27 +1403,29 @@ "threatstream-confidence-42", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:57.279Z", + "threat.indicator.ip": "45.95.168.70", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-42", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:57.279Z", - "threatintel.anomali.name": "mal_ip: 45.95.168.70", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:02:50.570Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '45.95.168.70']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:57.279Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:57.279Z", - "threatintel.indicator.ip": "45.95.168.70", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:02:50.57Z", "event.category": "threat", "event.dataset": 
"threatintel.anomali", "event.kind": "enrichment", 
@@ -1361,32 +1442,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:02:50.570Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-26", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:02:50.570Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:02:52.496Z", + "anomali.limo.name": "mal_url: http://f0391600.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:02:50.57Z", - "threatintel.indicator.first_seen": 
"2020-01-22T03:02:50.570Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0391600.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:02:52.496Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1403,31 +1486,33 @@ "threatstream-confidence-26", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:02:52.496Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0391600.xsph.ru", + "threat.indicator.url.full": "http://f0391600.xsph.ru/login", + "threat.indicator.url.original": "http://f0391600.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-26", + "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:02:52.496Z", - "threatintel.anomali.name": "mal_url: http://f0391600.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:03:42.819Z", + "anomali.limo.name": "mal_url: http://extraclick.space/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0391600.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z", - "threatintel.indicator.first_seen": "2020-01-22T03:02:52.496Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "f0391600.xsph.ru", - "threatintel.indicator.url.full": "http://f0391600.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0391600.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://extraclick.space/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:03:42.819Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1444,32 +1529,34 @@ "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:03:42.819Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "extraclick.space", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://extraclick.space/login.php", + "threat.indicator.url.original": "http://extraclick.space/login.php", + "threat.indicator.url.path": "/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime", + "anomali.limo.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-94", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:03:42.819Z", - "threatintel.anomali.name": "mal_url: http://extraclick.space/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:03:52.044Z", + "anomali.limo.name": "mal_url: http://petrogarmani.pw/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://extraclick.space/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:03:42.819Z", - "threatintel.indicator.first_seen": "2020-01-22T03:03:42.819Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "extraclick.space", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://extraclick.space/login.php", - "threatintel.indicator.url.original": "http://extraclick.space/login.php", - "threatintel.indicator.url.path": "/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://petrogarmani.pw/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:03:52.044Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1486,32 +1573,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime", - "threatintel.anomali.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:03:52.044Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "petrogarmani.pw", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://petrogarmani.pw/login.php", + "threat.indicator.url.original": "http://petrogarmani.pw/login.php", + "threat.indicator.url.path": "/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:03:52.044Z", - "threatintel.anomali.name": "mal_url: http://petrogarmani.pw/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:01.650Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://petrogarmani.pw/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:03:52.044Z", - "threatintel.indicator.first_seen": "2020-01-22T03:03:52.044Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "petrogarmani.pw", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://petrogarmani.pw/login.php", - "threatintel.indicator.url.original": "http://petrogarmani.pw/login.php", - "threatintel.indicator.url.path": "/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:01.65Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1528,32 +1617,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:01.650Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php", + "threat.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", + "threat.indicator.url.path": "/mighty/32/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", + "anomali.limo.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-92", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:01.650Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:32.717Z", + "anomali.limo.name": "mal_url: http://zanlma.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:01.65Z", - "threatintel.indicator.first_seen": 
"2020-01-22T03:04:01.650Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.indicator.url.path": "/mighty/32/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://zanlma.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:32.717Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1570,31 +1661,33 @@ "threatstream-confidence-92", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:32.717Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "zanlma.com", + "threat.indicator.url.full": "http://zanlma.com/login", + "threat.indicator.url.original": "http://zanlma.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-92", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:32.717Z", - "threatintel.anomali.name": "mal_url: http://zanlma.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:56.858Z", + "anomali.limo.name": "mal_url: http://f0369688.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://zanlma.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:32.717Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "zanlma.com", - "threatintel.indicator.url.full": "http://zanlma.com/login", - "threatintel.indicator.url.original": "http://zanlma.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:56.858Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1611,31 +1704,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:56.858Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0369688.xsph.ru", + "threat.indicator.url.full": "http://f0369688.xsph.ru/login", + "threat.indicator.url.original": "http://f0369688.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:56.858Z", - "threatintel.anomali.name": "mal_url: http://f0369688.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:59.245Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:56.858Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "f0369688.xsph.ru", - "threatintel.indicator.url.full": "http://f0369688.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0369688.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:59.245Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1652,32 +1747,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:59.245Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-57", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:59.245Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:00:22.287Z", + "anomali.limo.name": "mal_ip: 192.185.214.199", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:59.245Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:59.245Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.185.214.199']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:00:22.287Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1694,27 +1791,29 @@ "threatstream-confidence-57", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:00:22.287Z", + "threat.indicator.ip": "192.185.214.199", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", + "anomali.limo.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-57", + "threatstream-confidence-24", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:00:22.287Z", - "threatintel.anomali.name": "mal_ip: 192.185.214.199", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:01:11.329Z", + "anomali.limo.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.214.199']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:00:22.287Z", - "threatintel.indicator.first_seen": "2020-01-23T03:00:22.287Z", - "threatintel.indicator.ip": "192.185.214.199", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": 
"2020-01-23T03:01:11.329Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1731,32 +1830,34 @@ "threatstream-confidence-24", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:01:11.329Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "softtouchcollars.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-24", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:01:11.329Z", - "threatintel.anomali.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:01:36.682Z", + "anomali.limo.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-23T03:01:11.329Z", - "threatintel.indicator.first_seen": "2020-01-23T03:01:11.329Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "softtouchcollars.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:01:36.682Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1773,32 +1874,34 @@ "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:01:36.682Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "imobiliariatirol.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php", + "threat.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", + "threat.indicator.url.path": "/gh/panelnew/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-61", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:01:36.682Z", - "threatintel.anomali.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:02:15.854Z", + "anomali.limo.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:01:36.682Z", - 
"threatintel.indicator.first_seen": "2020-01-23T03:01:36.682Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "imobiliariatirol.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.indicator.url.path": "/gh/panelnew/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:02:15.854Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1815,32 +1918,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:02:15.854Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "deliveryexpressworld.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:02:15.854Z", - "threatintel.anomali.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:02:47.364Z", + "anomali.limo.name": "mal_url: http://f0392261.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-23T03:02:15.854Z", - "threatintel.indicator.first_seen": "2020-01-23T03:02:15.854Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "deliveryexpressworld.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:02:47.364Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1857,31 +1962,33 @@ "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:02:47.364Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0392261.xsph.ru", + "threat.indicator.url.full": "http://f0392261.xsph.ru/login", + "threat.indicator.url.original": "http://f0392261.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-62", + "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:02:47.364Z", - "threatintel.anomali.name": "mal_url: http://f0392261.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:05.048Z", + "anomali.limo.name": "mal_url: http://104.168.99.168/panel/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z", - "threatintel.indicator.first_seen": "2020-01-23T03:02:47.364Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "f0392261.xsph.ru", - "threatintel.indicator.url.full": "http://f0392261.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0392261.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:05.048Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1898,32 +2005,34 @@ "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:05.048Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "104.168.99.168", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php", + "threat.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", + "threat.indicator.url.path": "/panel/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-80", + "threatstream-confidence-69", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:05.048Z", - "threatintel.anomali.name": "mal_url: http://104.168.99.168/panel/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:15.734Z", + "anomali.limo.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:05.048Z", - "threatintel.indicator.first_seen": 
"2020-01-23T03:03:05.048Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "104.168.99.168", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php", - "threatintel.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", - "threatintel.indicator.url.path": "/panel/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:15.734Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1940,32 +2049,34 @@ "threatstream-confidence-69", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:15.734Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387404.xsph.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php", + "threat.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-69", + "threatstream-confidence-72", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:15.734Z", - "threatintel.anomali.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:42.599Z", + "anomali.limo.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:15.734Z", - 
"threatintel.indicator.first_seen": "2020-01-23T03:03:15.734Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0387404.xsph.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php", - "threatintel.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:42.599Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1982,32 +2093,34 @@ "threatstream-confidence-72", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:42.599Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "a0386457.xsph.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php", + "threat.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-72", + "threatstream-confidence-74", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:42.599Z", - "threatintel.anomali.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.821Z", + "anomali.limo.name": "mal_url: http://defenseisrael.com/dis/index.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:42.599Z", - "threatintel.indicator.first_seen": "2020-01-23T03:03:42.599Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "a0386457.xsph.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php", - "threatintel.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.821Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2024,32 +2137,34 @@ "threatstream-confidence-74", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.821Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "defenseisrael.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://defenseisrael.com/dis/index.php", + "threat.indicator.url.original": "http://defenseisrael.com/dis/index.php", + "threat.indicator.url.path": "/dis/index.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. 
Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-74", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.821Z", - "threatintel.anomali.name": "mal_url: http://defenseisrael.com/dis/index.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.857Z", + "anomali.limo.name": "mal_ip: 91.215.170.249", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.821Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.821Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "defenseisrael.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://defenseisrael.com/dis/index.php", - "threatintel.indicator.url.original": "http://defenseisrael.com/dis/index.php", - "threatintel.indicator.url.path": "/dis/index.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '91.215.170.249']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.857Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2066,27 +2181,29 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.857Z", + "threat.indicator.ip": "91.215.170.249", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.857Z", - "threatintel.anomali.name": "mal_ip: 91.215.170.249", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.883Z", + "anomali.limo.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '91.215.170.249']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.857Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.857Z", - "threatintel.indicator.ip": "91.215.170.249", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.883Z", "event.category": 
"threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2103,31 +2220,33 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.883Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", + "threat.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.883Z", - "threatintel.anomali.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:12.997Z", + "anomali.limo.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.883Z", - "threatintel.indicator.provider": 
"CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:12.997Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2144,32 +2263,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:12.997Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "byedtronchgroup.yt", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:12.997Z", - "threatintel.anomali.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:13.025Z", + "anomali.limo.name": "mal_url: http://199.192.28.11/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": 
"2020-01-24T02:57:12.997Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:12.997Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "byedtronchgroup.yt", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:13.025Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2186,32 +2307,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:13.025Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "199.192.28.11", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://199.192.28.11/panel/admin.php", + "threat.indicator.url.original": "http://199.192.28.11/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:13.025Z", - "threatintel.anomali.name": "mal_url: http://199.192.28.11/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:32.901Z", + "anomali.limo.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:13.025Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:13.025Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "199.192.28.11", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://199.192.28.11/panel/admin.php", - "threatintel.indicator.url.original": "http://199.192.28.11/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:32.901Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2228,32 +2351,34 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:32.901Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "217.8.117.51", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php", + "threat.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", + "threat.indicator.url.path": "/aW8bVds1/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:32.901Z", - "threatintel.anomali.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:32.929Z", + "anomali.limo.name": "mal_url: http://lansome.site/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:32.901Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:32.901Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "217.8.117.51", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php", - "threatintel.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", - "threatintel.indicator.url.path": "/aW8bVds1/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lansome.site/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:32.929Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2270,31 +2395,33 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:32.929Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lansome.site", + "threat.indicator.url.full": "http://lansome.site/login", + "threat.indicator.url.original": "http://lansome.site/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:32.929Z", - "threatintel.anomali.name": "mal_url: http://lansome.site/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:49.028Z", + "anomali.limo.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lansome.site/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:32.929Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "lansome.site", - "threatintel.indicator.url.full": "http://lansome.site/login", - "threatintel.indicator.url.original": "http://lansome.site/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:49.028Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2311,32 +2438,34 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:49.028Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "iplusvietnam.com.vn", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:49.028Z", - "threatintel.anomali.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:03.345Z", + "anomali.limo.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 
'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:49.028Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:49.028Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "iplusvietnam.com.vn", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:03.345Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2353,32 +2482,34 @@ "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:03.345Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "leakaryadeen.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", + "anomali.limo.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-94", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:03.345Z", - "threatintel.anomali.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:16.318Z", + "anomali.limo.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": 
"2020-01-24T02:58:03.345Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:03.345Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "leakaryadeen.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:16.318Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2395,32 +2526,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:16.318Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:16.318Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:16.358Z", + "anomali.limo.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-24T02:58:16.318Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:16.318Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:16.358Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2437,32 +2570,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:16.358Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "thaubenuocngam.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:16.358Z", - "threatintel.anomali.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:32.126Z", + "anomali.limo.name": "mal_url: http://suspiciousactivity.xyz/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", 
- "threatintel.anomali.valid_from": "2020-01-24T02:58:16.358Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:16.358Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "thaubenuocngam.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:32.126Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2479,31 +2614,33 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:32.126Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "suspiciousactivity.xyz", + "threat.indicator.url.full": "http://suspiciousactivity.xyz/login", + "threat.indicator.url.original": "http://suspiciousactivity.xyz/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7", + "anomali.limo.labels": [ "malicious-activity", "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:32.126Z", - "threatintel.anomali.name": "mal_url: http://suspiciousactivity.xyz/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:37.603Z", + "anomali.limo.name": "mal_url: http://217.8.117.8/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:32.126Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "suspiciousactivity.xyz", - 
"threatintel.indicator.url.full": "http://suspiciousactivity.xyz/login", - "threatintel.indicator.url.original": "http://suspiciousactivity.xyz/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://217.8.117.8/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:37.603Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2520,31 +2657,33 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:37.603Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "217.8.117.8", + "threat.indicator.url.full": "http://217.8.117.8/login", + "threat.indicator.url.original": "http://217.8.117.8/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:37.603Z", - "threatintel.anomali.name": "mal_url: http://217.8.117.8/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:37.643Z", + "anomali.limo.name": "mal_url: http://f0387550.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.8/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:37.603Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "217.8.117.8", 
- "threatintel.indicator.url.full": "http://217.8.117.8/login", - "threatintel.indicator.url.original": "http://217.8.117.8/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:37.643Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2561,31 +2700,33 @@ "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:37.643Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387550.xsph.ru", + "threat.indicator.url.full": "http://f0387550.xsph.ru/login", + "threat.indicator.url.original": "http://f0387550.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-71", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:37.643Z", - "threatintel.anomali.name": "mal_url: http://f0387550.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:39.465Z", + "anomali.limo.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:37.643Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "f0387550.xsph.ru", - "threatintel.indicator.url.full": "http://f0387550.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0387550.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:39.465Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2602,31 +2743,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:39.465Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", + "threat.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:39.465Z", - "threatintel.anomali.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:02.031Z", + "anomali.limo.name": "mal_ip: 206.217.131.245", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:39.465Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '206.217.131.245']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:02.031Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2643,27 +2786,29 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:02.031Z", + "threat.indicator.ip": "206.217.131.245", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", + "anomali.limo.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-52", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:02.031Z", - "threatintel.anomali.name": "mal_ip: 206.217.131.245", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:15.878Z", + "anomali.limo.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '206.217.131.245']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:02.031Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:02.031Z", - "threatintel.indicator.ip": "206.217.131.245", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:15.878Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2680,32 +2825,34 @@ "threatstream-confidence-52", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:15.878Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "67.215.224.101", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php", + "threat.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", + "threat.indicator.url.path": "/a1/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-52", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:15.878Z", - "threatintel.anomali.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:29.155Z", + "anomali.limo.name": "mal_ip: 162.241.73.163", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:15.878Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:15.878Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "67.215.224.101", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php", - "threatintel.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", - "threatintel.indicator.url.path": "/a1/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '162.241.73.163']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:29.155Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2722,27 +2869,29 @@ "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:29.155Z", + "threat.indicator.ip": "162.241.73.163", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-58", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:29.155Z", - "threatintel.anomali.name": "mal_ip: 162.241.73.163", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:50.233Z", + "anomali.limo.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '162.241.73.163']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:29.155Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:29.155Z", - "threatintel.indicator.ip": "162.241.73.163", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:50.233Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2759,31 +2908,33 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:50.233Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "l60bdd58.justinstalledpanel.com", + "threat.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-25", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:50.233Z", - "threatintel.anomali.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:50.255Z", + "anomali.limo.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:50.233Z", - "threatintel.indicator.provider": 
"CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:50.255Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2800,32 +2951,34 @@ "threatstream-confidence-25", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:50.255Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "107.175.150.73", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.path": "/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-25", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:50.255Z", - "threatintel.anomali.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:52.536Z", + "anomali.limo.name": "mal_url: http://5.188.60.52/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:50.255Z", - "threatintel.indicator.first_seen": 
"2020-01-24T02:59:50.255Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "107.175.150.73", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.path": "/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://5.188.60.52/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:52.536Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2842,31 +2995,33 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:52.536Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "5.188.60.52", + "threat.indicator.url.full": "http://5.188.60.52/login", + "threat.indicator.url.original": "http://5.188.60.52/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:52.536Z", - "threatintel.anomali.name": "mal_url: http://5.188.60.52/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:54.784Z", + "anomali.limo.name": "mal_url: http://trotdeiman.ga/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://5.188.60.52/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:52.536Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "5.188.60.52", - 
"threatintel.indicator.url.full": "http://5.188.60.52/login", - "threatintel.indicator.url.original": "http://5.188.60.52/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://trotdeiman.ga/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:54.784Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2883,31 +3038,33 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:54.784Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "trotdeiman.ga", + "threat.indicator.url.full": "http://trotdeiman.ga/login", + "threat.indicator.url.original": "http://trotdeiman.ga/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:54.784Z", - "threatintel.anomali.name": "mal_url: http://trotdeiman.ga/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:54.815Z", + "anomali.limo.name": "mal_ip: 217.8.117.8", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://trotdeiman.ga/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:54.784Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "trotdeiman.ga", - "threatintel.indicator.url.full": 
"http://trotdeiman.ga/login", - "threatintel.indicator.url.original": "http://trotdeiman.ga/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.8']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:54.815Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2924,27 +3081,29 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:54.815Z", + "threat.indicator.ip": "217.8.117.8", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", + "anomali.limo.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:54.815Z", - "threatintel.anomali.name": "mal_ip: 217.8.117.8", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:01.726Z", + "anomali.limo.name": "mal_ip: 104.223.170.113", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.8']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:54.815Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:54.815Z", - "threatintel.indicator.ip": "217.8.117.8", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '104.223.170.113']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:01.726Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2961,27 +3120,29 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:01.726Z", + "threat.indicator.ip": "104.223.170.113", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:01.726Z", - "threatintel.anomali.name": "mal_ip: 104.223.170.113", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:01.762Z", + "anomali.limo.name": "mal_url: http://tavim.org/includes/firmino/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '104.223.170.113']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:01.726Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:01.726Z", - "threatintel.indicator.ip": "104.223.170.113", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:01.762Z", "event.category": 
"threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2998,32 +3159,34 @@ "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:01.762Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tavim.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://tavim.org/includes/firmino/admin.php", + "threat.indicator.url.original": "http://tavim.org/includes/firmino/admin.php", + "threat.indicator.url.path": "/includes/firmino/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-58", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:01.762Z", - "threatintel.anomali.name": "mal_url: http://tavim.org/includes/firmino/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:10.928Z", + "anomali.limo.name": "mal_url: http://onlinesecuritycenter.xyz/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:01.762Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:01.762Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tavim.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://tavim.org/includes/firmino/admin.php", - "threatintel.indicator.url.original": "http://tavim.org/includes/firmino/admin.php", - "threatintel.indicator.url.path": "/includes/firmino/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:10.928Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3040,31 +3203,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:10.928Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "onlinesecuritycenter.xyz", + "threat.indicator.url.full": "http://onlinesecuritycenter.xyz/login", + "threat.indicator.url.original": "http://onlinesecuritycenter.xyz/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", + "anomali.limo.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:10.928Z", - "threatintel.anomali.name": "mal_url: http://onlinesecuritycenter.xyz/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:20.166Z", + "anomali.limo.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:10.928Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", 
- "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz", - "threatintel.indicator.url.full": "http://onlinesecuritycenter.xyz/login", - "threatintel.indicator.url.original": "http://onlinesecuritycenter.xyz/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:20.166Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3081,32 +3246,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:20.166Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:20.166Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:24.048Z", + "anomali.limo.name": "mal_url: http://jumbajumbadun.fun/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:20.166Z", - "threatintel.indicator.first_seen": 
"2020-01-24T03:00:20.166Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://jumbajumbadun.fun/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:24.048Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3123,31 +3290,33 @@ "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:24.048Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "jumbajumbadun.fun", + "threat.indicator.url.full": "http://jumbajumbadun.fun/login", + "threat.indicator.url.original": "http://jumbajumbadun.fun/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-90", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:24.048Z", - "threatintel.anomali.name": "mal_url: http://jumbajumbadun.fun/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:55.816Z", + "anomali.limo.name": "mal_url: http://tavim.org/includes/salah/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://jumbajumbadun.fun/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:24.048Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": 
"jumbajumbadun.fun", - "threatintel.indicator.url.full": "http://jumbajumbadun.fun/login", - "threatintel.indicator.url.original": "http://jumbajumbadun.fun/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:55.816Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3164,32 +3333,34 @@ "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:55.816Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tavim.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://tavim.org/includes/salah/admin.php", + "threat.indicator.url.original": "http://tavim.org/includes/salah/admin.php", + "threat.indicator.url.path": "/includes/salah/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-58", + "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:55.816Z", - "threatintel.anomali.name": "mal_url: http://tavim.org/includes/salah/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:01:10.501Z", + "anomali.limo.name": "mal_url: http://l0c23205.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:55.816Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:55.816Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tavim.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://tavim.org/includes/salah/admin.php", - "threatintel.indicator.url.original": "http://tavim.org/includes/salah/admin.php", - "threatintel.indicator.url.path": "/includes/salah/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:01:10.501Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3206,31 +3377,33 @@ "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:01:10.501Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "l0c23205.justinstalledpanel.com", + "threat.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-80", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:01:10.501Z", - "threatintel.anomali.name": "mal_url: http://l0c23205.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:01:10.518Z", + "anomali.limo.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z", - "threatintel.indicator.first_seen": "2020-01-24T03:01:10.501Z", - "threatintel.indicator.provider": "CyberCrime", 
- "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:01:10.518Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3247,31 +3420,33 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:01:10.518Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "l535e9e5.justinstalledpanel.com", + "threat.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:01:10.518Z", - "threatintel.anomali.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:01:14.843Z", + "anomali.limo.name": "mal_ip: 217.8.117.47", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z", - "threatintel.indicator.first_seen": "2020-01-24T03:01:10.518Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.47']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:01:14.843Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3288,27 +3463,29 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:01:14.843Z", + "threat.indicator.ip": "217.8.117.47", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:01:14.843Z", - "threatintel.anomali.name": "mal_ip: 217.8.117.47", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:12.699Z", + "anomali.limo.name": "mal_url: http://46.161.27.57/northon/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.47']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:01:14.843Z", - "threatintel.indicator.first_seen": "2020-01-24T03:01:14.843Z", - "threatintel.indicator.ip": "217.8.117.47", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://46.161.27.57/northon/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:12.699Z", "event.category": "threat", "event.dataset": "threatintel.anomali", 
"event.kind": "enrichment", 
@@ -3325,31 +3502,33 @@ "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:12.699Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "46.161.27.57", + "threat.indicator.url.full": "http://46.161.27.57/northon/", + "threat.indicator.url.original": "http://46.161.27.57/northon/", + "threat.indicator.url.path": "/northon/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-67", + "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:12.699Z", - "threatintel.anomali.name": "mal_url: http://46.161.27.57/northon/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:28.034Z", + "anomali.limo.name": "mal_url: http://104.168.99.170/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57/northon/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:12.699Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "46.161.27.57", - "threatintel.indicator.url.full": "http://46.161.27.57/northon/", - "threatintel.indicator.url.original": "http://46.161.27.57/northon/", - "threatintel.indicator.url.path": "/northon/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://104.168.99.170/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:28.034Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3366,31 +3545,33 @@ "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:28.034Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "104.168.99.170", + "threat.indicator.url.full": "http://104.168.99.170/login", + "threat.indicator.url.original": "http://104.168.99.170/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-90", + "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:28.034Z", - "threatintel.anomali.name": "mal_url: http://104.168.99.170/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:38.187Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.170/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:28.034Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "104.168.99.170", - "threatintel.indicator.url.full": "http://104.168.99.170/login", - "threatintel.indicator.url.original": "http://104.168.99.170/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:38.187Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3407,32 +3588,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:38.187Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-89", + "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:38.187Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:38.214Z", + "anomali.limo.name": "mal_url: http://f0391587.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": 
"2020-01-25T02:57:38.187Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:38.187Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0391587.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:38.214Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3449,31 +3632,33 @@ "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:38.214Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0391587.xsph.ru", + "threat.indicator.url.full": "http://f0391587.xsph.ru/login", + "threat.indicator.url.original": "http://f0391587.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-65", + "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:38.214Z", - "threatintel.anomali.name": "mal_url: http://f0391587.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:47.281Z", + "anomali.limo.name": "mal_url: http://46.161.27.57:8080/northon/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0391587.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:38.214Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0391587.xsph.ru", - "threatintel.indicator.url.full": "http://f0391587.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0391587.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:47.281Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3490,32 +3675,34 @@ "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:47.281Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "46.161.27.57", + "threat.indicator.url.full": "http://46.161.27.57:8080/northon/", + "threat.indicator.url.original": "http://46.161.27.57:8080/northon/", + "threat.indicator.url.path": "/northon/", + "threat.indicator.url.port": 8080, + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-67", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:47.281Z", - "threatintel.anomali.name": "mal_url: http://46.161.27.57:8080/northon/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:51.296Z", + "anomali.limo.name": "mal_url: http://f0393086.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:47.281Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "46.161.27.57", - "threatintel.indicator.url.full": "http://46.161.27.57:8080/northon/", - "threatintel.indicator.url.original": "http://46.161.27.57:8080/northon/", - "threatintel.indicator.url.path": "/northon/", - "threatintel.indicator.url.port": 8080, - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0393086.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:51.296Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3532,31 +3719,33 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:51.296Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0393086.xsph.ru", + "threat.indicator.url.full": "http://f0393086.xsph.ru/login", + "threat.indicator.url.original": "http://f0393086.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:51.296Z", - "threatintel.anomali.name": "mal_url: http://f0393086.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:56.007Z", + "anomali.limo.name": "mal_url: http://insuncos.com/files1/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0393086.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:51.296Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "f0393086.xsph.ru", - "threatintel.indicator.url.full": "http://f0393086.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0393086.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:56.007Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3573,32 +3762,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:56.007Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "insuncos.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://insuncos.com/files1/panel/admin.php", + "threat.indicator.url.original": "http://insuncos.com/files1/panel/admin.php", + "threat.indicator.url.path": "/files1/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime", + "anomali.limo.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:56.007Z", - "threatintel.anomali.name": "mal_url: http://insuncos.com/files1/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:56.044Z", + "anomali.limo.name": "mal_url: http://tg-h.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:56.007Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:56.007Z", - "threatintel.indicator.provider": 
"CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "insuncos.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://insuncos.com/files1/panel/admin.php", - "threatintel.indicator.url.original": "http://insuncos.com/files1/panel/admin.php", - "threatintel.indicator.url.path": "/files1/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tg-h.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:56.044Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3615,31 +3806,33 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime", - "threatintel.anomali.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:56.044Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tg-h.ru", + "threat.indicator.url.full": "http://tg-h.ru/login", + "threat.indicator.url.original": "http://tg-h.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-89", + "threatstream-confidence-86", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:56.044Z", - "threatintel.anomali.name": "mal_url: http://tg-h.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:11.038Z", + "anomali.limo.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tg-h.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:56.044Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "tg-h.ru", - "threatintel.indicator.url.full": "http://tg-h.ru/login", - "threatintel.indicator.url.original": "http://tg-h.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:11.038Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3656,32 +3849,34 @@ "threatstream-confidence-86", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:11.038Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "wusetwo.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", + "anomali.limo.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-86", + "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:11.038Z", - "threatintel.anomali.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:20.420Z", + "anomali.limo.name": "mal_url: http://185.234.217.36/northon/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 
'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:11.038Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:11.038Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "wusetwo.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://185.234.217.36/northon/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:20.42Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3698,31 +3893,33 @@ "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:20.420Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "185.234.217.36", + "threat.indicator.url.full": "http://185.234.217.36/northon/", + "threat.indicator.url.original": "http://185.234.217.36/northon/", + "threat.indicator.url.path": "/northon/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime", + "anomali.limo.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-64", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:20.420Z", - "threatintel.anomali.name": "mal_url: http://185.234.217.36/northon/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:20.448Z", + "anomali.limo.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://185.234.217.36/northon/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:20.42Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:20.420Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "185.234.217.36", - "threatintel.indicator.url.full": "http://185.234.217.36/northon/", - "threatintel.indicator.url.original": "http://185.234.217.36/northon/", - "threatintel.indicator.url.path": "/northon/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:20.448Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3739,32 +3936,34 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:20.448Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "topik07.mcdir.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php", + "threat.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php", + "threat.indicator.url.path": "/papka/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:20.448Z", - "threatintel.anomali.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:33.189Z", + "anomali.limo.name": "mal_url: http://insuncos.com/files2/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:20.448Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:20.448Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "topik07.mcdir.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php", - "threatintel.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php", - "threatintel.indicator.url.path": "/papka/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:33.189Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3781,32 +3980,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:33.189Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "insuncos.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://insuncos.com/files2/panel/admin.php", + "threat.indicator.url.original": "http://insuncos.com/files2/panel/admin.php", + "threat.indicator.url.path": "/files2/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", + "anomali.limo.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-47", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:33.189Z", - "threatintel.anomali.name": "mal_url: http://insuncos.com/files2/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:49.056Z", + "anomali.limo.name": "mal_url: http://185.234.218.68/kaspersky/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:33.189Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:33.189Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "insuncos.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://insuncos.com/files2/panel/admin.php", - "threatintel.indicator.url.original": "http://insuncos.com/files2/panel/admin.php", - "threatintel.indicator.url.path": "/files2/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:49.056Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3823,31 +4024,33 @@ "threatstream-confidence-47", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:49.056Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "185.234.218.68", + "threat.indicator.url.full": "http://185.234.218.68/kaspersky/", + "threat.indicator.url.original": "http://185.234.218.68/kaspersky/", + "threat.indicator.url.path": "/kaspersky/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-47", + "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:49.056Z", - "threatintel.anomali.name": "mal_url: http://185.234.218.68/kaspersky/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:59.472Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:49.056Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "185.234.218.68", - "threatintel.indicator.url.full": "http://185.234.218.68/kaspersky/", - "threatintel.indicator.url.original": "http://185.234.218.68/kaspersky/", - "threatintel.indicator.url.path": "/kaspersky/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:59.472Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3864,32 +4067,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:59.472Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae", + "anomali.limo.labels": [ "malicious-activity", "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:59.472Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:27.070Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:59.472Z", - "threatintel.indicator.first_seen": 
"2020-01-25T02:58:59.472Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:27.07Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3906,32 +4111,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:27.070Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23", + "anomali.limo.labels": [ "malicious-activity", "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:27.070Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:28.967Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:27.07Z", - "threatintel.indicator.first_seen": 
"2020-01-25T02:59:27.070Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:28.967Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3948,32 +4155,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:28.967Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. 
Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-89", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:28.967Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:37.661Z", + "anomali.limo.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:28.967Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:28.967Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:37.661Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -3990,32 +4199,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:37.661Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-53", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:37.661Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:37.692Z", + "anomali.limo.name": "mal_ip: 192.64.118.56", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:37.661Z", - "threatintel.indicator.first_seen": 
"2020-01-25T02:59:37.661Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.64.118.56']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:37.692Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -4032,27 +4243,29 @@ "threatstream-confidence-53", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:37.692Z", + "threat.indicator.ip": "192.64.118.56", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-53", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:37.692Z", - "threatintel.anomali.name": "mal_ip: 192.64.118.56", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:54.296Z", + "anomali.limo.name": "mal_url: http://insuncos.com/files3/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.64.118.56']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:37.692Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:37.692Z", - "threatintel.indicator.ip": "192.64.118.56", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:54.296Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -4069,29 +4282,16 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a", - "threatintel.anomali.labels": [ - "malicious-activity", - "threatstream-confidence-87", - "threatstream-severity-medium" - ], - "threatintel.anomali.modified": "2020-01-25T02:59:54.296Z", - "threatintel.anomali.name": "mal_url: http://insuncos.com/files3/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:54.296Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:54.296Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "insuncos.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://insuncos.com/files3/panel/admin.php", - "threatintel.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", - "threatintel.indicator.url.path": "/files3/panel/admin.php", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:54.296Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "insuncos.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://insuncos.com/files3/panel/admin.php", + "threat.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", + "threat.indicator.url.path": "/files3/panel/admin.php", + 
"threat.indicator.url.scheme": "http" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml index de0ededab33..41fae21921c 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: anomalithreatstream +- name: anomali.threatstream type: group description: > Fields for Anomali ThreatStream diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml index f6cfe024305..4d814c03fe5 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml @@ -1,7 +1,6 @@ {{ if eq .input "http_endpoint" }} type: http_endpoint -enabled: true listen_address: {{ .listen_address }} listen_port: {{ .listen_port }} @@ -16,12 +15,12 @@ hmac: prefix: sha256= {{ end }} -{{ if .ssl_certificate }} -ssl: - enabled: true - certificate: {{ .ssl_certificate }} - key: {{ .ssl_key }} - verification_mode: none +{{ if .ssl }} +ssl: {{ .ssl | tojson }} +{{ end }} + +{{ if .preserve_original_event }} +preserve_original_event: true {{ end }} {{ else if eq .input "file" }} 
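Review bot: The new `ssl: {{ .ssl | tojson }}` form drops the hard-coded `verification_mode: none` the old template forced onto the http_endpoint listener, which is the right direction, but nothing in the template says what shape the `ssl` map takes or that `ssl_certificate`/`ssl_key` no longer exist (the manifest.yml hunk later in this commit removes those vars). An existing config that still sets `ssl_certificate` will now render with no `ssl:` block at all and the listener comes up without TLS, so this deserves a comment above the block, `# ssl is passed through verbatim to the http_endpoint input; set certificate, key and verification_mode here`, and a breaking-change note for the module (none is in view here). The `preserve_original_event` block added below it is fine as is.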
@@ -35,24 +34,12 @@ exclude_files: [".gz$"] json.add_error_key: true {{ end }} -tags: {{.tags | tojson}} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - fingerprint: - fields: - - event.dataset - - json.id - target_field: '@metadata._id' - encoding: base64 - - script: - lang: javascript - id: my_filter - source: > - function process(event) { - event.Put("@metadata.op_type", "index"); - } +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml index 22644d79518..50b5c6c7bb2 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml @@ -1,19 +1,21 @@ +--- description: Pipeline for parsing Anomali ThreatStream processors: - # - # Safeguard against feeding the pipeline with documents other - # that the ones generated by Filebeat's http_endpoint input. - # - - fail: - if: "ctx.json == null || !(ctx.json instanceof Map)" - message: "missing json object in input document" - # # Set basic ECS fields. # - set: field: event.ingested value: "{{{ _ingest.timestamp }}}" + - set: + field: ecs.version + value: "1.12" + - fingerprint: + fields: + - event.dataset + - json.id + target_field: "_id" + ignore_missing: true - set: field: event.kind value: enrichment 
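Review bot: Moving the fingerprint into the ingest pipeline with `ignore_missing: true` changes the dedup key: if I read the fingerprint processor correctly, a document whose `json.id` is absent is still hashed from `event.dataset` alone, so every such document collides on one `_id` and overwrites the previous one, whereas the removed Beat-side processor simply produced no `_id` for it. Add `if: ctx.json?.id != null` to the fingerprint processor (with or without `ignore_missing`) so the fallback never fires. The removed `fail` safeguard is compensated by the `ctx.json?.` null-safe conditions elsewhere in this file, but a one-line comment stating that `_id` is now assigned server-side from `event.dataset` + `json.id` would help the next maintainer; this hunk ends inside the processors list.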
@@ -24,14 +26,21 @@ processors: field: event.type value: indicator + - set: + field: threat.feed.name + value: "[Filebeat] Anomali ThreatStream" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" + # - # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). # - script: lang: painless if: "ctx.json.itype != null" description: > - Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). params: actor_ip: ipv4-addr adware_domain: domain-name @@ -125,26 +134,26 @@ processors: - rename: field: threatintel_indicator_type - target_field: threatintel.indicator.type + target_field: threat.indicator.type ignore_missing: true # # Detect ipv6 for ipv4-addr types. # - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")' + if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json?.srcip != null && ctx.json.srcip.contains(":")' # # Map first and last seen dates. # - date: field: json.date_first - target_field: threatintel.indicator.first_seen + target_field: threat.indicator.first_seen formats: - ISO8601 - if: "ctx.json.date_first != null" + if: "ctx.json?.date_first != null" on_failure: - append: field: error.message @@ -152,10 +161,10 @@ processors: - date: field: json.date_last - target_field: threatintel.indicator.last_seen + target_field: threat.indicator.last_seen formats: - ISO8601 - if: "ctx.json.date_last != null" + if: "ctx.json?.date_last != null" on_failure: - append: field: error.message 
@@ -166,18 +175,18 @@ processors: # - convert: field: json.lat - target_field: threatintel.indicator.geo.location.lat + target_field: threat.indicator.geo.location.lat type: double - if: "ctx.json.lat != null && ctx.json.lon != null" + if: "ctx.json?.lat != null && ctx.json?.lon != null" on_failure: - append: field: error.message value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}' - convert: field: json.lon - target_field: threatintel.indicator.geo.location.lon + target_field: threat.indicator.geo.location.lon type: double - if: "ctx.json.lat != null && ctx.json.lon != null" + if: "ctx.json?.lat != null && ctx.json?.lon != null" on_failure: - append: field: error.message 
@@ -190,25 +199,40 @@ processors: # private => Amber ("Limited disclosure, restricted to participants’ organizations."). # - append: - field: threatintel.indicator.marking.tlp + field: threat.indicator.marking.tlp value: Amber - if: 'ctx.json.classification == "private"' + if: 'ctx.json?.classification == "private"' - append: - field: threatintel.indicator.marking.tlp + field: threat.indicator.marking.tlp value: White - if: 'ctx.json.classification == "public"' + if: 'ctx.json?.classification == "public"' # # Convert confidence field (-1..100) to ECS confidence (0..10). # - script: lang: painless + if: ctx.json?.confidence != null description: > Normalize confidence level. source: > def value = ctx.json.confidence; - if (value == null || value < 0.0 || value > 100.0) return; - ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0); + if (value <= 0.0 || value > 100.0) { + ctx["threatintel_indicator_confidence"] = "None"; + return; + } + if (value >= 1.0 && value <= 29.0) { + ctx["threatintel_indicator_confidence"] = "Low"; + return; + } + if (value >= 30.0 && value <= 69.0) { + ctx["threatintel_indicator_confidence"] = "Med"; + return; + } + if (value >= 70 && value <= 100) { + ctx["threatintel_indicator_confidence"] = "High"; + return; + } on_failure: - append: field: error.message @@ -216,7 +240,7 @@ processors: - rename: field: threatintel_indicator_confidence - target_field: threatintel.indicator.confidence + target_field: threat.indicator.confidence ignore_missing: true # @@ -224,7 +248,7 @@ processors: # - convert: field: json.asn - target_field: threatintel.indicator.as.number + target_field: threat.indicator.as.number type: long ignore_missing: true on_failure: 
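Review bot: The normalized confidence written for the 30–69 band is `"Med"`, but ECS documents the expected values of `threat.indicator.confidence` as `Not Specified`, `None`, `Low`, `Medium` and `High`, so `"Med"` will not line up with ECS-based rules or dashboards keyed on `Medium` (the expected test output later in this commit also pins `"Med"` and would need updating). The four range checks also leave gaps: a value such as 29.5 or 69.5 satisfies none of them and the field is never set, and the new `if: ctx.json?.confidence != null` guard does not cover that case. A threshold chain closes the gaps and makes the mapping obvious; the `on_failure` block and the rename that follows stay as they are.
```yaml
      source: >
        def value = ctx.json.confidence;
        if (value <= 0.0 || value > 100.0) {
          ctx["threatintel_indicator_confidence"] = "None";
        } else if (value < 30.0) {
          ctx["threatintel_indicator_confidence"] = "Low";
        } else if (value < 70.0) {
          ctx["threatintel_indicator_confidence"] = "Medium";
        } else {
          ctx["threatintel_indicator_confidence"] = "High";
        }
      # … unchanged: on_failure …
```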
@@ -234,41 +258,41 @@ processors: - rename: field: json.org - target_field: threatintel.indicator.as.organization.name + target_field: threat.indicator.as.organization.name ignore_missing: true - rename: field: json.email - target_field: threatintel.indicator.email.address + target_field: threat.indicator.email.address ignore_missing: true - rename: field: json.srcip - target_field: threatintel.indicator.ip + target_field: threat.indicator.ip ignore_missing: true - uri_parts: field: json.url - target_field: threatintel.indicator.url + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: "ctx.json.url != null" + if: "ctx.json?.url != null" on_failure: - append: field: error.message value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}" - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - rename: field: json.domain - target_field: threatintel.indicator.url.domain + target_field: threat.indicator.url.domain ignore_missing: true - if: ctx.threatintel?.indicator?.url?.domain == null + if: ctx.threat?.indicator?.url?.domain == null - rename: field: json.country - target_field: threatintel.indicator.geo.country_iso_code + target_field: threat.indicator.geo.country_iso_code ignore_missing: true # 
@@ -277,27 +301,27 @@ processors: # - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.md5 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 32" + target_field: threat.indicator.file.hash.md5 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 32" - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.sha1 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 40" + target_field: threat.indicator.file.hash.sha1 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 40" - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.sha256 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 64" + target_field: threat.indicator.file.hash.sha256 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 64" - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.sha512 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 128" + target_field: threat.indicator.file.hash.sha512 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 128" - rename: field: json.source - target_field: threatintel.indicator.provider + target_field: threat.indicator.provider ignore_missing: true # @@ -310,22 +334,22 @@ processors: - set: field: event.severity value: 3 - if: 'ctx.json.severity == "low"' + if: 'ctx.json?.severity == "low"' - set: field: event.severity value: 5 - if: 'ctx.json.severity == "medium"' + if: 'ctx.json?.severity == "medium"' - set: field: event.severity value: 7 - if: 'ctx.json.severity == "high"' + if: 'ctx.json?.severity == "high"' - set: field: event.severity value: 9 - if: 'ctx.json.severity == "very-high"' + if: 'ctx.json?.severity == "very-high"' # # Field trusted_circles_ids is a comma-separated string 
@@ -335,24 +359,16 @@ processors: # - script: lang: painless - if: "ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String" + if: "ctx.json?.trusted_circle_ids != null && ctx.json?.trusted_circle_ids instanceof String" description: > Convert trusted_circles_ids from CSV to an array. source: > - def lst = - Stream.of(ctx.json.trusted_circle_ids.splitOnToken(",")) - .filter(s -> !s.isEmpty()) - .toArray(String[]::new); - if (lst.length > 0) { + def lst = Stream.of(ctx.json.trusted_circle_ids.splitOnToken(',')).filter(s -> !s.isEmpty()).collect(Collectors.toList()); + if (lst.size() > 0) { ctx.json.trusted_circle_ids = lst; } else { ctx.json.remove('trusted_circle_ids'); } - on_failure: - - append: - field: error.message - value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}' - # # Split detail field and append each component to ECS tags field. # @@ -372,10 +388,33 @@ processors: append: field: tags value: "{{{ _ingest._value }}}" - + # + # Convert certain fields to the correct value + # + - convert: + field: json.id + type: string + if: "ctx.json?.id != null" + - convert: + field: json.source_feed_id + type: string + if: "ctx.json?.source_feed_id != null" + - convert: + field: json.update_id + type: string + if: "ctx.json?.update_id != null" + - convert: + field: json.import_session_id + type: string + if: "ctx.json?.import_session_id != null" # # Remove fields converted to an ECS field. # + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - json.asn @@ -391,7 +430,7 @@ processors: # - rename: field: json - target_field: threatintel.anomalithreatstream + target_field: anomali.threatstream on_failure: - append: 
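Review bot: The `on_failure` handler that appended to `error.message` when the trusted_circle_ids script failed has been removed, so a Painless error in that script now falls through to the pipeline-level `on_failure` and every processor after it (the hash, provider and severity mappings, the `event.original` removal, the final rename) is skipped for that document; the confidence script earlier in this file keeps its handler, so this looks accidental rather than deliberate. Restoring the three removed lines, `on_failure:` / `- append:` / `field: error.message` with the original `unable to split trusted_circle_ids` message, keeps the behaviour consistent. In the new `remove` processor `ctx?.tags` can simply be `ctx.tags`, since `ctx` is never null in an ingest script.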
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml index de6faeea227..011e2bb553e 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml @@ -8,13 +8,15 @@ var: - name: listen_port default: 8080 - name: secret - - name: ssl_certificate - - name: ssl_key + - name: ssl - name: paths default: /path/to/testing.log - name: tags default: - threatintel-anomalithreatstream + - forwarded + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json index 21c627dde57..b101076a9e1 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json @@ -1,5 +1,20 @@ [ { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 20, + "anomali.threatstream.detail2": "imported by user 184", + "anomali.threatstream.id": "3135167627", + "anomali.threatstream.import_session_id": "1400", + "anomali.threatstream.itype": "mal_domain", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46279656657/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3143", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "122" + ], + "anomali.threatstream.update_id": "3786618776", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -11,39 +26,44 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 20, - "threatintel.anomalithreatstream.detail2": "imported by user 184", - "threatintel.anomalithreatstream.id": 3135167627, - "threatintel.anomalithreatstream.import_session_id": 1400, - "threatintel.anomalithreatstream.itype": "mal_domain", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46279656657/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3143, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "122" - ], - "threatintel.anomalithreatstream.update_id": 3786618776, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.as.organization.name": "OVH Hosting", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-08T12:21:50.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.geo.location.lat": -49.1, - "threatintel.indicator.geo.location.lon": 94.4, - "threatintel.indicator.ip": "203.0.113.35", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.organization.name": "OVH Hosting", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-08T12:21:50.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.geo.location.lat": -49.1, + "threat.indicator.geo.location.lon": 94.4, + "threat.indicator.ip": "203.0.113.35", + "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - 
"threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "d4xgfj.example.net" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "d4xgfj.example.net" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 979", + "anomali.threatstream.id": "2465691587", + "anomali.threatstream.import_session_id": "1934", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26893014825/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "639", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "355", + "386", + "461" + ], + "anomali.threatstream.update_id": "3311633654", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -55,40 +75,42 @@ "log.offset": 575, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 979", - "threatintel.anomalithreatstream.id": 2465691587, - "threatintel.anomalithreatstream.import_session_id": 1934, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26893014825/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 639, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "355", - "386", - "461" - ], - "threatintel.anomalithreatstream.update_id": 3311633654, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-08T12:21:59.000Z", - "threatintel.indicator.geo.country_iso_code": "RU", - "threatintel.indicator.geo.location.lat": -51.2, - "threatintel.indicator.geo.location.lon": -64.7, - "threatintel.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:21:59.000Z", + "threat.indicator.geo.country_iso_code": "RU", + "threat.indicator.geo.location.lat": -51.2, + "threat.indicator.geo.location.lon": -64.7, + "threat.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894", + 
"threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 24, + "anomali.threatstream.detail2": "imported by user 830", + "anomali.threatstream.id": "1886961414", + "anomali.threatstream.import_session_id": "3569", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16938191113/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2564", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "740", + "954" + ], + "anomali.threatstream.update_id": "1860329541", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
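Review bot: `threat.indicator.confidence` is emitted as `"Med"` here (anomali confidence 51), but ECS documents the expected values for this field as Not Specified, None, Low, Medium and High, so detection rules or KQL written against the ECS vocabulary (`threat.indicator.confidence : "Medium"`) will silently skip these indicators. The same `"Med"` value recurs in the other hunks of this file for confidences roughly in the 31–63 range. The mapping is done in the module's ingest pipeline, which is outside this diff; once it is corrected this expected line should read `"threat.indicator.confidence": "Medium",`. If "Med" is intentional, a comment in the pipeline noting the deviation from ECS would save the next reader the same check.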
@@ -100,40 +122,45 @@ "log.offset": 1163, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 24, - "threatintel.anomalithreatstream.detail2": "imported by user 830", - "threatintel.anomalithreatstream.id": 1886961414, - "threatintel.anomalithreatstream.import_session_id": 3569, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16938191113/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2564, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "740", - "954" - ], - "threatintel.anomalithreatstream.update_id": 1860329541, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 22773, - "threatintel.indicator.as.organization.name": "Cox Communications", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-08T12:22:11.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": 38.4, - "threatintel.indicator.geo.location.lon": 0.0, - "threatintel.indicator.ip": "192.0.2.8", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 22773, + "threat.indicator.as.organization.name": "Cox Communications", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-08T12:22:11.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": 38.4, + "threat.indicator.geo.location.lon": 0.0, + "threat.indicator.ip": "192.0.2.8", + "threat.indicator.last_seen": 
"2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 723", + "anomali.threatstream.id": "1785659799", + "anomali.threatstream.import_session_id": "244", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.md5": "6466e2", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44706407813/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "3759", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "439", + "801", + "942" + ], + "anomali.threatstream.update_id": "3898969521", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -145,36 +172,38 @@ "log.offset": 1720, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 723", - "threatintel.anomalithreatstream.id": 1785659799, - "threatintel.anomalithreatstream.import_session_id": 244, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.md5": "6466e2", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44706407813/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 3759, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "439", - "801", - "942" - ], - "threatintel.anomalithreatstream.update_id": 3898969521, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-08T12:22:16.000Z", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:22:16.000Z", + "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 61, + "anomali.threatstream.detail2": "imported by user 16", + "anomali.threatstream.id": "2788278724", + "anomali.threatstream.import_session_id": "3146", + 
"anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39996084337/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1834", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "310", + "553", + "709" + ], + "anomali.threatstream.update_id": "1925356831", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
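Review bot: For the `mal_md5` indicator the new output carries `anomali.threatstream.md5` and `threat.indicator.type: "file"` but no `threat.indicator.file.hash.md5`, which is the ECS field that indicator-match rules and threat dashboards key on, so file hashes from this feed cannot be matched against endpoint events. The old `threatintel.*` output had the same gap, so this is not a regression introduced here, but the ECS migration is the natural place to close it; the pipeline (outside this diff) could copy the value, which in this fixture would appear as `"threat.indicator.file.hash.md5": "6466e2",`. The sample hashes are truncated (4–8 hex chars rather than 32), so if the pipeline validates hash length before copying, the fixture would also need realistic values to exercise that path.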
@@ -186,41 +215,43 @@ "log.offset": 2195, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 61, - "threatintel.anomalithreatstream.detail2": "imported by user 16", - "threatintel.anomalithreatstream.id": 2788278724, - "threatintel.anomalithreatstream.import_session_id": 3146, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39996084337/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1834, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "310", - "553", - "709" - ], - "threatintel.anomalithreatstream.update_id": 1925356831, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 20001, - "threatintel.indicator.as.organization.name": "Spectrum", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-08T12:28:50.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": -64.8, - "threatintel.indicator.geo.location.lon": -129.3, - "threatintel.indicator.ip": "192.0.2.235", - "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 20001, + "threat.indicator.as.organization.name": "Spectrum", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:28:50.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": -64.8, + "threat.indicator.geo.location.lon": -129.3, + "threat.indicator.ip": "192.0.2.235", + "threat.indicator.last_seen": 
"2020-10-09T18:49:37.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 31, + "anomali.threatstream.detail2": "imported by user 659", + "anomali.threatstream.id": "2979716207", + "anomali.threatstream.import_session_id": "2369", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24601068254/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2122", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "297", + "811" + ], + "anomali.threatstream.update_id": "1327494837", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -232,40 +263,44 @@ "log.offset": 2757, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 31, - "threatintel.anomalithreatstream.detail2": "imported by user 659", - "threatintel.anomalithreatstream.id": 2979716207, - "threatintel.anomalithreatstream.import_session_id": 2369, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24601068254/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2122, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "297", - "811" - ], - "threatintel.anomalithreatstream.update_id": 1327494837, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 11351, - "threatintel.indicator.as.organization.name": "Spectrum", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-08T12:29:01.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": 72.1, - "threatintel.indicator.geo.location.lon": -52.2, - "threatintel.indicator.ip": "2001:db8:df14:f43b:a986:5e2a:8ce9:4523", - "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 11351, + "threat.indicator.as.organization.name": "Spectrum", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:29:01.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": 72.1, + "threat.indicator.geo.location.lon": -52.2, + "threat.indicator.ip": 
"2001:db8:df14:f43b:a986:5e2a:8ce9:4523", + "threat.indicator.last_seen": "2020-10-09T18:49:37.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 72, + "anomali.threatstream.detail2": "imported by user 50", + "anomali.threatstream.id": "3763825895", + "anomali.threatstream.itype": "c2_domain", + "anomali.threatstream.maltype": "malware:r47agu9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P49850231022/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "967", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "238", + "259", + "537" + ], + "anomali.threatstream.update_id": "1356750652", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -281,6 +316,7 @@ "Botnet-1QZ2U", "Botnet-VXPC5QK8T", "first_seen=2020-07-24T07:36:41", + "forwarded", "mask=2001:db8:867f:42a1:d692:b396:4f14:548c", "popularity=high", "popularity=high", 
@@ -288,35 +324,37 @@ "threatintel-anomalithreatstream", "type=2" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 72, - "threatintel.anomalithreatstream.detail2": "imported by user 50", - "threatintel.anomalithreatstream.id": 3763825895, - "threatintel.anomalithreatstream.itype": "c2_domain", - "threatintel.anomalithreatstream.maltype": "malware:r47agu9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P49850231022/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 967, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "238", - "259", - "537" - ], - "threatintel.anomalithreatstream.update_id": 1356750652, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:14:43.000Z", - "threatintel.indicator.ip": "203.0.113.130", - "threatintel.indicator.last_seen": "2020-10-09T18:14:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:14:43.000Z", + "threat.indicator.ip": "203.0.113.130", + "threat.indicator.last_seen": "2020-10-09T18:14:43.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ei1im6skd.example.com" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ei1im6skd.example.com" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 60, + "anomali.threatstream.detail2": "imported by user 
167", + "anomali.threatstream.id": "3178646499", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.md5": "0f321db9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35792781031/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1743", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "112", + "455", + "761" + ], + "anomali.threatstream.update_id": "1585930018", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -328,35 +366,37 @@ "log.offset": 4049, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 60, - "threatintel.anomalithreatstream.detail2": "imported by user 167", - "threatintel.anomalithreatstream.id": 3178646499, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.md5": "0f321db9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35792781031/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1743, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "112", - "455", - "761" - ], - "threatintel.anomalithreatstream.update_id": 1585930018, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:30:10.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:10.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:10.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:10.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 654", + "anomali.threatstream.id": "2435568409", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:9rb9", + 
"anomali.threatstream.resource_uri": "/api/v1/intelligence/P41264495308/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3940", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "633", + "641" + ], + "anomali.threatstream.update_id": "2070423140", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -368,43 +408,46 @@ "log.offset": 4495, "service.type": "threatintel", "tags": [ + "forwarded", "jn5jpvg", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 654", - "threatintel.anomalithreatstream.id": 2435568409, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:9rb9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41264495308/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3940, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "633", - "641" - ], - "threatintel.anomalithreatstream.update_id": 2070423140, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.236", - "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.236", + "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ax1a6o38z.example.org", - "threatintel.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", - "threatintel.indicator.url.original": 
"https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", - "threatintel.indicator.url.path": "/enec3i/f1n8fv", - "threatintel.indicator.url.query": "4shpqq9=fbo9osx8p", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ax1a6o38z.example.org", + "threat.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", + "threat.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", + "threat.indicator.url.path": "/enec3i/f1n8fv", + "threat.indicator.url.query": "4shpqq9=fbo9osx8p", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 35, + "anomali.threatstream.detail2": "imported by user 81", + "anomali.threatstream.id": "1404936664", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": "malware:4p1lc0bf", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P22799247040/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2236", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "424", + "718" + ], + "anomali.threatstream.update_id": "2151391711", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -417,43 +460,46 @@ "service.type": "threatintel", "tags": [ "7zhsn5t7", + "forwarded", "threatintel-anomalithreatstream", "xl4" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 35, - "threatintel.anomalithreatstream.detail2": "imported by user 81", - "threatintel.anomalithreatstream.id": 1404936664, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:4p1lc0bf", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P22799247040/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2236, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "424", - "718" - ], - "threatintel.anomalithreatstream.update_id": 2151391711, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.geo.country_iso_code": "CN", - "threatintel.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d", - "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.geo.country_iso_code": "CN", + "threat.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d", + "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "beko3.example.com", - "threatintel.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", - 
"threatintel.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", - "threatintel.indicator.url.path": "/vkelnz/jdz6zf-ga", - "threatintel.indicator.url.query": "g39fu=88309ge", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "beko3.example.com", + "threat.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", + "threat.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", + "threat.indicator.url.path": "/vkelnz/jdz6zf-ga", + "threat.indicator.url.query": "g39fu=88309ge", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 7, + "anomali.threatstream.detail2": "imported by user 993", + "anomali.threatstream.id": "1300368058", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:s7-t", + "anomali.threatstream.md5": "b91c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43593676062/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1581", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "812" + ], + "anomali.threatstream.update_id": "1852221746", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -467,34 +513,39 @@ "tags": [ "aampq5", "d6-", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 7, - "threatintel.anomalithreatstream.detail2": "imported by user 993", - "threatintel.anomalithreatstream.id": 1300368058, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:s7-t", - "threatintel.anomalithreatstream.md5": "b91c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43593676062/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1581, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "812" - ], - "threatintel.anomalithreatstream.update_id": 1852221746, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:30:22.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:30:22.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 63, + "anomali.threatstream.detail2": "imported by user 963", + "anomali.threatstream.id": "1511736215", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:0vnvp84", + 
"anomali.threatstream.md5": "3c49c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47666251160/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1695", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "29", + "537", + "879" + ], + "anomali.threatstream.update_id": "3048270616", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -507,36 +558,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 63, - "threatintel.anomalithreatstream.detail2": "imported by user 963", - "threatintel.anomalithreatstream.id": 1511736215, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:0vnvp84", - "threatintel.anomalithreatstream.md5": "3c49c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47666251160/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1695, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "29", - "537", - "879" - ], - "threatintel.anomalithreatstream.update_id": 3048270616, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:30:23.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:23.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:23.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:23.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 95, + "anomali.threatstream.detail2": "imported by user 302", + "anomali.threatstream.id": "2213035853", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:25iv", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11608678465/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "787", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "154", + "766" + ], + "anomali.threatstream.update_id": "2851232102", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -549,42 +601,46 @@ "service.type": "threatintel", "tags": [ "22nciqjs", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 95, - "threatintel.anomalithreatstream.detail2": "imported by user 302", - "threatintel.anomalithreatstream.id": 2213035853, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:25iv", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11608678465/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 787, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "154", - "766" - ], - "threatintel.anomalithreatstream.update_id": 2851232102, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 10, - "threatintel.indicator.first_seen": "2020-10-09T18:30:30.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.162", - "threatintel.indicator.last_seen": "2020-10-09T18:30:30.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:30:30.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.162", + "threat.indicator.last_seen": "2020-10-09T18:30:30.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "sevs82.example.com", - "threatintel.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", - "threatintel.indicator.url.original": 
"http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", - "threatintel.indicator.url.path": "/c5-d/hdajog", - "threatintel.indicator.url.query": "4rs78hl=wvwi", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "sevs82.example.com", + "threat.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", + "threat.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", + "threat.indicator.url.path": "/c5-d/hdajog", + "threat.indicator.url.query": "4rs78hl=wvwi", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 18, + "anomali.threatstream.detail2": "imported by user 548", + "anomali.threatstream.id": "2594216423", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:i6z9qr", + "anomali.threatstream.md5": "e29608b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P32471582403/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1475", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "539", + "6" + ], + "anomali.threatstream.update_id": "2328838402", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -597,36 +653,38 @@ "service.type": "threatintel", "tags": [ "26sg-3-", + "forwarded", "threatintel-anomalithreatstream", "vnx4nu7c" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 18, - "threatintel.anomalithreatstream.detail2": "imported by user 548", - "threatintel.anomalithreatstream.id": 2594216423, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:i6z9qr", - "threatintel.anomalithreatstream.md5": "e29608b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P32471582403/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1475, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "539", - "6" - ], - "threatintel.anomalithreatstream.update_id": 2328838402, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:30:37.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:30:37.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:37.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 54, + "anomali.threatstream.detail2": "imported by user 438", + "anomali.threatstream.id": "1133111133", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:4rs9qpc1", + "anomali.threatstream.md5": "c38d2e6d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20539380512/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3600", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "762" + ], + "anomali.threatstream.update_id": "1784507596", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -639,34 +697,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 54, - "threatintel.anomalithreatstream.detail2": "imported by user 438", - "threatintel.anomalithreatstream.id": 1133111133, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:4rs9qpc1", - "threatintel.anomalithreatstream.md5": "c38d2e6d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20539380512/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3600, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "762" - ], - "threatintel.anomalithreatstream.update_id": 1784507596, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:30:40.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:40.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:40.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:40.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 78, + "anomali.threatstream.detail2": "imported by user 690", + "anomali.threatstream.id": "2543010039", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:ghdl7nwwq", 
+ "anomali.threatstream.md5": "67808c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16167095005/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "926", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "751" + ], + "anomali.threatstream.update_id": "2343991526", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -679,35 +740,40 @@ "service.type": "threatintel", "tags": [ "8ahl", + "forwarded", "ica", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 78, - "threatintel.anomalithreatstream.detail2": "imported by user 690", - "threatintel.anomalithreatstream.id": 2543010039, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:ghdl7nwwq", - "threatintel.anomalithreatstream.md5": "67808c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16167095005/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 926, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "751" - ], - "threatintel.anomalithreatstream.update_id": 2343991526, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:30:45.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:30:45.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:45.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 0, + "anomali.threatstream.detail2": "imported by user 517", + "anomali.threatstream.id": "3233930917", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:m5pk44o", + "anomali.threatstream.md5": "efa99", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15758111412/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2010", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "390", + "519", + "909" + ], + "anomali.threatstream.update_id": "3008175946", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -719,38 +785,41 @@ "log.offset": 8774, "service.type": "threatintel", "tags": [ + "forwarded", "gyu-", "iop", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 0, - "threatintel.anomalithreatstream.detail2": "imported by user 517", - "threatintel.anomalithreatstream.id": 3233930917, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:m5pk44o", - "threatintel.anomalithreatstream.md5": "efa99", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15758111412/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2010, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "390", - "519", - "909" - ], - "threatintel.anomalithreatstream.update_id": 3008175946, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:30:54.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:30:54.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:54.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 303", + "anomali.threatstream.id": "1777540600", + "anomali.threatstream.itype": "mal_md5", + 
"anomali.threatstream.maltype": "malware:-fesxy", + "anomali.threatstream.md5": "e8c1", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13990676648/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3201", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "109", + "621", + "718" + ], + "anomali.threatstream.update_id": "2404949482", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -763,36 +832,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 303", - "threatintel.anomalithreatstream.id": 1777540600, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-fesxy", - "threatintel.anomalithreatstream.md5": "e8c1", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13990676648/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3201, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "109", - "621", - "718" - ], - "threatintel.anomalithreatstream.update_id": 2404949482, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:30:59.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:59.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:59.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:59.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 219", + "anomali.threatstream.id": "2796250594", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:c1b7kt7", + "anomali.threatstream.md5": "be24", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13506696048/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3205", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "559" + ], + "anomali.threatstream.update_id": "3529199846", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -805,34 +875,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 219", - "threatintel.anomalithreatstream.id": 2796250594, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:c1b7kt7", - "threatintel.anomalithreatstream.md5": "be24", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13506696048/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3205, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "559" - ], - "threatintel.anomalithreatstream.update_id": 3529199846, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:31:10.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:10.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:10.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:10.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 762", + "anomali.threatstream.id": "2310429917", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:slwl", + 
"anomali.threatstream.md5": "a2678fc", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35629727989/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "885", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "190", + "495", + "959" + ], + "anomali.threatstream.update_id": "3510871820", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -845,36 +920,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 762", - "threatintel.anomalithreatstream.id": 2310429917, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:slwl", - "threatintel.anomalithreatstream.md5": "a2678fc", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35629727989/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 885, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "190", - "495", - "959" - ], - "threatintel.anomalithreatstream.update_id": 3510871820, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:31:16.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:16.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:16.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:16.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 11, + "anomali.threatstream.detail2": "imported by user 616", + "anomali.threatstream.id": "2853859039", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:voc", + "anomali.threatstream.md5": "2ee715a9b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39948074871/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "586", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "454", + "562" + ], + "anomali.threatstream.update_id": "3756244435", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -887,35 +964,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 11, - "threatintel.anomalithreatstream.detail2": "imported by user 616", - "threatintel.anomalithreatstream.id": 2853859039, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:voc", - "threatintel.anomalithreatstream.md5": "2ee715a9b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39948074871/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 586, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "454", - "562" - ], - "threatintel.anomalithreatstream.update_id": 3756244435, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:31:22.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:22.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 510", + "anomali.threatstream.id": "2328858169", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:yuq33pg5", + "anomali.threatstream.md5": "e1df8d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30902643017/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "826", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "362", + "846" + ], + "anomali.threatstream.update_id": "1410682100", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -928,39 +1008,41 @@ "service.type": "threatintel", "tags": [ "etukwxhs", + "forwarded", "g0vc9", "gcgm1we6l", "mask=203.0.113.182", "threat=bm-uj8c12", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 510", - "threatintel.anomalithreatstream.id": 2328858169, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yuq33pg5", - "threatintel.anomalithreatstream.md5": "e1df8d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30902643017/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 826, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "362", - "846" - ], - "threatintel.anomalithreatstream.update_id": 1410682100, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:31:27.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:27.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:27.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:27.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 14", + "anomali.threatstream.id": "1145199430", + 
"anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:qc6c9qt", + "anomali.threatstream.md5": "9006d07f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14842247088/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1793", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "305" + ], + "anomali.threatstream.update_id": "1592676961", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -973,33 +1055,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 14", - "threatintel.anomalithreatstream.id": 1145199430, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:qc6c9qt", - "threatintel.anomalithreatstream.md5": "9006d07f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14842247088/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1793, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "305" - ], - "threatintel.anomalithreatstream.update_id": 1592676961, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.first_seen": "2020-10-09T18:31:29.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:29.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:31:29.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:29.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 2, + "anomali.threatstream.detail2": "imported by user 600", + "anomali.threatstream.id": "1726466938", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:t52oo3", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P39735553093/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1965", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "553" + ], + "anomali.threatstream.update_id": "2718905308", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1011,42 +1096,46 @@ "log.offset": 12237, "service.type": "threatintel", "tags": [ + "forwarded", "g1wn0g", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 2, - "threatintel.anomalithreatstream.detail2": "imported by user 600", - "threatintel.anomalithreatstream.id": 1726466938, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:t52oo3", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39735553093/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1965, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "553" - ], - "threatintel.anomalithreatstream.update_id": 2718905308, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:31:34.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.229", - "threatintel.indicator.last_seen": "2020-10-09T18:31:34.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:34.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.229", + "threat.indicator.last_seen": "2020-10-09T18:31:34.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "faahk3drf.example.net", - "threatintel.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", - "threatintel.indicator.url.original": 
"http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", - "threatintel.indicator.url.path": "/julf98x5/0g1t8f", - "threatintel.indicator.url.query": "cbffxs2qv=vwgz", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "faahk3drf.example.net", + "threat.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", + "threat.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", + "threat.indicator.url.path": "/julf98x5/0g1t8f", + "threat.indicator.url.query": "cbffxs2qv=vwgz", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 71, + "anomali.threatstream.detail2": "imported by user 976", + "anomali.threatstream.id": "1457264389", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:nx1qwwprl", + "anomali.threatstream.md5": "f5d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20794801988/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1437", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "866" + ], + "anomali.threatstream.update_id": "2310970191", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1059,35 +1148,40 @@ "service.type": "threatintel", "tags": [ "6rblg", + "forwarded", "pzs4xlqy", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 71, - "threatintel.anomalithreatstream.detail2": "imported by user 976", - "threatintel.anomalithreatstream.id": 1457264389, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:nx1qwwprl", - "threatintel.anomalithreatstream.md5": "f5d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20794801988/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1437, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "866" - ], - "threatintel.anomalithreatstream.update_id": 2310970191, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:31:36.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:36.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:31:36.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:36.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 761", + "anomali.threatstream.id": "3532094043", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:k1y", + "anomali.threatstream.md5": "cfd9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48760414603/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2198", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "68", + "70", + "789" + ], + "anomali.threatstream.update_id": "1487534287", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1100,36 +1194,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 761", - "threatintel.anomalithreatstream.id": 3532094043, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:k1y", - "threatintel.anomalithreatstream.md5": "cfd9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48760414603/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2198, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "68", - "70", - "789" - ], - "threatintel.anomalithreatstream.update_id": 1487534287, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:31:39.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:39.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:31:39.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:39.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 23, + "anomali.threatstream.detail2": "imported by user 680", + "anomali.threatstream.id": "1753194968", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:ixlyb", + "anomali.threatstream.md5": "93daa", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36997562731/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2101", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "15" + ], + "anomali.threatstream.update_id": "1772862647", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1142,35 +1237,38 @@ "service.type": "threatintel", "tags": [ "6rw", + "forwarded", "g80r1d4sj", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 23, - "threatintel.anomalithreatstream.detail2": "imported by user 680", - "threatintel.anomalithreatstream.id": 1753194968, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:ixlyb", - "threatintel.anomalithreatstream.md5": "93daa", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36997562731/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2101, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "15" - ], - "threatintel.anomalithreatstream.update_id": 1772862647, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:31:43.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:43.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:43.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 0, + "anomali.threatstream.detail2": "imported by user 820", + "anomali.threatstream.id": "3285278133", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": 
"malware:1u76t", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45121980169/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1152", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "390", + "7" + ], + "anomali.threatstream.update_id": "2657969647", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1183,36 +1281,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 0, - "threatintel.anomalithreatstream.detail2": "imported by user 820", - "threatintel.anomalithreatstream.id": 3285278133, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:1u76t", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45121980169/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1152, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "390", - "7" - ], - "threatintel.anomalithreatstream.update_id": 2657969647, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.ip": "192.0.2.219", - "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.ip": "192.0.2.219", + "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 45, + "anomali.threatstream.detail2": "imported by user 
894", + "anomali.threatstream.id": "2098390184", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:hc-wh", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33231447204/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3354", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "846" + ], + "anomali.threatstream.update_id": "2110937414", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1224,42 +1324,46 @@ "log.offset": 14812, "service.type": "threatintel", "tags": [ + "forwarded", "om0z7", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 45, - "threatintel.anomalithreatstream.detail2": "imported by user 894", - "threatintel.anomalithreatstream.id": 2098390184, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:hc-wh", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33231447204/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3354, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "846" - ], - "threatintel.anomalithreatstream.update_id": 2110937414, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.208", - "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.208", + "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "p9okf0.example.org", - "threatintel.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", - "threatintel.indicator.url.original": 
"http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", - "threatintel.indicator.url.path": "/jyb3n8f/f55vfyt48", - "threatintel.indicator.url.query": "s2n=0t2d", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "p9okf0.example.org", + "threat.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", + "threat.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", + "threat.indicator.url.path": "/jyb3n8f/f55vfyt48", + "threat.indicator.url.query": "s2n=0t2d", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 747", + "anomali.threatstream.id": "3367490507", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:0ua9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34959401147/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "959", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "404", + "574" + ], + "anomali.threatstream.update_id": "2335801340", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
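Review bot: The new `threat.indicator.confidence` value `"Med"` in this hunk (and for the 31/34/46/50 confidence cases in the later hunks) is not one of the values ECS lists for this field — ECS names the qualitative levels `Not Specified`, `None`, `Low`, `Medium`, `High` — so ECS-based detection rules, indicator-match queries and dashboards that filter on `Medium` will silently skip these indicators while `None`, `Low` and `High` continue to match. If the ingest pipeline that produces this fixture is what emits `Med`, the fix belongs there (`ctx.threat.indicator.confidence = "Medium";`) with this expected file regenerated, rather than hand-editing the fixture. The pipeline is not visible in this diff, so the bucket thresholds themselves (23→Low, 31→Med, 70→High as shown across these hunks) are taken on trust from the fixture and only the label is flagged here.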
@@ -1272,42 +1376,47 @@ "service.type": "threatintel", "tags": [ "adeba89", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 747", - "threatintel.anomalithreatstream.id": 3367490507, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:0ua9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34959401147/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 959, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "404", - "574" - ], - "threatintel.anomalithreatstream.update_id": 2335801340, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:31:58.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.105", - "threatintel.indicator.last_seen": "2020-10-09T18:31:58.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:58.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.105", + "threat.indicator.last_seen": "2020-10-09T18:31:58.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "fxkeo24m.example.com", - "threatintel.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", - "threatintel.indicator.url.original": 
"https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", - "threatintel.indicator.url.path": "/y75tg7sw/jnnu9xmc", - "threatintel.indicator.url.query": "apus=ob1hnba4", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "fxkeo24m.example.com", + "threat.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", + "threat.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", + "threat.indicator.url.path": "/y75tg7sw/jnnu9xmc", + "threat.indicator.url.query": "apus=ob1hnba4", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 604", + "anomali.threatstream.id": "1998649659", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:s0anj", + "anomali.threatstream.md5": "b4dd5cf7", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21831217400/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1405", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "422", + "749", + "852" + ], + "anomali.threatstream.update_id": "1339527388", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1320,36 +1429,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 604", - "threatintel.anomalithreatstream.id": 1998649659, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:s0anj", - "threatintel.anomalithreatstream.md5": "b4dd5cf7", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21831217400/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1405, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "422", - "749", - "852" - ], - "threatintel.anomalithreatstream.update_id": 1339527388, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:32:02.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:02.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:32:02.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:02.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 85, + "anomali.threatstream.detail2": "imported by user 386", + "anomali.threatstream.id": "3005939184", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:hn5uajghq", + "anomali.threatstream.md5": "b890cdad", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23229581043/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "652", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "120" + ], + "anomali.threatstream.update_id": "1316735853", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1362,35 +1472,40 @@ "service.type": "threatintel", "tags": [ "a-e8lz", + "forwarded", "nj3f", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 85, - "threatintel.anomalithreatstream.detail2": "imported by user 386", - "threatintel.anomalithreatstream.id": 3005939184, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:hn5uajghq", - "threatintel.anomalithreatstream.md5": "b890cdad", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23229581043/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 652, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "120" - ], - "threatintel.anomalithreatstream.update_id": 1316735853, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:32:03.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:03.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:32:03.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:03.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 31, + "anomali.threatstream.detail2": "imported by user 706", + "anomali.threatstream.id": "1900495748", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:3taf", + "anomali.threatstream.md5": "817", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35660572297/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "506", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "718", + "828", + "98" + ], + "anomali.threatstream.update_id": "3243777736", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1403,36 +1518,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 31, - "threatintel.anomalithreatstream.detail2": "imported by user 706", - "threatintel.anomalithreatstream.id": 1900495748, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:3taf", - "threatintel.anomalithreatstream.md5": "817", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35660572297/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 506, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "718", - "828", - "98" - ], - "threatintel.anomalithreatstream.update_id": 3243777736, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:32:04.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:04.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:04.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:04.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 50, + "anomali.threatstream.detail2": "imported by user 222", + "anomali.threatstream.id": "1040883425", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:wsge", 
+ "anomali.threatstream.md5": "a06b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33297645928/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "146", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "539", + "959" + ], + "anomali.threatstream.update_id": "1284922297", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1445,35 +1562,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 50, - "threatintel.anomalithreatstream.detail2": "imported by user 222", - "threatintel.anomalithreatstream.id": 1040883425, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:wsge", - "threatintel.anomalithreatstream.md5": "a06b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33297645928/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 146, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "539", - "959" - ], - "threatintel.anomalithreatstream.update_id": 1284922297, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:08.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:08.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:08.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:08.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 50, + "anomali.threatstream.detail2": "imported by user 414", + "anomali.threatstream.id": "1703603090", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:yid8n1", 
+ "anomali.threatstream.md5": "ebd6108", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25381157923/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "294", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "124", + "394", + "820" + ], + "anomali.threatstream.update_id": "1405107391", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1486,36 +1607,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 50, - "threatintel.anomalithreatstream.detail2": "imported by user 414", - "threatintel.anomalithreatstream.id": 1703603090, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yid8n1", - "threatintel.anomalithreatstream.md5": "ebd6108", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25381157923/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 294, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "124", - "394", - "820" - ], - "threatintel.anomalithreatstream.update_id": 1405107391, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:11.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:11.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:11.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:11.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 6, + "anomali.threatstream.detail2": "imported by user 872", + "anomali.threatstream.id": "1393798645", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:aeu2f0", + "anomali.threatstream.md5": "5afe0a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34100122259/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1256", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "386", + "980" + ], + "anomali.threatstream.update_id": "2194495180", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1528,35 +1651,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 6, - "threatintel.anomalithreatstream.detail2": "imported by user 872", - "threatintel.anomalithreatstream.id": 1393798645, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:aeu2f0", - "threatintel.anomalithreatstream.md5": "5afe0a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34100122259/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1256, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "386", - "980" - ], - "threatintel.anomalithreatstream.update_id": 2194495180, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:32:19.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:19.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:32:19.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:19.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 46, + "anomali.threatstream.detail2": "imported by user 237", + "anomali.threatstream.id": "3384379889", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:w3rx", + 
"anomali.threatstream.resource_uri": "/api/v1/intelligence/P38445847685/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "773", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "830" + ], + "anomali.threatstream.update_id": "2280522298", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1569,35 +1693,40 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 46, - "threatintel.anomalithreatstream.detail2": "imported by user 237", - "threatintel.anomalithreatstream.id": 3384379889, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:w3rx", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P38445847685/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 773, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "830" - ], - "threatintel.anomalithreatstream.update_id": 2280522298, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:30.000Z", - "threatintel.indicator.geo.country_iso_code": "CN", - "threatintel.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4", - "threatintel.indicator.last_seen": "2020-10-09T18:32:30.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:30.000Z", + "threat.indicator.geo.country_iso_code": "CN", + "threat.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4", + "threat.indicator.last_seen": "2020-10-09T18:32:30.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 60, + 
"anomali.threatstream.detail2": "imported by user 317", + "anomali.threatstream.id": "1291701932", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:upf65oc8", + "anomali.threatstream.md5": "758a81", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P40886917073/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2980", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "407", + "437" + ], + "anomali.threatstream.update_id": "1128332354", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
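Review bot: The new `"threat.indicator.confidence": "Med"` value in this hunk (and the other `Med` entries in this file) may not match the ECS `threat.indicator.confidence` vocabulary, which as far as I know spells the middle level `Medium` (alongside `Not Specified`, `None`, `Low`, `High`); if this fixture reflects the pipeline's real output, detection rules and threat-match enrichment that filter on the ECS spelling would silently skip these indicators. The `-1` → `None` and low-score → `Low` mappings elsewhere in the file look consistent with that scale, so this is likely a single wrong literal in the pipeline's score-to-level mapping rather than a fixture problem. Please confirm the intended vocabulary against the ECS field definition and, if `Medium` is the target, emit `"threat.indicator.confidence": "Medium"` from the ingest pipeline and regenerate this expected file.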
@@ -1610,35 +1739,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 60, - "threatintel.anomalithreatstream.detail2": "imported by user 317", - "threatintel.anomalithreatstream.id": 1291701932, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:upf65oc8", - "threatintel.anomalithreatstream.md5": "758a81", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P40886917073/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2980, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "407", - "437" - ], - "threatintel.anomalithreatstream.update_id": 1128332354, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:32:35.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:35.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:35.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:35.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 352", + "anomali.threatstream.id": "3279148213", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:u0e", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37449871811/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "2315", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "29", + "817", + "831" + ], + "anomali.threatstream.update_id": "2267992225", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1650,43 +1782,47 @@ "log.offset": 19948, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "ziqdk" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 352", - "threatintel.anomalithreatstream.id": 3279148213, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:u0e", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37449871811/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 2315, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "29", - "817", - "831" - ], - "threatintel.anomalithreatstream.update_id": 2267992225, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:33:10.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.16", - "threatintel.indicator.last_seen": "2020-10-09T18:33:10.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:33:10.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.16", + "threat.indicator.last_seen": "2020-10-09T18:33:10.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ke4ffyj5.example.com", - "threatintel.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", - "threatintel.indicator.url.original": 
"http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", - "threatintel.indicator.url.path": "/t-9ikyrtt/ai91", - "threatintel.indicator.url.query": "s6u=3y1", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ke4ffyj5.example.com", + "threat.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", + "threat.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", + "threat.indicator.url.path": "/t-9ikyrtt/ai91", + "threat.indicator.url.query": "s6u=3y1", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 42, + "anomali.threatstream.detail2": "imported by user 768", + "anomali.threatstream.id": "2138145846", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:-shiotjs", + "anomali.threatstream.md5": "c9b4", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24530928152/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "837", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "322", + "410" + ], + "anomali.threatstream.update_id": "3812327380", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1699,35 +1835,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 42, - "threatintel.anomalithreatstream.detail2": "imported by user 768", - "threatintel.anomalithreatstream.id": 2138145846, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-shiotjs", - "threatintel.anomalithreatstream.md5": "c9b4", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24530928152/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 837, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "322", - "410" - ], - "threatintel.anomalithreatstream.update_id": 3812327380, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:33:13.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:13.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:13.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:13.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 25, + "anomali.threatstream.detail2": "imported by user 148", + "anomali.threatstream.id": "1502954738", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:c8f0r5d4", + "anomali.threatstream.md5": "ad0", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43216360516/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3786", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "520", + "695" + ], + "anomali.threatstream.update_id": "2085432040", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1740,35 +1879,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 25, - "threatintel.anomalithreatstream.detail2": "imported by user 148", - "threatintel.anomalithreatstream.id": 1502954738, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:c8f0r5d4", - "threatintel.anomalithreatstream.md5": "ad0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43216360516/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3786, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "520", - "695" - ], - "threatintel.anomalithreatstream.update_id": 2085432040, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 649", + "anomali.threatstream.id": "2730182815", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:2vsd1miq", + "anomali.threatstream.md5": "571957", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23842171060/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2923", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "127" + ], + "anomali.threatstream.update_id": "3768246717", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1781,34 +1922,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 649", - "threatintel.anomalithreatstream.id": 2730182815, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:2vsd1miq", - "threatintel.anomalithreatstream.md5": "571957", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23842171060/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2923, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "127" - ], - "threatintel.anomalithreatstream.update_id": 3768246717, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 132", + "anomali.threatstream.id": "1649793681", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:d1q-sdovn", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13727067406/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1993", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "176", + "715", + "824" + ], + "anomali.threatstream.update_id": "3498000116", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1821,42 +1966,45 @@ "service.type": "threatintel", "tags": [ "73d", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 132", - "threatintel.anomalithreatstream.id": 1649793681, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:d1q-sdovn", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13727067406/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1993, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "176", - "715", - "824" - ], - "threatintel.anomalithreatstream.update_id": 3498000116, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:33:22.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.154", - "threatintel.indicator.last_seen": "2020-10-09T18:33:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:33:22.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.154", + "threat.indicator.last_seen": "2020-10-09T18:33:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "rl27d.example.net", - "threatintel.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", - "threatintel.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", - 
"threatintel.indicator.url.path": "/ko6/4rtt", - "threatintel.indicator.url.query": "b12=o4mgzz2kk", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "rl27d.example.net", + "threat.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", + "threat.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", + "threat.indicator.url.path": "/ko6/4rtt", + "threat.indicator.url.query": "b12=o4mgzz2kk", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 48, + "anomali.threatstream.detail2": "imported by user 137", + "anomali.threatstream.id": "2195098028", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:886x", + "anomali.threatstream.md5": "7f4", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39956518309/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1936", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "469" + ], + "anomali.threatstream.update_id": "1238197737", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1869,35 +2017,38 @@ "service.type": "threatintel", "tags": [ "e3mm2h", + "forwarded", "knjq-wt", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 48, - "threatintel.anomalithreatstream.detail2": "imported by user 137", - "threatintel.anomalithreatstream.id": 2195098028, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:886x", - "threatintel.anomalithreatstream.md5": "7f4", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39956518309/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1936, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "469" - ], - "threatintel.anomalithreatstream.update_id": 1238197737, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:33:24.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:24.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:24.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:24.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 62, + "anomali.threatstream.detail2": "imported by user 76", + "anomali.threatstream.id": "2273277634", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:eem8vy0", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28216636081/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2583", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "143", + "22" + ], + "anomali.threatstream.update_id": "3547953290", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1909,43 +2060,45 @@ "log.offset": 23077, "service.type": "threatintel", "tags": [ + "forwarded", "rb2my5u7", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 62, - "threatintel.anomalithreatstream.detail2": "imported by user 76", - "threatintel.anomalithreatstream.id": 2273277634, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:eem8vy0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28216636081/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2583, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "143", - "22" - ], - "threatintel.anomalithreatstream.update_id": 3547953290, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:33:26.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.228", - "threatintel.indicator.last_seen": "2020-10-09T18:33:26.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:26.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.228", + "threat.indicator.last_seen": "2020-10-09T18:33:26.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "6ygk0y.example.com", - "threatintel.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", - "threatintel.indicator.url.original": 
"http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", - "threatintel.indicator.url.path": "/t520/4twe", - "threatintel.indicator.url.query": "ql4bhkpop=yfpkef", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "6ygk0y.example.com", + "threat.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", + "threat.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", + "threat.indicator.url.path": "/t520/4twe", + "threat.indicator.url.query": "ql4bhkpop=yfpkef", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 47, + "anomali.threatstream.detail2": "imported by user 304", + "anomali.threatstream.id": "1593951372", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:lrfqa", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P18416887501/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1922", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "281" + ], + "anomali.threatstream.update_id": "3726618139", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1958,41 +2111,47 @@ "service.type": "threatintel", "tags": [ "3jujb6j", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 47, - "threatintel.anomalithreatstream.detail2": "imported by user 304", - "threatintel.anomalithreatstream.id": 1593951372, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:lrfqa", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P18416887501/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1922, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "281" - ], - "threatintel.anomalithreatstream.update_id": 3726618139, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:33:27.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.38", - "threatintel.indicator.last_seen": "2020-10-09T18:33:27.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:27.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.38", + "threat.indicator.last_seen": "2020-10-09T18:33:27.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "rcsr9o.example.net", - "threatintel.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", - "threatintel.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", - 
"threatintel.indicator.url.path": "/e6f/08b", - "threatintel.indicator.url.query": "8d2y=d-42fr-", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "rcsr9o.example.net", + "threat.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", + "threat.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", + "threat.indicator.url.path": "/e6f/08b", + "threat.indicator.url.query": "8d2y=d-42fr-", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 578", + "anomali.threatstream.id": "2881597176", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:wpo", + "anomali.threatstream.md5": "89a0a684", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37162617510/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1312", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "450", + "588", + "873" + ], + "anomali.threatstream.update_id": "2444963851", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2006,35 +2165,39 @@ "tags": [ "2uu9b", "f7ciq9", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 578", - "threatintel.anomalithreatstream.id": 2881597176, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:wpo", - "threatintel.anomalithreatstream.md5": "89a0a684", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37162617510/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1312, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "450", - "588", - "873" - ], - "threatintel.anomalithreatstream.update_id": 2444963851, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.first_seen": "2020-10-09T18:33:29.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:29.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:33:29.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:29.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 347", + "anomali.threatstream.id": "1789877636", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:f7l", + "anomali.threatstream.md5": "a41f", + 
"anomali.threatstream.resource_uri": "/api/v1/intelligence/P15884312830/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1250", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "299", + "501", + "551" + ], + "anomali.threatstream.update_id": "3210446946", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2047,36 +2210,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 347", - "threatintel.anomalithreatstream.id": 1789877636, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:f7l", - "threatintel.anomalithreatstream.md5": "a41f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15884312830/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1250, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "299", - "501", - "551" - ], - "threatintel.anomalithreatstream.update_id": 3210446946, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:33:43.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:43.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:43.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 182", + "anomali.threatstream.id": "1300434967", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:5kjd", + "anomali.threatstream.md5": "d0f5f32", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44427200974/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1603", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "122", + "460", + "615" + ], + "anomali.threatstream.update_id": "2994196701", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2089,37 +2255,38 @@ "service.type": "threatintel", "tags": [ "f5c6pl", + "forwarded", "kpjt", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 182", - "threatintel.anomalithreatstream.id": 1300434967, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:5kjd", - "threatintel.anomalithreatstream.md5": "d0f5f32", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44427200974/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1603, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "122", - "460", - "615" - ], - "threatintel.anomalithreatstream.update_id": 2994196701, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 79, + "anomali.threatstream.detail2": "imported by user 976", + "anomali.threatstream.id": "2448066635", + "anomali.threatstream.itype": "mal_md5", + 
"anomali.threatstream.maltype": "malware:7x9cgytj", + "anomali.threatstream.md5": "4f984375b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15169037907/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "814", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "804" + ], + "anomali.threatstream.update_id": "2396481494", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2132,34 +2299,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 79, - "threatintel.anomalithreatstream.detail2": "imported by user 976", - "threatintel.anomalithreatstream.id": 2448066635, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:7x9cgytj", - "threatintel.anomalithreatstream.md5": "4f984375b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15169037907/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 814, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "804" - ], - "threatintel.anomalithreatstream.update_id": 2396481494, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 408", + "anomali.threatstream.id": "1693329110", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:1l5tib0", 
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46598563676/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3431", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "301", + "374" + ], + "anomali.threatstream.update_id": "1425004305", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2172,42 +2342,47 @@ "service.type": "threatintel", "tags": [ "5w8i", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 408", - "threatintel.anomalithreatstream.id": 1693329110, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:1l5tib0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46598563676/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3431, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "301", - "374" - ], - "threatintel.anomalithreatstream.update_id": 1425004305, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:33:48.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.115", - "threatintel.indicator.last_seen": "2020-10-09T18:33:48.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:33:48.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.115", + "threat.indicator.last_seen": "2020-10-09T18:33:48.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cc7d.example.com", - "threatintel.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", - "threatintel.indicator.url.original": 
"https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", - "threatintel.indicator.url.path": "/kxxwobg/hd6omn", - "threatintel.indicator.url.query": "tr8=essb", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cc7d.example.com", + "threat.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", + "threat.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", + "threat.indicator.url.path": "/kxxwobg/hd6omn", + "threat.indicator.url.query": "tr8=essb", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 35, + "anomali.threatstream.detail2": "imported by user 843", + "anomali.threatstream.id": "1522150430", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:8-8a", + "anomali.threatstream.md5": "9c67037e6", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28645937174/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2342", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "27", + "396", + "989" + ], + "anomali.threatstream.update_id": "3573181354", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2220,36 +2395,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 35, - "threatintel.anomalithreatstream.detail2": "imported by user 843", - "threatintel.anomalithreatstream.id": 1522150430, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:8-8a", - "threatintel.anomalithreatstream.md5": "9c67037e6", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28645937174/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2342, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "27", - "396", - "989" - ], - "threatintel.anomalithreatstream.update_id": 3573181354, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:33:51.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:51.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:51.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:51.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 71, + "anomali.threatstream.detail2": "imported by user 831", + "anomali.threatstream.id": "1760436567", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": 
"malware:vy02k4", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14276852864/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "271", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "342", + "504" + ], + "anomali.threatstream.update_id": "1253389383", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2262,36 +2438,38 @@ "service.type": "threatintel", "tags": [ "f3ctz7j", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 71, - "threatintel.anomalithreatstream.detail2": "imported by user 831", - "threatintel.anomalithreatstream.id": 1760436567, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:vy02k4", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14276852864/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 271, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "342", - "504" - ], - "threatintel.anomalithreatstream.update_id": 1253389383, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:33:57.000Z", - "threatintel.indicator.geo.country_iso_code": "VN", - "threatintel.indicator.ip": "192.0.2.61", - "threatintel.indicator.last_seen": "2020-10-09T18:33:57.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:33:57.000Z", + "threat.indicator.geo.country_iso_code": "VN", + "threat.indicator.ip": "192.0.2.61", + "threat.indicator.last_seen": "2020-10-09T18:33:57.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 85, + "anomali.threatstream.detail2": 
"imported by user 650", + "anomali.threatstream.id": "1925240476", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:2bnikxoma", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15033658538/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1067", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "51" + ], + "anomali.threatstream.update_id": "1098288836", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2304,35 +2482,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 85, - "threatintel.anomalithreatstream.detail2": "imported by user 650", - "threatintel.anomalithreatstream.id": 1925240476, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:2bnikxoma", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15033658538/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1067, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "51" - ], - "threatintel.anomalithreatstream.update_id": 1098288836, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.ip": "192.0.2.233", - "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.ip": "192.0.2.233", + "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 91, + "anomali.threatstream.detail2": "imported by 
user 489", + "anomali.threatstream.id": "3001806953", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:ak63t", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34696300225/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "782", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "484" + ], + "anomali.threatstream.update_id": "2722308334", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2344,42 +2525,45 @@ "log.offset": 28355, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "v9ycq" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 91, - "threatintel.anomalithreatstream.detail2": "imported by user 489", - "threatintel.anomalithreatstream.id": 3001806953, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:ak63t", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34696300225/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 782, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "484" - ], - "threatintel.anomalithreatstream.update_id": 2722308334, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e", - "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e", + "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "v9aqrp81q.example.net", - "threatintel.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", - 
"threatintel.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", - "threatintel.indicator.url.path": "/psuj4bs/rvp", - "threatintel.indicator.url.query": "qufy=ymryh", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "v9aqrp81q.example.net", + "threat.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", + "threat.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", + "threat.indicator.url.path": "/psuj4bs/rvp", + "threat.indicator.url.query": "qufy=ymryh", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 453", + "anomali.threatstream.id": "3933431319", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:ejrypgr", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46019487828/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1904", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "444" + ], + "anomali.threatstream.update_id": "3520784497", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2392,34 +2576,40 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 453", - "threatintel.anomalithreatstream.id": 3933431319, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:ejrypgr", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46019487828/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1904, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "444" - ], - "threatintel.anomalithreatstream.update_id": 3520784497, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.geo.country_iso_code": "IN", - "threatintel.indicator.ip": "192.0.2.234", - "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.geo.country_iso_code": "IN", + "threat.indicator.ip": "192.0.2.234", + "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 95, + "anomali.threatstream.detail2": "imported by user 722", + "anomali.threatstream.id": 
"1356788940", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:q4a", + "anomali.threatstream.md5": "a4fa", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30118085912/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3698", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "743", + "936" + ], + "anomali.threatstream.update_id": "3707298072", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2431,37 +2621,41 @@ "log.offset": 29493, "service.type": "threatintel", "tags": [ + "forwarded", "qxwn7lw", "threatintel-anomalithreatstream", "xva1ki" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 95, - "threatintel.anomalithreatstream.detail2": "imported by user 722", - "threatintel.anomalithreatstream.id": 1356788940, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:q4a", - "threatintel.anomalithreatstream.md5": "a4fa", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30118085912/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3698, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "743", - "936" - ], - "threatintel.anomalithreatstream.update_id": 3707298072, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 10, - "threatintel.indicator.first_seen": "2020-10-09T18:34:02.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:02.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:02.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:02.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 6, + "anomali.threatstream.detail2": "imported by user 236", + "anomali.threatstream.id": "3804309005", + "anomali.threatstream.itype": "mal_md5", + 
"anomali.threatstream.maltype": "malware:2sclqws1s", + "anomali.threatstream.md5": "5e11299", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14689465586/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "342", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "50", + "642", + "948" + ], + "anomali.threatstream.update_id": "3749914856", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2473,38 +2667,39 @@ "log.offset": 29986, "service.type": "threatintel", "tags": [ + "forwarded", "r81f4", "threatintel-anomalithreatstream", "wwsw" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 6, - "threatintel.anomalithreatstream.detail2": "imported by user 236", - "threatintel.anomalithreatstream.id": 3804309005, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:2sclqws1s", - "threatintel.anomalithreatstream.md5": "5e11299", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14689465586/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 342, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "50", - "642", - "948" - ], - "threatintel.anomalithreatstream.update_id": 3749914856, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:34:05.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:05.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:05.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:05.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 488", + "anomali.threatstream.id": "1022859708", + "anomali.threatstream.itype": "mal_md5", 
+ "anomali.threatstream.maltype": "malware:9cfecc", + "anomali.threatstream.md5": "22315f8", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33092174596/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2811", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "1" + ], + "anomali.threatstream.update_id": "1637146862", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2517,34 +2712,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 488", - "threatintel.anomalithreatstream.id": 1022859708, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:9cfecc", - "threatintel.anomalithreatstream.md5": "22315f8", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33092174596/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2811, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "1" - ], - "threatintel.anomalithreatstream.update_id": 1637146862, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:11.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:11.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:11.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:11.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 54, + "anomali.threatstream.detail2": "imported by user 310", + "anomali.threatstream.id": "1581368214", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:r7vbej", + 
"anomali.threatstream.md5": "d4a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28408487114/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1371", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "810", + "910" + ], + "anomali.threatstream.update_id": "1671617316", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2557,35 +2756,36 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 54,
- "threatintel.anomalithreatstream.detail2": "imported by user 310",
- "threatintel.anomalithreatstream.id": 1581368214,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:r7vbej",
- "threatintel.anomalithreatstream.md5": "d4a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28408487114/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1371,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "810",
- "910"
- ],
- "threatintel.anomalithreatstream.update_id": 1671617316,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:12.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:12.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:34:12.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:12.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 376",
+ "anomali.threatstream.id": "3576055846",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:0qqrz",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P27429039546/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1808",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "660"
+ ],
+ "anomali.threatstream.update_id": "2477226249",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2597,41 +2797,48 @@
 "log.offset": 31451,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "gry2doqf",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 376",
- "threatintel.anomalithreatstream.id": 3576055846,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:0qqrz",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P27429039546/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1808,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "660"
- ],
- "threatintel.anomalithreatstream.update_id": 2477226249,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.first_seen": "2020-10-09T18:34:17.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.83",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:17.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:34:17.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.83",
+ "threat.indicator.last_seen": "2020-10-09T18:34:17.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "o4kqv8b8.example.net",
- "threatintel.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
- "threatintel.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
- "threatintel.indicator.url.path": "/gm4d-9gt/v2iqt",
- "threatintel.indicator.url.query": "x65ry67ao=skta9rp",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "o4kqv8b8.example.net",
+ "threat.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
+ "threat.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
+ "threat.indicator.url.path": "/gm4d-9gt/v2iqt",
+ "threat.indicator.url.query": "x65ry67ao=skta9rp",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 89,
+ "anomali.threatstream.detail2": "imported by user 748",
+ "anomali.threatstream.id": "1315247197",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:r38g5hbgx",
+ "anomali.threatstream.md5": "3eac",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15092591036/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "206",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "19",
+ "6",
+ "954"
+ ],
+ "anomali.threatstream.update_id": "1760504719",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2644,37 +2851,39 @@
 "service.type": "threatintel",
 "tags": [
 "1l9tule2",
+ "forwarded",
 "k6p",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 89,
- "threatintel.anomalithreatstream.detail2": "imported by user 748",
- "threatintel.anomalithreatstream.id": 1315247197,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:r38g5hbgx",
- "threatintel.anomalithreatstream.md5": "3eac",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15092591036/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 206,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "19",
- "6",
- "954"
- ],
- "threatintel.anomalithreatstream.update_id": 1760504719,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 25,
+ "anomali.threatstream.detail2": "imported by user 380",
+ "anomali.threatstream.id": "1562423716",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:882dlx",
+ "anomali.threatstream.md5": "59893613",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35184012550/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3446",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "392",
+ "581"
+ ],
+ "anomali.threatstream.update_id": "2530088908",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2687,36 +2896,40 @@
 "service.type": "threatintel",
 "tags": [
 "d9qquxe",
+ "forwarded",
 "threatintel-anomalithreatstream",
 "ulx"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 25,
- "threatintel.anomalithreatstream.detail2": "imported by user 380",
- "threatintel.anomalithreatstream.id": 1562423716,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:882dlx",
- "threatintel.anomalithreatstream.md5": "59893613",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35184012550/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3446,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "392",
- "581"
- ],
- "threatintel.anomalithreatstream.update_id": 2530088908,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 4,
+ "anomali.threatstream.detail2": "imported by user 423",
+ "anomali.threatstream.id": "1470897088",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:rwo6s",
+ "anomali.threatstream.md5": "5facf1f",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10368659748/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "599",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "591",
+ "663",
+ "848"
+ ],
+ "anomali.threatstream.update_id": "1937893007",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2728,38 +2941,39 @@
 "log.offset": 33043,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream",
 "wsu7l1",
 "zrb"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 4,
- "threatintel.anomalithreatstream.detail2": "imported by user 423",
- "threatintel.anomalithreatstream.id": 1470897088,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:rwo6s",
- "threatintel.anomalithreatstream.md5": "5facf1f",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10368659748/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 599,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "591",
- "663",
- "848"
- ],
- "threatintel.anomalithreatstream.update_id": 1937893007,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 0,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 9,
+ "anomali.threatstream.detail2": "imported by user 983",
+ "anomali.threatstream.id": "1205553827",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:-pbnrmv",
+ "anomali.threatstream.md5": "708b2c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41514908414/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3751",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "299"
+ ],
+ "anomali.threatstream.update_id": "3858315866",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2772,34 +2986,37 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 9,
- "threatintel.anomalithreatstream.detail2": "imported by user 983",
- "threatintel.anomalithreatstream.id": 1205553827,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:-pbnrmv",
- "threatintel.anomalithreatstream.md5": "708b2c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41514908414/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3751,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "299"
- ],
- "threatintel.anomalithreatstream.update_id": 3858315866,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 314",
+ "anomali.threatstream.id": "1744295971",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:uqw",
+ "anomali.threatstream.md5": "0df",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36955243007/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2305",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "556"
+ ],
+ "anomali.threatstream.update_id": "2655715062",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2812,33 +3029,37 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 314",
- "threatintel.anomalithreatstream.id": 1744295971,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:uqw",
- "threatintel.anomalithreatstream.md5": "0df",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36955243007/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2305,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "556"
- ],
- "threatintel.anomalithreatstream.update_id": 2655715062,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.first_seen": "2020-10-09T18:34:39.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:39.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:34:39.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:39.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 45,
+ "anomali.threatstream.detail2": "imported by user 986",
+ "anomali.threatstream.id": "1782793990",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:mkctzuaaf",
+ "anomali.threatstream.md5": "770",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41751433270/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3513",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "445"
+ ],
+ "anomali.threatstream.update_id": "2172945223",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2850,36 +3071,38 @@
 "log.offset": 34489,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "ps2",
 "qr2wno4",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 45,
- "threatintel.anomalithreatstream.detail2": "imported by user 986",
- "threatintel.anomalithreatstream.id": 1782793990,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:mkctzuaaf",
- "threatintel.anomalithreatstream.md5": "770",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41751433270/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 3513,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "445"
- ],
- "threatintel.anomalithreatstream.update_id": 2172945223,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:40.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:40.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:34:40.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:40.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 98,
+ "anomali.threatstream.detail2": "imported by user 615",
+ "anomali.threatstream.id": "1130190904",
+ "anomali.threatstream.itype": "scan_ip",
+ "anomali.threatstream.maltype": "malware:3zu2d2",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13755730530/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1192",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "88"
+ ],
+ "anomali.threatstream.update_id": "1575621349",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2892,35 +3115,39 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 98,
- "threatintel.anomalithreatstream.detail2": "imported by user 615",
- "threatintel.anomalithreatstream.id": 1130190904,
- "threatintel.anomalithreatstream.itype": "scan_ip",
- "threatintel.anomalithreatstream.maltype": "malware:3zu2d2",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13755730530/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1192,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "88"
- ],
- "threatintel.anomalithreatstream.update_id": 1575621349,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 10,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:41.000Z",
- "threatintel.indicator.geo.country_iso_code": "VN",
- "threatintel.indicator.ip": "192.0.2.88",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:41.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:41.000Z",
+ "threat.indicator.geo.country_iso_code": "VN",
+ "threat.indicator.ip": "192.0.2.88",
+ "threat.indicator.last_seen": "2020-10-09T18:34:41.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 17,
+ "anomali.threatstream.detail2": "imported by user 202",
+ "anomali.threatstream.id": "2499059829",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:86-jrf6o",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43937262060/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "852",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "308",
+ "949"
+ ],
+ "anomali.threatstream.update_id": "2450069481",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2933,42 +3160,45 @@
 "service.type": "threatintel",
 "tags": [
 "ao6",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 17,
- "threatintel.anomalithreatstream.detail2": "imported by user 202",
- "threatintel.anomalithreatstream.id": 2499059829,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:86-jrf6o",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43937262060/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 852,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "308",
- "949"
- ],
- "threatintel.anomalithreatstream.update_id": 2450069481,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:43.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.111",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:43.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:43.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.111",
+ "threat.indicator.last_seen": "2020-10-09T18:34:43.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "91p0p.example.com",
- "threatintel.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
- "threatintel.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
- "threatintel.indicator.url.path": "/easx3j6iy/xvnchuoa",
- "threatintel.indicator.url.query": "dvkljl=h21",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "91p0p.example.com",
+ "threat.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
+ "threat.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
+ "threat.indicator.url.path": "/easx3j6iy/xvnchuoa",
+ "threat.indicator.url.query": "dvkljl=h21",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 67,
+ "anomali.threatstream.detail2": "imported by user 421",
+ "anomali.threatstream.id": "2799251412",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:91o2",
+ "anomali.threatstream.md5": "f9edba87a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P31632809876/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3756",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "776"
+ ],
+ "anomali.threatstream.update_id": "3951093865",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2981,34 +3211,37 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 67,
- "threatintel.anomalithreatstream.detail2": "imported by user 421",
- "threatintel.anomalithreatstream.id": 2799251412,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:91o2",
- "threatintel.anomalithreatstream.md5": "f9edba87a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P31632809876/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3756,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "776"
- ],
- "threatintel.anomalithreatstream.update_id": 3951093865,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:48.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:48.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:34:48.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:48.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 22,
+ "anomali.threatstream.detail2": "imported by user 807",
+ "anomali.threatstream.id": "3711409360",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:yakt8pe9r",
+ "anomali.threatstream.md5": "c3b497",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37263483140/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3903",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "35"
+ ],
+ "anomali.threatstream.update_id": "3046847198",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3021,34 +3254,38 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 22,
- "threatintel.anomalithreatstream.detail2": "imported by user 807",
- "threatintel.anomalithreatstream.id": 3711409360,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:yakt8pe9r",
- "threatintel.anomalithreatstream.md5": "c3b497",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37263483140/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3903,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "35"
- ],
- "threatintel.anomalithreatstream.update_id": 3046847198,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 20,
+ "anomali.threatstream.detail2": "imported by user 298",
+ "anomali.threatstream.id": "3346530445",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:jfje",
+ "anomali.threatstream.md5": "ec57713c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10248765051/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1239",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "196",
+ "775"
+ ],
+ "anomali.threatstream.update_id": "2946803375",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3061,35 +3298,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 20, - "threatintel.anomalithreatstream.detail2": "imported by user 298", - "threatintel.anomalithreatstream.id": 3346530445, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:jfje", - "threatintel.anomalithreatstream.md5": "ec57713c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10248765051/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1239, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "196", - "775" - ], - "threatintel.anomalithreatstream.update_id": 2946803375, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 345", + "anomali.threatstream.id": "2804727563", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:c7e", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11093591971/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2617", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "131", + "793" + ], + "anomali.threatstream.update_id": "1687817836", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3102,41 +3341,45 @@ "service.type": "threatintel", "tags": [ "-g6", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 345", - "threatintel.anomalithreatstream.id": 2804727563, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:c7e", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11093591971/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2617, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "131", - "793" - ], - "threatintel.anomalithreatstream.update_id": 1687817836, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:34:54.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.133", - "threatintel.indicator.last_seen": "2020-10-09T18:34:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:54.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.133", + "threat.indicator.last_seen": "2020-10-09T18:34:54.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lzr6.example.org", - "threatintel.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", - "threatintel.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", - "threatintel.indicator.url.path": "/a7og/4vpv", 
- "threatintel.indicator.url.query": "e7k5=wun", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lzr6.example.org", + "threat.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", + "threat.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", + "threat.indicator.url.path": "/a7og/4vpv", + "threat.indicator.url.query": "e7k5=wun", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 84, + "anomali.threatstream.detail2": "imported by user 747", + "anomali.threatstream.id": "2229747614", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:0d7cxf", + "anomali.threatstream.md5": "bde", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12084157836/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1620", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "30" + ], + "anomali.threatstream.update_id": "2339220849", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3149,34 +3392,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 84, - "threatintel.anomalithreatstream.detail2": "imported by user 747", - "threatintel.anomalithreatstream.id": 2229747614, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:0d7cxf", - "threatintel.anomalithreatstream.md5": "bde", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12084157836/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1620, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "30" - ], - "threatintel.anomalithreatstream.update_id": 2339220849, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:34:55.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:55.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:55.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:55.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 54, + "anomali.threatstream.detail2": "imported by user 832", + "anomali.threatstream.id": "2821279948", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:-farvj0e", + 
"anomali.threatstream.md5": "aa674f5f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43981956471/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2038", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "908" + ], + "anomali.threatstream.update_id": "2083515068", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3189,34 +3435,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 54, - "threatintel.anomalithreatstream.detail2": "imported by user 832", - "threatintel.anomalithreatstream.id": 2821279948, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-farvj0e", - "threatintel.anomalithreatstream.md5": "aa674f5f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43981956471/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2038, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "908" - ], - "threatintel.anomalithreatstream.update_id": 2083515068, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 63, + "anomali.threatstream.detail2": "imported by user 217", + "anomali.threatstream.id": "3118884222", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:23xfw4nyi", 
+ "anomali.threatstream.md5": "48721c98", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20451120036/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1492", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "207", + "501", + "993" + ], + "anomali.threatstream.update_id": "3429396478", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3229,36 +3480,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 63, - "threatintel.anomalithreatstream.detail2": "imported by user 217", - "threatintel.anomalithreatstream.id": 3118884222, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:23xfw4nyi", - "threatintel.anomalithreatstream.md5": "48721c98", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20451120036/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1492, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "207", - "501", - "993" - ], - "threatintel.anomalithreatstream.update_id": 3429396478, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 72, + "anomali.threatstream.detail2": "imported by user 402", + "anomali.threatstream.id": "3912225830", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:dto", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16185398807/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1594", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "439" + ], + "anomali.threatstream.update_id": "3320773285", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3270,42 +3521,46 @@ "log.offset": 39578, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "y7d71" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 72, - "threatintel.anomalithreatstream.detail2": "imported by user 402", - "threatintel.anomalithreatstream.id": 3912225830, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:dto", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16185398807/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1594, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "439" - ], - "threatintel.anomalithreatstream.update_id": 3320773285, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:35:04.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.177", - "threatintel.indicator.last_seen": "2020-10-09T18:35:04.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:35:04.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.177", + "threat.indicator.last_seen": "2020-10-09T18:35:04.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "932.example.com", - "threatintel.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", - "threatintel.indicator.url.original": 
"http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", - "threatintel.indicator.url.path": "/1xmdjyom/tf3inx1", - "threatintel.indicator.url.query": "s6zgr=ajgw", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "932.example.com", + "threat.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", + "threat.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", + "threat.indicator.url.path": "/1xmdjyom/tf3inx1", + "threat.indicator.url.query": "s6zgr=ajgw", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 626", + "anomali.threatstream.id": "2591984894", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:7nq6far", + "anomali.threatstream.md5": "114bd63e0", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P19612019110/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1579", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "669" + ], + "anomali.threatstream.update_id": "2275758319", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3317,36 +3572,40 @@ "log.offset": 40161, "service.type": "threatintel", "tags": [ + "forwarded", "hlq", "nknea", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 626", - "threatintel.anomalithreatstream.id": 2591984894, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:7nq6far", - "threatintel.anomalithreatstream.md5": "114bd63e0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19612019110/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1579, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "669" - ], - "threatintel.anomalithreatstream.update_id": 2275758319, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:35:06.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:06.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:06.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:06.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 53, + "anomali.threatstream.detail2": "imported by user 756", + "anomali.threatstream.id": "2589012476", + "anomali.threatstream.itype": "mal_md5", + 
"anomali.threatstream.maltype": "malware:c1z0qya", + "anomali.threatstream.md5": "636cd4267", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47658489795/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3665", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "835", + "850" + ], + "anomali.threatstream.update_id": "2399518196", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3359,35 +3618,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 53, - "threatintel.anomalithreatstream.detail2": "imported by user 756", - "threatintel.anomalithreatstream.id": 2589012476, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:c1z0qya", - "threatintel.anomalithreatstream.md5": "636cd4267", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47658489795/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3665, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "835", - "850" - ], - "threatintel.anomalithreatstream.update_id": 2399518196, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:35:22.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:22.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 57, + "anomali.threatstream.detail2": "imported by user 893", + "anomali.threatstream.id": "2677187012", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": 
"malware:qtp", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28161033466/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3395", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "234", + "909" + ], + "anomali.threatstream.update_id": "3342338979", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3403,44 +3664,48 @@ "5z6", "IP=192.0.2.45", "first_seen=2020-11-24T05:32:17", + "forwarded", "mask=2001:db8:6d86:4a6:af9b:4385:14d6:b714", "popularity=high", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 57, - "threatintel.anomalithreatstream.detail2": "imported by user 893", - "threatintel.anomalithreatstream.id": 2677187012, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:qtp", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28161033466/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3395, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "234", - "909" - ], - "threatintel.anomalithreatstream.update_id": 3342338979, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:44:01.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.71", - "threatintel.indicator.last_seen": "2020-10-09T18:44:01.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:01.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.71", + "threat.indicator.last_seen": "2020-10-09T18:44:01.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "0te9x75e.example.net", - "threatintel.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", - 
"threatintel.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", - "threatintel.indicator.url.path": "/y2cbl5ov5/u-s9", - "threatintel.indicator.url.query": "vhppw120=bt0ze0du3", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "0te9x75e.example.net", + "threat.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", + "threat.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", + "threat.indicator.url.path": "/y2cbl5ov5/u-s9", + "threat.indicator.url.query": "vhppw120=bt0ze0du3", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 31, + "anomali.threatstream.detail2": "imported by user 450", + "anomali.threatstream.id": "3137219963", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:nosy8", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33588463803/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2108", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "755", + "843", + "943" + ], + "anomali.threatstream.update_id": "1484831936", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3453,43 +3718,45 @@ "service.type": "threatintel", "tags": [ "06epx", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 31, - "threatintel.anomalithreatstream.detail2": "imported by user 450", - "threatintel.anomalithreatstream.id": 3137219963, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:nosy8", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33588463803/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2108, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "755", - "843", - "943" - ], - "threatintel.anomalithreatstream.update_id": 1484831936, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:44:04.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.180", - "threatintel.indicator.last_seen": "2020-10-09T18:44:04.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:04.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.180", + "threat.indicator.last_seen": "2020-10-09T18:44:04.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "b7qdtnl8f.example.org", - "threatintel.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", - "threatintel.indicator.url.original": 
"http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", - "threatintel.indicator.url.path": "/z2a-tx3ip/7cv", - "threatintel.indicator.url.query": "9a67ct3mb=ijse", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "b7qdtnl8f.example.org", + "threat.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", + "threat.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", + "threat.indicator.url.path": "/z2a-tx3ip/7cv", + "threat.indicator.url.query": "9a67ct3mb=ijse", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 19, + "anomali.threatstream.detail2": "imported by user 479", + "anomali.threatstream.id": "2506436592", + "anomali.threatstream.itype": "mal_domain", + "anomali.threatstream.maltype": "malware:4okr", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P42606732542/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "393", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "324", + "63" + ], + "anomali.threatstream.update_id": "1826833096", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3501,37 +3768,40 @@ "log.offset": 42447, "service.type": "threatintel", "tags": [ + "forwarded", "jjz8e", "n5okkr7mg", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 19, - "threatintel.anomalithreatstream.detail2": "imported by user 479", - "threatintel.anomalithreatstream.id": 2506436592, - "threatintel.anomalithreatstream.itype": "mal_domain", - "threatintel.anomalithreatstream.maltype": "malware:4okr", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P42606732542/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 393, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "324", - "63" - ], - "threatintel.anomalithreatstream.update_id": 1826833096, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:44:19.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:44:19.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:44:19.000Z", + "threat.indicator.last_seen": "2020-10-09T18:44:19.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "4gtq1n.example.net" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "4gtq1n.example.net" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 83, + "anomali.threatstream.detail2": "imported by user 969", + 
"anomali.threatstream.id": "1214135687", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:h68c70o", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25206292349/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "425", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "324", + "474" + ], + "anomali.threatstream.update_id": "2101635974", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3545,40 +3815,43 @@ "tags": [ "IP=203.0.113.163", "first_seen=2020-02-14T13:46:51", + "forwarded", "gnz6", "mask=203.0.113.12", "popularity=high", "threatintel-anomalithreatstream", "u96h" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 83, - "threatintel.anomalithreatstream.detail2": "imported by user 969", - "threatintel.anomalithreatstream.id": 1214135687, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:h68c70o", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25206292349/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 425, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "324", - "474" - ], - "threatintel.anomalithreatstream.update_id": 2101635974, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:44:27.000Z", - "threatintel.indicator.geo.country_iso_code": "RU", - "threatintel.indicator.ip": "192.0.2.17", - "threatintel.indicator.last_seen": "2020-10-09T18:44:27.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:27.000Z", + "threat.indicator.geo.country_iso_code": "RU", + "threat.indicator.ip": "192.0.2.17", + "threat.indicator.last_seen": "2020-10-09T18:44:27.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + 
"anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 501", + "anomali.threatstream.id": "1632578144", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:y9xovpr2", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21633460934/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1114", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "615", + "818" + ], + "anomali.threatstream.update_id": "1949050295", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3590,43 +3863,47 @@ "log.offset": 43582, "service.type": "threatintel", "tags": [ + "forwarded", "t37z5d2", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 501", - "threatintel.anomalithreatstream.id": 1632578144, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:y9xovpr2", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21633460934/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1114, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "615", - "818" - ], - "threatintel.anomalithreatstream.update_id": 1949050295, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:44:35.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.183", - "threatintel.indicator.last_seen": "2020-10-09T18:44:35.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:44:35.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.183", + "threat.indicator.last_seen": "2020-10-09T18:44:35.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tfva.example.org", - "threatintel.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", - "threatintel.indicator.url.original": 
"https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", - "threatintel.indicator.url.path": "/iih3qkj/b04g7", - "threatintel.indicator.url.query": "dwosh0qmt=wi9ao", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tfva.example.org", + "threat.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", + "threat.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", + "threat.indicator.url.path": "/iih3qkj/b04g7", + "threat.indicator.url.query": "dwosh0qmt=wi9ao", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 85, + "anomali.threatstream.detail2": "imported by user 149", + "anomali.threatstream.id": "3098969355", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:wxbuhcov9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30134520108/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "398", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "597", + "913", + "946" + ], + "anomali.threatstream.update_id": "2645963867", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3638,44 +3915,47 @@ "log.offset": 44184, "service.type": "threatintel", "tags": [ + "forwarded", "rprsi-", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 85, - "threatintel.anomalithreatstream.detail2": "imported by user 149", - "threatintel.anomalithreatstream.id": 3098969355, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:wxbuhcov9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30134520108/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 398, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "597", - "913", - "946" - ], - "threatintel.anomalithreatstream.update_id": 2645963867, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:44:36.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.149", - "threatintel.indicator.last_seen": "2020-10-09T18:44:36.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:36.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.149", + "threat.indicator.last_seen": "2020-10-09T18:44:36.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "erg2.example.com", - "threatintel.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", - "threatintel.indicator.url.original": 
"https://erg2.example.com/4ys/vywa93c?7oru=evpi", - "threatintel.indicator.url.path": "/4ys/vywa93c", - "threatintel.indicator.url.query": "7oru=evpi", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "erg2.example.com", + "threat.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", + "threat.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", + "threat.indicator.url.path": "/4ys/vywa93c", + "threat.indicator.url.query": "7oru=evpi", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 64, + "anomali.threatstream.detail2": "imported by user 59", + "anomali.threatstream.id": "2035701780", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": "malware:xn2a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10508749376/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2760", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "600", + "673", + "990" + ], + "anomali.threatstream.update_id": "2806149730", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3690,46 +3970,49 @@ "-jj", "IP=203.0.113.22", "first_seen=2020-12-24T20:20:31", + "forwarded", "gogpcno", "mask=2001:db8:bdc6:400b:c095:41c7:1d54:8ff6", "popularity=low", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 64, - "threatintel.anomalithreatstream.detail2": "imported by user 59", - "threatintel.anomalithreatstream.id": 2035701780, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:xn2a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10508749376/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2760, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "600", - "673", - "990" - ], - "threatintel.anomalithreatstream.update_id": 2806149730, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:44:37.000Z", - "threatintel.indicator.geo.country_iso_code": "IN", - "threatintel.indicator.ip": "203.0.113.27", - "threatintel.indicator.last_seen": "2020-10-09T18:44:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:37.000Z", + "threat.indicator.geo.country_iso_code": "IN", + "threat.indicator.ip": "203.0.113.27", + "threat.indicator.last_seen": "2020-10-09T18:44:37.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "0elz6c.example.com", - "threatintel.indicator.url.full": 
"https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", - "threatintel.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", - "threatintel.indicator.url.path": "/3nhx/cadsn6", - "threatintel.indicator.url.query": "kfcj94=gnl", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "0elz6c.example.com", + "threat.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", + "threat.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", + "threat.indicator.url.path": "/3nhx/cadsn6", + "threat.indicator.url.query": "kfcj94=gnl", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 44, + "anomali.threatstream.detail2": "imported by user 134", + "anomali.threatstream.id": "2120958409", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:cu6f11gp1", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46535027346/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1973", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "125", + "279", + "552" + ], + "anomali.threatstream.update_id": "3490786662", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3741,44 +4024,46 @@ "log.offset": 45480, "service.type": "threatintel", "tags": [ + "forwarded", "qztcai", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 44, - "threatintel.anomalithreatstream.detail2": "imported by user 134", - "threatintel.anomalithreatstream.id": 2120958409, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:cu6f11gp1", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46535027346/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1973, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "125", - "279", - "552" - ], - "threatintel.anomalithreatstream.update_id": 3490786662, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:44:45.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011", - "threatintel.indicator.last_seen": "2020-10-09T18:44:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:45.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011", + "threat.indicator.last_seen": "2020-10-09T18:44:45.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "6i0-utr.example.com", - "threatintel.indicator.url.full": 
"https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", - "threatintel.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", - "threatintel.indicator.url.path": "/hsv/50qcugwt", - "threatintel.indicator.url.query": "xcl=ofr", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "6i0-utr.example.com", + "threat.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", + "threat.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", + "threat.indicator.url.path": "/hsv/50qcugwt", + "threat.indicator.url.query": "xcl=ofr", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 94, + "anomali.threatstream.detail2": "imported by user 914", + "anomali.threatstream.id": "1139990065", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:9pyy91p7", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20277063326/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2363", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "346", + "610" + ], + "anomali.threatstream.update_id": "2750333841", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3793,39 +4078,41 @@ "IP=203.0.113.155", "ail6s", "first_seen=2020-11-23T17:11:50", + "forwarded", "mask=203.0.113.23", "popularity=medium", "q0n", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 94, - "threatintel.anomalithreatstream.detail2": "imported by user 914", - "threatintel.anomalithreatstream.id": 1139990065, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:9pyy91p7", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20277063326/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2363, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "346", - "610" - ], - "threatintel.anomalithreatstream.update_id": 2750333841, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:44:47.000Z", - "threatintel.indicator.geo.country_iso_code": "CN", - "threatintel.indicator.ip": "203.0.113.128", - "threatintel.indicator.last_seen": "2020-10-09T18:44:47.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:47.000Z", + "threat.indicator.geo.country_iso_code": "CN", + "threat.indicator.ip": "203.0.113.128", + "threat.indicator.last_seen": "2020-10-09T18:44:47.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + 
"anomali.threatstream.confidence": 69, + "anomali.threatstream.detail2": "imported by user 886", + "anomali.threatstream.id": "2453026318", + "anomali.threatstream.itype": "mal_domain", + "anomali.threatstream.maltype": "malware:c0-a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26988858868/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1281", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "391" + ], + "anomali.threatstream.update_id": "3315952704", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3839,39 +4126,44 @@ "tags": [ "0a3p", "first_seen=2020-03-11T09:04:13", + "forwarded", "mask=2001:db8:7aae:f1e6:e8b3:5702:40ea:29f0", "popularity=high", "smh", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 69, - "threatintel.anomalithreatstream.detail2": "imported by user 886", - "threatintel.anomalithreatstream.id": 2453026318, - "threatintel.anomalithreatstream.itype": "mal_domain", - "threatintel.anomalithreatstream.maltype": "malware:c0-a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26988858868/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1281, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "391" - ], - "threatintel.anomalithreatstream.update_id": 3315952704, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.geo.country_iso_code": "HK", - "threatintel.indicator.ip": "203.0.113.16", - "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.geo.country_iso_code": "HK", + "threat.indicator.ip": "203.0.113.16", + "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ztpyt.example.org" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + 
"threat.indicator.url.domain": "ztpyt.example.org" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 88, + "anomali.threatstream.detail2": "imported by user 268", + "anomali.threatstream.id": "3554643386", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": "malware:ai7s5vg01", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48225335605/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "744", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "258", + "75", + "806" + ], + "anomali.threatstream.update_id": "3898530792", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3884,45 +4176,46 @@ "service.type": "threatintel", "tags": [ "first_seen=2020-07-17T00:42:30", + "forwarded", "mask=192.0.2.22", "mdedohd", "popularity=high", "sv5lmqoo", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 88, - "threatintel.anomalithreatstream.detail2": "imported by user 268", - "threatintel.anomalithreatstream.id": 3554643386, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:ai7s5vg01", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48225335605/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 744, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "258", - "75", - "806" - ], - "threatintel.anomalithreatstream.update_id": 3898530792, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "e5el.example.net", - "threatintel.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", - "threatintel.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", - "threatintel.indicator.url.path": "/rncer/fky", - 
"threatintel.indicator.url.query": "8tc53bbz=1pd-6w5", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "e5el.example.net", + "threat.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", + "threat.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", + "threat.indicator.url.path": "/rncer/fky", + "threat.indicator.url.query": "8tc53bbz=1pd-6w5", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 73, + "anomali.threatstream.detail2": "imported by user 737", + "anomali.threatstream.id": "2781657405", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:6faja4zy-", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13788530147/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "518", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "259" + ], + "anomali.threatstream.update_id": "1423149268", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3934,42 +4227,47 @@ "log.offset": 47992, "service.type": "threatintel", "tags": [ + "forwarded", "l019r8", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 73, - "threatintel.anomalithreatstream.detail2": "imported by user 737", - "threatintel.anomalithreatstream.id": 2781657405, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:6faja4zy-", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13788530147/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 518, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "259" - ], - "threatintel.anomalithreatstream.update_id": 1423149268, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:44:54.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.226", - "threatintel.indicator.last_seen": "2020-10-09T18:44:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:54.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.226", + "threat.indicator.last_seen": "2020-10-09T18:44:54.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "eryz36i.example.net", - "threatintel.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", - "threatintel.indicator.url.original": 
"http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", - "threatintel.indicator.url.path": "/9a86hdj/zti5r9fx", - "threatintel.indicator.url.query": "ahz=l7dsg01qo", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "eryz36i.example.net", + "threat.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", + "threat.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", + "threat.indicator.url.path": "/9a86hdj/zti5r9fx", + "threat.indicator.url.query": "ahz=l7dsg01qo", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 22, + "anomali.threatstream.detail2": "imported by user 703", + "anomali.threatstream.id": "1875325904", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:rrcnb", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12535858975/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "417", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "114", + "792", + "802" + ], + "anomali.threatstream.update_id": "2621256767", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3982,43 +4280,45 @@ "service.type": "threatintel", "tags": [ "4yqbj3b", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 22, - "threatintel.anomalithreatstream.detail2": "imported by user 703", - "threatintel.anomalithreatstream.id": 1875325904, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:rrcnb", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12535858975/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 417, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "114", - "792", - "802" - ], - "threatintel.anomalithreatstream.update_id": 2621256767, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:44:58.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.25", - "threatintel.indicator.last_seen": "2020-10-09T18:44:58.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:44:58.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.25", + "threat.indicator.last_seen": "2020-10-09T18:44:58.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "i-pb.example.com", - "threatintel.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", - "threatintel.indicator.url.original": 
"http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", - "threatintel.indicator.url.path": "/pjmy3/w0tgzb", - "threatintel.indicator.url.query": "noe1pr9=eiwcfihd", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "i-pb.example.com", + "threat.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", + "threat.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", + "threat.indicator.url.path": "/pjmy3/w0tgzb", + "threat.indicator.url.query": "noe1pr9=eiwcfihd", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 19, + "anomali.threatstream.detail2": "imported by user 846", + "anomali.threatstream.id": "2684776210", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:zfd", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45743905551/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "965", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "641", + "697" + ], + "anomali.threatstream.update_id": "1171583779", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4032,40 +4332,44 @@ "tags": [ "IP=2001:db8:61be:1efa:290:c941:bef8:3803", "first_seen=2020-12-01T02:16:04", + "forwarded", "j6vwgb6", "mask=2001:db8:fc83:375e:9c60:3d50:1dc1:9f89", "popularity=medium", "qqo5fg", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 19, - "threatintel.anomalithreatstream.detail2": "imported by user 846", - "threatintel.anomalithreatstream.id": 2684776210, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:zfd", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45743905551/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 965, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "641", - "697" - ], - "threatintel.anomalithreatstream.update_id": 1171583779, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:45:05.000Z", - "threatintel.indicator.geo.country_iso_code": "IN", - "threatintel.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956", - "threatintel.indicator.last_seen": "2020-10-09T18:45:05.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:45:05.000Z", + "threat.indicator.geo.country_iso_code": "IN", + "threat.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956", + "threat.indicator.last_seen": "2020-10-09T18:45:05.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", 
+ "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 812", + "anomali.threatstream.id": "1705726884", + "anomali.threatstream.import_session_id": "2813", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:ib0ezg", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12586136986/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "632", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "459", + "936" + ], + "anomali.threatstream.update_id": "3651210157", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4077,41 +4381,42 @@ "log.offset": 49879, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 812", - "threatintel.anomalithreatstream.id": 1705726884, - "threatintel.anomalithreatstream.import_session_id": 2813, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:ib0ezg", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12586136986/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 632, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "459", - "936" - ], - "threatintel.anomalithreatstream.update_id": 3651210157, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 3356, - "threatintel.indicator.as.organization.name": "Level 3 Communications", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-07T13:10:07.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": 5.6, - "threatintel.indicator.geo.location.lon": 112.8, - "threatintel.indicator.ip": "192.0.2.12", - "threatintel.indicator.last_seen": "2021-04-19T08:57:46.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 3356, + "threat.indicator.as.organization.name": "Level 3 Communications", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-07T13:10:07.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": 5.6, + "threat.indicator.geo.location.lon": 112.8, + 
"threat.indicator.ip": "192.0.2.12", + "threat.indicator.last_seen": "2021-04-19T08:57:46.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 81, + "anomali.threatstream.detail2": "imported by user 411", + "anomali.threatstream.id": "1502608684", + "anomali.threatstream.itype": "apt_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46655498126/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "2891", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "474", + "601" + ], + "anomali.threatstream.update_id": "1170853028", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4123,34 +4428,36 @@ "log.offset": 50468, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 81, - "threatintel.anomalithreatstream.detail2": "imported by user 411", - "threatintel.anomalithreatstream.id": 1502608684, - "threatintel.anomalithreatstream.itype": "apt_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46655498126/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 2891, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "474", - "601" - ], - "threatintel.anomalithreatstream.update_id": 1170853028, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2021-04-29T16:02:17.000Z", - "threatintel.indicator.ip": "203.0.113.5", - "threatintel.indicator.last_seen": "2021-04-29T16:02:17.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:17.000Z", + "threat.indicator.ip": "203.0.113.5", + "threat.indicator.last_seen": "2021-04-29T16:02:17.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 601", + "anomali.threatstream.id": "1171635730", + "anomali.threatstream.itype": "ssh_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P24647878518/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "822", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "749" + ], + "anomali.threatstream.update_id": "1026394470", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4162,33 +4469,37 @@ "log.offset": 50919, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 601", - "threatintel.anomalithreatstream.id": 1171635730, - "threatintel.anomalithreatstream.itype": "ssh_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24647878518/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 822, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "749" - ], - "threatintel.anomalithreatstream.update_id": 1026394470, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:23.000Z", - "threatintel.indicator.ip": "192.0.2.68", - "threatintel.indicator.last_seen": "2021-04-29T16:02:23.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:23.000Z", + "threat.indicator.ip": "192.0.2.68", + "threat.indicator.last_seen": "2021-04-29T16:02:23.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 964", + "anomali.threatstream.id": "2251817936", + "anomali.threatstream.itype": "i2p_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P47421535249/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3194", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "235", + "630" + ], + "anomali.threatstream.update_id": "3118045359", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4200,34 +4511,37 @@ "log.offset": 51361, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 964", - "threatintel.anomalithreatstream.id": 2251817936, - "threatintel.anomalithreatstream.itype": "i2p_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47421535249/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3194, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "235", - "630" - ], - "threatintel.anomalithreatstream.update_id": 3118045359, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2021-04-29T16:02:24.000Z", - "threatintel.indicator.ip": "203.0.113.54", - "threatintel.indicator.last_seen": "2021-04-29T16:02:24.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:24.000Z", + "threat.indicator.ip": "203.0.113.54", + "threat.indicator.last_seen": "2021-04-29T16:02:24.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 77, + "anomali.threatstream.detail2": "imported by user 137", + "anomali.threatstream.id": "1966380326", + "anomali.threatstream.itype": "parked_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P19479436344/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "229", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "303", + "461" + ], + "anomali.threatstream.update_id": "1757326916", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4239,34 +4553,38 @@ "log.offset": 51809, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 77, - "threatintel.anomalithreatstream.detail2": "imported by user 137", - "threatintel.anomalithreatstream.id": 1966380326, - "threatintel.anomalithreatstream.itype": "parked_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19479436344/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 229, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "303", - "461" - ], - "threatintel.anomalithreatstream.update_id": 1757326916, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.ip": "203.0.113.195", - "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.ip": "203.0.113.195", + "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 997", + "anomali.threatstream.id": "3377960871", + "anomali.threatstream.itype": "tor_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P25503355951/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1710", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "13", + "657", + "879" + ], + "anomali.threatstream.update_id": "1469037378", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4278,35 +4596,38 @@ "log.offset": 52257, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 997", - "threatintel.anomalithreatstream.id": 3377960871, - "threatintel.anomalithreatstream.itype": "tor_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25503355951/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1710, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "13", - "657", - "879" - ], - "threatintel.anomalithreatstream.update_id": 1469037378, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.ip": "192.0.2.239", - "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.ip": "192.0.2.239", + "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 12, + "anomali.threatstream.detail2": "imported by user 445", + "anomali.threatstream.id": "1049633552", + "anomali.threatstream.itype": "c2_ip", + "anomali.threatstream.maltype": 
"malware:tos5xne", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P17175297976/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "274", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "683", + "719" + ], + "anomali.threatstream.update_id": "1541655552", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4318,33 +4639,20 @@ "log.offset": 52708, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "vjb9lmpcf" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 12, - "threatintel.anomalithreatstream.detail2": "imported by user 445", - "threatintel.anomalithreatstream.id": 1049633552, - "threatintel.anomalithreatstream.itype": "c2_ip", - "threatintel.anomalithreatstream.maltype": "malware:tos5xne", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P17175297976/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 274, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "683", - "719" - ], - "threatintel.anomalithreatstream.update_id": 1541655552, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:26.000Z", - "threatintel.indicator.ip": "192.0.2.169", - "threatintel.indicator.last_seen": "2021-04-29T16:02:26.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:26.000Z", + "threat.indicator.ip": "192.0.2.169", + "threat.indicator.last_seen": "2021-04-29T16:02:26.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index 4f915c83f55..d0fa140db90 100644 
--- a/x-pack/filebeat/module/threatintel/fields.go +++ b/x-pack/filebeat/module/threatintel/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetThreatintel returns asset data. // This is the base64 encoded zlib format compressed contents of module/threatintel. func AssetThreatintel() string { - return "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" + return "eJzsXNtz2zaXf89fccYvSWYUNXGTztYPO+PmsvGM23R9yfZNAwFHIlYgwAKgFPWv/wYASVEUSEk25Ob7pn6yeDnnh4NzB8BXsMD1BdhMI7FcWhTPACy3ArsXNQokBi9gipY8A2BoqOaF5UpewH8/AwC48y+Af0PwOUqK8IkLnLqrvypWChw/A5hxFMxc+FdegSQ5XsDZmf8JYNcFXsBcq7KorrQfb78S4I25ZJwSq/R4xgWOM2KysRUma56vaS5wvVKata5HhlD/3WUIjt5zAzwvlLbgaI6Az4AsCRdk6sZyDCaTkR//620yVIEcONKHopohsrG70gti8E1GTDZVRLMJZ3uHURMg09IgzcY5ESuidzm3J3rP4D95PYCZ0nDpqL7/DL8GqrXiXVWqWv91NWcDywlx4hBsceibkUFY4FXcvwvzEo1BBtM13N9cZ6Q04+bZCArD55LYUidBUctiRnIu+HqQcamFAzdhaiWFIiwF/2tFibsDL+5vrl/CKkONsFYlUCKhZgQEqCrWoGZgM278PAwiXXJdGqssEWONphQ2BdTLr8DQIvVwtUd9KIgCNUUZQzETitgHYuASKsKH4hBcLpLMGpcLsApshvC1IQ8anc8b95pzqcX3Yso8ifY6z3r1IeglOvs4yH40zlC7MJdyKirPASit3mvGE2OJLU0qEdBSa5QWAtVaHPc312P4XRnDpwJhSUSJBojGC1BScIkjULOZ+weIZFDKhVSrYYsKcSUV6kANqNIaTaEk43IelJobqCKPH8QQpKkgdCG4sWZsSj0VKcDd3t/8cr2hXIm1R5buCWRehFLZSfh5KOKC5MGjJwJe0YMPMfxDoILnQJ1qbu9W3FrUkBHJBNYaWXMBmxHrkqD6CtuZdHihNBCp5DpXpXk5CF4Q3Zb5BvpUKYFEHg79KmSAaFwgtJlHiluwHOgpomwhD244U8Y6BS60WnKGGl5YXSIoDTMiDL4ctCsyT+ILLr02emmTuQFijKKcOJArbjMP888SNUfWHtNuuJAqJ4KPBc9VqngRSH4fcWKT50cYdjLtR7F0tA5iWhBnLTIV34rcoUNeEsHZZKZVHgHAiMXDuf9fhnKbIayISxi1sTBTpWTOIrgBqqRxZoIssI/hyhXjMx617CSoBDE2xmTjV6YokgXpQM0V5KTlNhpEMd2P3HsUBB+3dlRi5C0Uv5G8EOiKUnfXF0bcAFM54XIU/PNKlYLBFP0Tnlhs2low0ji11u2D9Nk3QpLIzBGqHpn67GQfa6qkjRcaRzP/+M1qAha/WWcyzaNLrJn0qlJUJomq5rstK3JERr5UbKvQFOGs1hvMCRcjX2x/JiZ7dfv58vzdT2cxiGr6/0jtJCd6weXcZenJbO/27uoPaNL+ilOkTqoCX8hMjdVI8pMEwNsu6W4AjKmWIMbwGQ/1egrJ7GY7RLYmlxsoNF8SG7IYrXIgUJRTwSnMsMp5mwZWdUesxx0unaz5oiY6qt7Yfr7SoeapQYkoOeOsp5AzmdJHFPZOS3IkptSNgySUlprQNbzwY3/t7OzN69cvXV7F5zI0jNrz+dwJDBmn3kqJJGJtOTVgkWZSCTVfOxKNgIczcoaWcHEeGZlzCYcP7IOnE/yIU8Sol2jJ/Sqv8trpGkqDGt6eD+J8ogQtxtkjnRg0his5SQOkBSI0kCvyoWShbrJ9tdL2gkpuqcEw6FSO+GrLCe81ujNS2Elwymej8Mu75voHL+r
/Si3ORh1yZ1NVP0LPW2To+eaqfw/O+HlRXcuJaB7t0nP3Gv7ux+aVnL2r/61IFkQvkFWPFBk3Wf1ul2y42X6wImEokdV1V3S3hmCqF7qkTGkKTrny/db6Yau0e9h7PvdDo7QTqwldoPasBuc+J6Jn9ldcMEqOm/6Z0nlo3WqcE+27J6Sp63w/eT0CAu+/foSrDyMI9XRw89YSunBXQqQbRUvFw6wwZ+9SqLNLDrx/OpyzRqNKTXFSap4Cwo1Lp5znvr+52oVSOeQ9SwO4RM3tOgWc95pbTongdh2dnqp95iOxd06mLArBu95pr2cQajWCHBkv8xFkfJ6NYIl6/cr9OzxYL/0UQ731lIamH9oh6tJFVmP3Y5s44aQLDBt8FufaK0XgMywm261VHyolR6gCwc1eKRGfhgwhs7o0FtmEck0FTjhLkm9vImhFHwL9oKQ8bxp+h9p5WbhqP9E03nticPVhX4s+CbOb6yN9mjfKZEucH4gloZIfKpsh5hV4MWpq/1KLppDL2bv+9aUq+EzJX4ToRIVTvcL0iyf6Pa4ZbyOMVbZPs2L8XfSTjfc+MVDt/SURcF3tiM1pqzqqVqZNB3GgJZScd24MjhPgtzKfonYjbSiHireS9u7ctv3TaZBUdA/G4Qw0CmJXtHHhbkj9D0rUnO6A69ejA0a2UV2D6FfP54ENuJQcrCazWbcdsIF0dXdqNFd3vUBaDaKwIBVR4J2pHo6SDKXlM46m7rgGy/GNaVNOc27DsmLFUEQNnSqGE+ddkiSciqF3Va6S4K36og5hXdtuFI+bIpW3v7r9/e9aJLq0VvNp2ckOWv1JPaeJspAvek4k/yuI973K81K6NH+TOuFya1fJFohTYDiAc6g3JgKXKOIQjrOAapY9veDj3vkO26jahPQGuAnLr8pYoFU1FI8sM5VEARjj7g4RTdudb5XZW+32XkH5tqbJ0qxIN0tXnp33Dg39GPOyTNeQu7/vqMVO47wVkONFznHrdI6pT8/VzCmB3OHsx1814aL+uTbhCVVldBnmOB39rFaQE7neEPa7PoBLKkqGzIUNAobLudgvIstzNJbkRRI5NdQeLCzGTRhUouWEDy16IUluWYxz7FFj0apQpu4GToSisQ1yR5vNLVrL5dyENYJ5qZGBkiG8+KUqxw0cN/C9XW72Tp97ONEuk2BS9a4tD2pr4ripuDkXJNWQl5mk06pLCytXojuKcWWKebamxsmI5nI+8XE/UYjaXhXwlJEFWAaa7ovZG7oYN2QqnFPQXiXjCv+QeWxR9KvlgRELSoW7UxtDh98sSmYmT+G6gVvI+TyzFdeeFGOcDonqpBmxKDogHAcm5ZacLTh+f84DAJ1qprbAPQCXUJTEGlcP9VARp0REazFYY64s7jRBt1PmhLrUnzZzCauM0yzut5q9eg53L86UataD1CtcCqwpNbAHq1fMFFhTa2UPXr+jq1ZQs5a0wnWInjbpXUJl3Zh1Q/1Ym97ASrl9p90QPgwafGrt7qkawbxYvh25qP/Gr4aakmbDQ6DE4lzpJGtjftN7Re8RQzn7De1K6QVcUsuX3K6j+5Jas6B6FkkeqsobzCar99aR0ipXcVIixLpWZN9vJS6A3g5DPFVoGpbuMCb/SMKUMFh5mNY0CPeUQscXjduAmk3jDR9kI+c9NRqU1WYbv6qIGqRvAJs9mniiWnLL328G4Hyr3zSQPcR5UZXniTZFvg+kDOSEYY1kg5Nbg2I2jOZUhYqn19LHik91vaOTpkDKZ5y2cA0rKApMdcahay6tIw25WtZR87gpfpoKq0GKcqvMShBgq82npwj/X6r8OW5afGNZByEcEO+jsoFGyLvK0Sz2dSrJ/bbmV5NTId3avd7wGAHDAsPhsQq9H5LgC4Qzv3TtkpRqAfuV0TQa5P2e6m92fNpM0CBVkhG9frjK7gI9VW54LNhHZIm7gzp1tviowR2WN0ZmKnX+GBvF4zLJXdCnyigPnYHDUD5NjpkW80m
yzhjEVPlnRKOfIg+NDekhGWnEy5w4M40h74+bu/i+r1w1MpoDFT159jqo5UfnsVHT/Bvz2ZOkCU+c4UZVfzjX7cX8JDlvn0odm/3ujuJ7z4Kbbq399qyL8WHbeL7c/fFvcNT7n/O18M/52v/087Wb0zJUaYZsVnY2Ij/Gzm8qovDJUz3c5lur39J2D8wM7Vvds6vzo6cWjho0+a0BUn8SrfNCfBdsr0tqg+vbdnrAxtMG5vY+w/qvOcFxxouLNz+fj1+Pz8dvfjzrRbmzcJkap2Mwhq/eu9WbQcO8DeM/BPyO4aQGHzseuQ3zqrhkTKMxZ1EN9RvX33dP5w1D3AOv/f2urg1dtb/D6NgGkavBUz8N1mKiiZx3JRqg9tzcg/XGveLiwtXvZu/po5ZYn9ez//qHNz89j6LV3CxSWf4NN4vKno+1cro5aderidO1janpAWrogbVYwIvXr96+3NXICJprMsXuln5IYxw7qPznScbwRfq5/k1JHMG9LE1JxAhum8OwI/iViPrfr6jXm9/9Q8JlOKYfzqJ3T0pA62N8xFqU+IgxPTcNt90Tm11chird73x2vyBwnHQ9dTfbP/88MN3OBm6tq75PM9Gb8yQe1E0p0ICaGtSuRCYuNs4I9cfYZxA+IyibV7R7eo+P/+Hd237v7kdX5jnR/abVPzw+l0rjhEzVEi/gzevzt4+ZjgBjz2jcqN+9bcuq2qYp1o3UxrvjBchLYfmkz9W0ZbLz/YauQAYekErn5iJ8Uqxf6A53r7gjR5LgWFXSW1q0m2yGbOvPRFlmyCr/t84ur/lUb+tTf00Zzo6ySfSrhcc1KK83X4uqPplq+VbetXHgmIpn1VjxFAc44reCazQpOH50pA5iRomgpUg10hbfmvAAhmYjckIhh6/RDLJN99XOimf1wc4VtxkPXZteHd9pWkyStZW+aD7nkohW4dml3SztsiVqQzTHNAdMN+RCzUY0guBysam6Q78tBqU5khFBEs8k9lXeBuvPNwLZnAWqGnpApqq0QGQN6V8BAAD///eBqM4=" } diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml index 16a50f3a0ff..ea68e4c23cb 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: malwarebazaar +- name: abusech.malwarebazaar type: group description: > Fields for Malware Bazaar Threat Intel diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml index a8cbef0b52b..6c90f1d86dc 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml 
@@ -5,19 +5,14 @@ interval: {{ .interval }} request.method: POST {{ if .ssl }} - request.ssl: {{ .ssl | tojson }} {{ end }} {{ if .proxy_url }} request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} -#request.encode_as: application/x-www-form-encoded - +request.encode_as: application/x-www-form-urlencoded request.transforms: -- set: - target: header.Content-Type - value: application/x-www-form-urlencoded - set: target: url.params.query value: get_recent @@ -39,17 +34,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.md5_hash"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml index c2c4b51810d..0a5aca9dbb3 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing Malware Bazaar Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment 
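Review bot: In the first config.yml hunk the `{{ if .ssl }}` block is left empty once `request.ssl: {{ .ssl | tojson }}` is removed, so a user-supplied `ssl` setting (CA, verification mode, client certificate) renders to nothing and silently never reaches the request configuration. Unless the `ssl` option is consumed somewhere else in this fileset, that is a regression for anyone who relies on it to pin or verify the feed's TLS endpoint, and the surviving `{{ if .ssl }}`/`{{ end }}` pair now misleads readers into thinking the option still takes effect. Either restore the line, `request.ssl: {{ .ssl | tojson }}`, or delete the dead conditional. Replacing the manual `header.Content-Type` transform with `request.encode_as: application/x-www-form-urlencoded` looks correct.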
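Review bot: The new `description` in the first pipeline.yml hunk reads `Pipeline for parsing Abuse.ch URL Threat Intel`, which mislabels this pipeline: the file is `malwarebazaar/ingest/pipeline.yml` and the rest of the diff targets `abusech.malwarebazaar` fields, so the wording looks copied from a URL-feed pipeline. Suggest `description: Pipeline for parsing Abuse.ch MalwareBazaar Threat Intel` so operators inspecting the installed pipeline see the right feed name.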
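Review bot: The `ecs.version` set in the second pipeline.yml hunk uses `"1.12"`, while the `add_fields` processor this commit removes from config.yml stamped `1.12.0`; the two formats differ, so the value should be confirmed against whatever the other pipelines in the module emit to keep the field consistent across datasets. If the three-component form is the convention, the line becomes `value: "1.12.0"`.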
@@ -20,148 +24,182 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.malwarebazaar - ignore_missing: true + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.malwarebazaar + - fingerprint: + fields: + - abusech.malwarebazaar.md5_hash + - abusech.malwarebazaar.sha256_hash + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] AbuseCH MalwareBazaar" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - date: - field: threatintel.malwarebazaar.first_seen - target_field: threatintel.indicator.first_seen + field: abusech.malwarebazaar.first_seen + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.malwarebazaar.first_seen != null" + if: "ctx.abusech?.malwarebazaar?.first_seen != null" - date: - field: threatintel.malwarebazaar.last_seen - target_field: threatintel.indicator.last_seen + field: abusech.malwarebazaar.last_seen + target_field: threat.indicator.last_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.malwarebazaar.last_seen != null" + if: "ctx.abusech?.malwarebazaar?.last_seen != null" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - rename: - field: threatintel.malwarebazaar.file_name - target_field: threatintel.indicator.file.name + field: abusech.malwarebazaar.file_name + target_field: threat.indicator.file.name ignore_missing: true - rename: - field: threatintel.malwarebazaar.file_type_mime - target_field: threatintel.indicator.file.mime_type + field: abusech.malwarebazaar.file_type_mime + target_field: threat.indicator.file.mime_type ignore_missing: true - rename: - field: 
threatintel.malwarebazaar.reporter - target_field: threatintel.indicator.provider + field: abusech.malwarebazaar.reporter + target_field: threat.indicator.provider ignore_missing: true - rename: - field: threatintel.malwarebazaar.origin_country - target_field: threatintel.indicator.geo.country_iso_code + field: abusech.malwarebazaar.origin_country + target_field: threat.indicator.geo.country_iso_code ignore_missing: true - rename: - field: threatintel.malwarebazaar.signature - target_field: threatintel.indicator.signature + field: abusech.malwarebazaar.signature + target_field: threat.software.alias ignore_missing: true - foreach: - field: threatintel.malwarebazaar.code_sign + field: abusech.malwarebazaar.code_sign ignore_missing: true processor: rename: - field: subject_cn - target_field: threatintel.indicator.file.x509.subject.common_name + field: _ingest._value.subject_cn + target_field: threat.indicator.file.x509.subject.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: issuer_cn - target_field: threatintel.indicator.file.x509.issuer.common_name + field: _ingest._value.issuer_cn + target_field: threat.indicator.file.x509.issuer.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: algorithm - target_field: threatintel.indicator.file.x509.public_key_algorithm + field: _ingest._value.algorithm + target_field: threat.indicator.file.x509.public_key_algorithm + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: valid_from - target_field: threatintel.indicator.file.x509.not_before + field: _ingest._value.valid_from + target_field: threat.indicator.file.x509.not_before + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: valid_to - target_field: threatintel.indicator.file.x509.not_after + field: _ingest._value.valid_to + 
target_field: threat.indicator.file.x509.not_after + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: serial_number - target_field: threatintel.indicator.file.x509.serial_number + field: _ingest._value.serial_number + target_field: threat.indicator.file.x509.serial_number - rename: - field: threatintel.malwarebazaar.file_size - target_field: threatintel.indicator.file.size + field: abusech.malwarebazaar.file_size + target_field: threat.indicator.file.size ignore_missing: true - rename: - field: threatintel.malwarebazaar.file_type - target_field: threatintel.indicator.file.extension + field: abusech.malwarebazaar.file_type + target_field: threat.indicator.file.extension ignore_missing: true - rename: - field: threatintel.malwarebazaar.md5_hash - target_field: threatintel.indicator.file.hash.md5 + field: abusech.malwarebazaar.md5_hash + target_field: threat.indicator.file.hash.md5 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 + field: abusech.malwarebazaar.sha256_hash + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha1_hash - target_field: threatintel.indicator.file.hash.sha1 + field: abusech.malwarebazaar.sha1_hash + target_field: threat.indicator.file.hash.sha1 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha3_384_hash - target_field: threatintel.indicator.file.hash.sha384 + field: abusech.malwarebazaar.sha3_384_hash + target_field: threat.indicator.file.hash.sha384 ignore_missing: true - rename: - field: threatintel.malwarebazaar.imphash - target_field: threatintel.indicator.file.pe.imphash + field: abusech.malwarebazaar.imphash + target_field: threat.indicator.file.pe.imphash ignore_missing: true - rename: - field: threatintel.malwarebazaar.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep + field: 
abusech.malwarebazaar.ssdeep + target_field: threat.indicator.file.hash.ssdeep ignore_missing: true - rename: - field: threatintel.malwarebazaar.tlsh - target_field: threatintel.indicator.file.hash.tlsh + field: abusech.malwarebazaar.tlsh + target_field: threat.indicator.file.hash.tlsh ignore_missing: true - rename: - field: threatintel.malwarebazaar.telfhash - target_field: threatintel.indicator.file.elf.telfhash + field: abusech.malwarebazaar.telfhash + target_field: threat.indicator.file.elf.telfhash ignore_missing: true - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.md5 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + value: "{{ threat.indicator.file.hash.md5 }}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.sha256 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + value: "{{ threat.indicator.file.hash.sha256 }}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.ssdeep }}" - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + value: "{{ threat.indicator.file.hash.ssdeep }}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null - append: field: related.hash - value: "{{ threatintel.indicator.file.pe.imphash }}" - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + value: "{{ threat.indicator.file.pe.imphash }}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.elf.telfhash }}" - if: ctx?.threatintel?.indicator?.file?.elf?.telfhash != null + value: "{{ threat.indicator.file.elf.telfhash }}" + if: ctx?.threat?.indicator?.file?.elf?.telfhash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.tlsh }}" - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null + value: "{{ threat.indicator.file.hash.tlsh }}" + if: 
ctx?.threat?.indicator?.file?.hash?.tlsh != null - convert: - field: threatintel.indicator.file.size + field: threat.indicator.file.size type: long ignore_missing: true - convert: - field: threatintel.malwarebazaar.intelligence.downloads + field: abusech.malwarebazaar.intelligence.downloads type: long ignore_missing: true - convert: - field: threatintel.malwarebazaar.intelligence.uploads + field: abusech.malwarebazaar.intelligence.uploads type: long ignore_missing: true @@ -169,12 +207,12 @@ processors: # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -196,10 +234,15 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.malwarebazaar.first_seen - - threatintel.malwarebazaar.last_seen + - abusech.malwarebazaar.first_seen + - abusech.malwarebazaar.last_seen - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml index e9294ca9e2e..b90ea0d9562 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml @@ -11,6 +11,8 @@ var: - name: tags default: [threatintel-malwarebazaar, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml 
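Review bot: The six `foreach` processors over `abusech.malwarebazaar.code_sign` each `rename` `_ingest._value.<key>` into a single scalar `threat.indicator.file.x509.*` target with no `ignore_missing`, so an element lacking, say, `subject_cn` makes the rename fail, and an entry with two or more `code_sign` elements fails on the second iteration because the target already exists; in both cases the whole document goes to the trailing `on_failure` handler and the indicator is dropped. Every record in the updated test fixture has `code_sign: []`, so this path is never exercised. At minimum add `ignore_missing: true` to each inner `rename` and add a fixture record with a populated `code_sign` array; if multiple signers are possible, map only the first element or `append` into the target instead of renaming. The same applies to the new `fingerprint` into `_id`, which has no `ignore_missing` either and will fail any record missing `md5_hash` or `sha256_hash`, which I cannot tell from here whether the feed guarantees. `valid_from`/`valid_to` are also copied straight into `not_before`/`not_after` without a `date` processor, so the feed's timestamp format is presumably assumed to be indexable as-is — worth confirming against a real signed sample.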
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json index 1d84eda36cb..40b3f4289ec 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json @@ -1,5 +1,12 @@ [ { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 15, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "exe" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -20,30 +27,29 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "exe", - "threatintel.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd", - "threatintel.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e", - "threatintel.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b", - "threatintel.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e", - "threatintel.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG", - "threatintel.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "SALM0BRU.exe", - "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", - "threatintel.indicator.file.size": 399872, - "threatintel.indicator.first_seen": "2021-04-06T20:34:58.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.provider": "James_inthe_box", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 15, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "exe" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "exe", + "threat.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd", + "threat.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e", + "threat.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b", + "threat.indicator.file.hash.sha384": 
"3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e", + "threat.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG", + "threat.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "SALM0BRU.exe", + "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", + "threat.indicator.file.size": 399872, + "threat.indicator.first_seen": "2021-04-06T20:34:58.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.provider": "James_inthe_box", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 11, + "abusech.malwarebazaar.intelligence.uploads": 1, "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -63,26 +69,31 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "zip", - "threatintel.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac", - "threatintel.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795", - "threatintel.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f", - "threatintel.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7", - "threatintel.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr", - "threatintel.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF", - "threatintel.indicator.file.mime_type": "application/zip", - "threatintel.indicator.file.name": "PO_NO.ENQUIRY-210604.zip", - "threatintel.indicator.file.size": 476768, - "threatintel.indicator.first_seen": "2021-04-06T20:32:25.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.provider": "GovCERT_CH", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 11, - "threatintel.malwarebazaar.intelligence.uploads": 1 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "zip", + "threat.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac", + "threat.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795", + "threat.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f", + "threat.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7", + "threat.indicator.file.hash.ssdeep": 
"12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr", + "threat.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF", + "threat.indicator.file.mime_type": "application/zip", + "threat.indicator.file.name": "PO_NO.ENQUIRY-210604.zip", + "threat.indicator.file.size": 476768, + "threat.indicator.first_seen": "2021-04-06T20:32:25.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.provider": "GovCERT_CH", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 30, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "Hancitor" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -103,31 +114,34 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "dll", - "threatintel.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277", - "threatintel.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3", - "threatintel.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b", - "threatintel.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc", - "threatintel.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG", - "threatintel.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "DropDll.dat", - "threatintel.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844", - "threatintel.indicator.file.size": 435926, - "threatintel.indicator.first_seen": "2021-04-06T20:12:29.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.provider": "DmitriyMelikov", - "threatintel.indicator.signature": "Hancitor", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 30, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "Hancitor" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "dll", + "threat.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277", + "threat.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3", + "threat.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b", + "threat.indicator.file.hash.sha384": 
"ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc", + "threat.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG", + "threat.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "DropDll.dat", + "threat.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844", + "threat.indicator.file.size": 435926, + "threat.indicator.first_seen": "2021-04-06T20:12:29.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.provider": "DmitriyMelikov", + "threat.indicator.type": "file", + "threat.software.alias": "Hancitor" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 27, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "backdoor", + "python" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -147,30 +161,31 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "unknown", - "threatintel.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5", - "threatintel.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099", - "threatintel.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00", - "threatintel.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c", - "threatintel.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7", - "threatintel.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD", - "threatintel.indicator.file.mime_type": "text/x-script.python", - "threatintel.indicator.file.name": "vabsheche.py", - "threatintel.indicator.file.size": 11717, - "threatintel.indicator.first_seen": "2021-04-06T20:07:59.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "ArkbirdDevil", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 27, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "backdoor", - "python" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "unknown", + "threat.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5", + "threat.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099", + "threat.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00", + "threat.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c", + 
"threat.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7", + "threat.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD", + "threat.indicator.file.mime_type": "text/x-script.python", + "threat.indicator.file.name": "vabsheche.py", + "threat.indicator.file.size": 11717, + "threat.indicator.first_seen": "2021-04-06T20:07:59.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "ArkbirdDevil", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 21, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "maldoc" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -190,29 +205,32 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "docx", - "threatintel.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019", - "threatintel.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6", - "threatintel.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4", - "threatintel.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f", - "threatintel.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2", - "threatintel.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144", - "threatintel.indicator.file.mime_type": "application/msword", - "threatintel.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin", - "threatintel.indicator.file.size": 7929856, - "threatintel.indicator.first_seen": "2021-04-06T20:00:48.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "ArkbirdDevil", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 21, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "maldoc" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "docx", + "threat.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019", + "threat.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6", + "threat.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4", + "threat.indicator.file.hash.sha384": 
"752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f", + "threat.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2", + "threat.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144", + "threat.indicator.file.mime_type": "application/msword", + "threat.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin", + "threat.indicator.file.size": 7929856, + "threat.indicator.first_seen": "2021-04-06T20:00:48.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "ArkbirdDevil", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 30, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "apt", + "tonto" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -233,31 +251,29 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "dll", - "threatintel.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917", - "threatintel.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143", - "threatintel.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c", - "threatintel.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58", - "threatintel.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E", - "threatintel.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "winlog.wll", - "threatintel.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9", - "threatintel.indicator.file.size": 131584, - "threatintel.indicator.first_seen": "2021-04-06T19:58:50.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "ArkbirdDevil", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 30, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "apt", - "tonto" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "dll", + "threat.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917", + "threat.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143", + "threat.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c", + "threat.indicator.file.hash.sha384": 
"c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58", + "threat.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E", + "threat.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "winlog.wll", + "threat.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9", + "threat.indicator.file.size": 131584, + "threat.indicator.first_seen": "2021-04-06T19:58:50.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "ArkbirdDevil", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 32, + "abusech.malwarebazaar.intelligence.uploads": 1, "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -277,26 +293,33 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "docx", - "threatintel.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989", - "threatintel.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742", - "threatintel.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606", - "threatintel.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4", - "threatintel.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO", - "threatintel.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7", - "threatintel.indicator.file.mime_type": "application/msword", - "threatintel.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample", - "threatintel.indicator.file.size": 1088000, - "threatintel.indicator.first_seen": "2021-04-06T19:58:44.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.provider": "DmitriyMelikov", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 32, - "threatintel.malwarebazaar.intelligence.uploads": 1 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "docx", + "threat.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989", + "threat.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742", + "threat.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606", + "threat.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4", + 
"threat.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO", + "threat.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7", + "threat.indicator.file.mime_type": "application/msword", + "threat.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample", + "threat.indicator.file.size": 1088000, + "threat.indicator.first_seen": "2021-04-06T19:58:44.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.provider": "DmitriyMelikov", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 38, + "abusech.malwarebazaar.intelligence.mail.Generic": "low", + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "SnakeKeylogger", + "exe" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -317,33 +340,35 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "exe", - "threatintel.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a", - "threatintel.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934", - "threatintel.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b", - "threatintel.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d", - "threatintel.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0", - "threatintel.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "Purchase Order.8000.scan.pdf...exe", - "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", - "threatintel.indicator.file.size": 752128, - "threatintel.indicator.first_seen": "2021-04-06T19:52:32.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "James_inthe_box", - "threatintel.indicator.signature": "SnakeKeylogger", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 38, - "threatintel.malwarebazaar.intelligence.mail.Generic": "low", - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "SnakeKeylogger", - "exe" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "exe", + "threat.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a", + "threat.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934", + "threat.indicator.file.hash.sha256": 
"84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b", + "threat.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d", + "threat.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0", + "threat.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "Purchase Order.8000.scan.pdf...exe", + "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", + "threat.indicator.file.size": 752128, + "threat.indicator.first_seen": "2021-04-06T19:52:32.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "James_inthe_box", + "threat.indicator.type": "file", + "threat.software.alias": "SnakeKeylogger" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 40, + "abusech.malwarebazaar.intelligence.mail.Generic": "low", + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "AgentTesla", + "exe" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -364,30 +389,23 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "exe", - "threatintel.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3", - "threatintel.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5", - "threatintel.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8", - "threatintel.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c", - "threatintel.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN", - "threatintel.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "New Order PO#121012020_____PDF_______.exe", - "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", - "threatintel.indicator.file.size": 836096, - "threatintel.indicator.first_seen": "2021-04-06T19:47:13.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "James_inthe_box", - "threatintel.indicator.signature": "AgentTesla", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 40, - "threatintel.malwarebazaar.intelligence.mail.Generic": "low", - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "AgentTesla", - "exe" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "exe", + "threat.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3", + "threat.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5", + 
"threat.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8", + "threat.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c", + "threat.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN", + "threat.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "New Order PO#121012020_____PDF_______.exe", + "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", + "threat.indicator.file.size": 836096, + "threat.indicator.first_seen": "2021-04-06T19:47:13.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "James_inthe_box", + "threat.indicator.type": "file", + "threat.software.alias": "AgentTesla" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml index 922f794af20..53ce56b16a2 100644 --- a/x-pack/filebeat/module/threatintel/misp/config/config.yml +++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml @@ -12,18 +12,24 @@ request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} request.body: - limit: 100 - page: 1 - returnFormat: json -{{if .filters}} - {{ range $key, $value := .filters}}{{$key}}: {{$value | tojson}}{{end}} -{{end}} +{{ if .filters }} + {{ .filters | tojson}} +{{ end }} request.transforms: {{ if .api_token }} - set: target: header.Authorization value: {{ .api_token }} -{{end}} +{{ end }} +- set: + target: body.page + value: 1 +- set: + target: body.limit + value: 10 +- set: + target: body.returnFormat + value: json - set: target: body.timestamp value: '[[.cursor.timestamp]]' 
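Review bot: The `body.limit` transform pins the page size at `value: 10` where the removed `request.body` had `limit: 100`, and because the `set` transforms run after the body is rendered from `{{ .filters | tojson }}`, a `limit`, `page` or `returnFormat` supplied through `filters` is now silently overwritten instead of taking precedence as it did when the keys were merged into the body. If the smaller page is deliberate, say so next to the transform, e.g. `# fixed page size; limit/page/returnFormat given in filters are overridden here`, or expose the limit as a module variable defaulting to the previous 100 so existing deployments do not start fetching many more pages per interval. The `value: {{ .api_token }}` header set is unchanged by this hunk.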
@@ -63,28 +69,12 @@ exclude_files: [".gz$"]
 {{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields:
- - json.Event.Attribute.uuid
- - json.Event.Object.Attribute.uuid
- ignore_missing: true
- target_field: "@metadata._id"
- encoding: base64
- - script:
- lang: javascript
- id: my_filter
- source: >
- function process(event) {
- event.Put("@metadata.op_type", "index");
- }
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
index e64379422db..f4f54c903b9 100644
--- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -1,3 +1,4 @@
+---
 description: Pipeline for parsing MISP Threat Intel
 processors:
 ####################
@@ -6,6 +7,9 @@ processors:
 - set:
 field: event.ingested
 value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
 - set:
 field: event.kind
 value: enrichment
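Review bot: Dropping the `script` processor that forced `@metadata.op_type` to `index` changes what happens to a re-fetched attribute: the uuid fingerprint now lands in `_id` inside the ingest pipeline (the `@@ -19,236 +23,253 @@` hunk), but nothing in this change states whether the output is expected to overwrite or to reject a second document with the same `_id`, which the old override made explicit. A short comment near the new `fingerprint` processor, such as `# _id is derived from the attribute uuid; dedup relies on the output's op_type`, plus a module test that feeds the same attribute twice, would pin the intended behaviour. Separately, `- {{$val}}` in the `range` loop renders each tag verbatim into YAML, so a tag containing `:` or `#` would break the generated config where the old `{{.tags | tojson}}` was safe; `- {{$val | tojson}}` keeps the quoting.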
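Review bot: `ecs.version` is now set to `"1.12"` while the `add_fields` processor it replaces (removed from config.yml in this same diff) wrote `1.12.0`, and nothing in the hunk explains the shorter form. Unless the other pipelines already use the two-component value, `value: "1.12.0"` keeps the field identical to what existing documents carry and avoids two distinct values for the same ECS release in one index.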
@@ -19,236 +23,253 @@ processors: ###################### # General ECS fields # ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.Event.Attribute.uuid + - json.Event.Object.Attribute.uuid + target_field: "_id" + ignore_missing: true - rename: field: json.Event - target_field: threatintel.misp + target_field: misp ignore_missing: true - set: - field: threatintel.indicator.provider + field: threat.indicator.provider value: misp - if: ctx?.threatintel?.misp?.Orgc?.local != 'false' + if: ctx.misp?.Orgc?.local != 'false' - set: - field: threatintel.indicator.provider + field: threat.indicator.provider value: "{{misp.Orgc.name}}" - if: ctx?.threatintel?.misp?.Orgc?.local == 'false' + if: ctx.misp?.Orgc?.local == 'false' ignore_empty_value: true # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - remove: field: - - threatintel.misp.ShadowAttribute - - threatintel.misp.RelatedEvent - - threatintel.misp.Galaxy - - threatintel.misp.Attribute.Galaxy - - threatintel.misp.Attribute.ShadowAttribute - - threatintel.misp.EventReport - - threatintel.misp.Object.Attribute.Galaxy - - threatintel.misp.Object.Attribute.ShadowAttribute - - message + - misp.ShadowAttribute + - misp.RelatedEvent + - misp.Galaxy + - misp.Attribute.Galaxy + - misp.Attribute.ShadowAttribute + - misp.EventReport + - misp.Object.Attribute.Galaxy + - misp.Object.Attribute.ShadowAttribute ignore_missing: true - remove: field: - - threatintel.misp.Attribute + - misp.Attribute ignore_missing: true - if: ctx?.threatintel?.misp?.Attribute.size() == 0 + if: ctx.misp?.Attribute.size() == 0 - remove: field: - - threatintel.misp.Object + - misp.Object ignore_missing: true - if: ctx?.threatintel?.misp?.Object.size() == 0 + if: ctx.misp?.Object.size() == 0 - date: - field: threatintel.misp.timestamp + field: 
misp.timestamp formats: - UNIX ignore_failure: true - rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute + field: misp.Attribute + target_field: misp.attribute ignore_missing: true - rename: - field: threatintel.misp.Object - target_field: threatintel.misp.object + field: misp.Object + target_field: misp.object ignore_missing: true - rename: - field: threatintel.misp.object.Attribute - target_field: threatintel.misp.object.attribute + field: misp.object.Attribute + target_field: misp.object.attribute ignore_missing: true - rename: - field: threatintel.misp.Orgc - target_field: threatintel.misp.orgc + field: misp.Orgc + target_field: misp.orgc ignore_missing: true - rename: - field: threatintel.misp.Org - target_field: threatintel.misp.org + field: misp.Org + target_field: misp.org ignore_missing: true - rename: - field: threatintel.misp.Tag - target_field: threatintel.misp.tag + field: misp.Tag + target_field: misp.tag ignore_missing: true # # Dance around issue of not being able to split the document into two. # # Make the Object.Attribute field primary if it exists, but keep the # # outer Attribute as context. 
- rename: - field: threatintel.misp.attribute - target_field: threatintel.misp.context.attribute + field: misp.attribute + target_field: misp.context.attribute ignore_missing: true - if: ctx?.threatintel?.misp?.object != null + if: ctx.misp?.object != null - rename: - field: threatintel.misp.object.attribute - target_field: threatintel.misp.attribute + field: misp.object.attribute + target_field: misp.attribute ignore_missing: true - if: ctx?.threatintel?.misp?.object != null + if: ctx.misp?.object != null ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] MISP" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - rename: - field: threatintel.misp.attribute.first_seen - target_field: threatintel.indicator.first_seen + field: misp.attribute.first_seen + target_field: threat.indicator.first_seen ignore_missing: true - rename: - field: threatintel.misp.attribute.last_seen - target_field: threatintel.indicator.last_seen + field: misp.attribute.last_seen + target_field: threat.indicator.last_seen ignore_missing: true - convert: - field: threatintel.misp.analysis + field: misp.analysis type: long - target_field: threatintel.indicator.scanner_stats + target_field: threat.indicator.scanner_stats ignore_missing: true - convert: - field: threatintel.misp.threat_level_id + field: misp.threat_level_id type: long ignore_missing: true ## File/Hash indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename'))" + if: "ctx.misp?.attribute?.type != null && (['md5', 
'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))" - rename: - field: threatintel.misp.attribute.value - target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" + field: misp.attribute.value + target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.file.name + field: misp.attribute.value + target_field: threat.indicator.file.name ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" - grok: - field: threatintel.misp.attribute.type + field: misp.attribute.type patterns: - "%{WORD}\\|%{WORD:_tmp.hashtype}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: 
ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - set: - field: threatintel.indicator.file.hash.{{_tmp.hashtype}} + field: threat.indicator.file.hash.{{_tmp.hashtype}} value: "{{_tmp.hashvalue}}" - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" ## URL/URI indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)" - uri_parts: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url + field: misp.attribute.value + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' - + if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" + if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" ## Regkey indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: windows-registry-key - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" + if: 
"ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.registry.key + field: misp.attribute.value + target_field: threat.indicator.registry.key ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" + if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" + - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" ignore_missing: true - if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" + if: "ctx.misp?.attribute?.type == 'regkey|value'" ## AS indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: autonomous-system - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" - convert: - field: threatintel.misp.attribute.value + field: misp.attribute.value type: long - target_field: threatintel.indicator.as.number + target_field: threat.indicator.as.number ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'autonomous-system' + if: ctx.threat?.indicator?.type == 'autonomous-system' ## Domain/IP/Port indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))" + if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || 
ctx.misp?.attribute?.type.startsWith('domain'))" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url.domain + field: misp.attribute.value + target_field: threat.indicator.url.domain ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null" + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.ip + field: misp.attribute.value + target_field: threat.indicator.ip ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}" + - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" ignore_missing: true - if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null + if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null - grok: - field: threatintel.misp.attribute.value 
+ field: misp.attribute.value patterns: - - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" + - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" ignore_missing: true - if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" ## Email indicator operations # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-message - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.email.address + field: misp.attribute.value + target_field: threat.indicator.email.address ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + if: ctx.threat?.indicator?.type == 'email-addr' - rename: - field: threatintel.misp.event_creator_email + field: misp.event_creator_email target_field: user.email ignore_missing: true - append: 
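Review bot: The null-safe style is applied unevenly in this hunk: the `if:` on the `filename|` `set` processor still reads `ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null` while every other condition here was rewritten to `ctx.x?.`, and the `@@ -284,20 +305,45 @@` hunk likewise keeps `ctx?.tags == null` and `ctx?.misp != null`. Since `ctx` is never null the `ctx?.` form is harmless, but a mixed style invites the next edit to normalise it one way or the other; `ctx._tmp?.hashvalue != null && ctx._tmp?.hashtype != null` matches the rest. The new `fingerprint` processor writes straight to `_id` with `ignore_missing: true`, so an event lacking both uuid fields silently gets an auto-generated id; a one-line comment above it saying that `_id` is derived from the attribute uuid and that uuid-less events are not deduplicated would make that visible to the next maintainer.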
@@ -258,14 +279,14 @@ processors:
 ## MAC Address indicator operations
 - set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
 value: mac-addr
- if: "ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)"
+ if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)"
 - rename:
- field: threatintel.misp.attribute.value
- target_field: threatintel.indicator.mac
+ field: misp.attribute.value
+ target_field: threat.indicator.mac
 ignore_missing: true
- if: ctx?.threatintel?.indicator?.type == 'mac-addr'
+ if: ctx.threat?.indicator?.type == 'mac-addr'
 ###################
 # Tags ECS fields #
@@ -273,9 +294,9 @@ processors:
 # Stripping special characters from tags
 - script:
 lang: painless
- if: ctx?.threatintel?.misp?.tag != null
+ if: ctx.misp?.tag != null
 source: |
- def tags = ctx.threatintel.misp.tag.stream()
+ def tags = ctx.misp.tag.stream()
 .map(t -> t.name.replace('\\', '').replace('"', ''))
 .collect(Collectors.toList());
 def tlpTags = tags.stream()
@@ -284,20 +305,45 @@ processors:
 .collect(Collectors.toList());
 ctx.tags = tags;
- ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ];
+ ctx.threat.indicator.marking = [ 'tlp': tlpTags ];
 # Setting indicator type to unknown if it does not match anything
 - set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
 value: unknown
- if: ctx?.threatintel?.indicator?.type == null
+ if: ctx.threat?.indicator?.type == null
+
+ #################
+ # Convert types #
+ #################
+ - convert:
+ field: misp.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.context.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: threat.indicator.port
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.attribute_count
+ type: long
+ ignore_missing: true
 ######################
 # Cleanup processors #
 ######################
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
 - script:
 lang: painless
- if: ctx?.threatintel != null
+ if: ctx?.misp != null
 source: |
 void handleMap(Map map) {
 for (def x : map.values()) {
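Review bot: The new `convert` block types `misp.attribute.distribution` and `misp.context.attribute.distribution` as `long` but leaves the event-level `misp.distribution` as a string, and the expected output in this same diff shows the split (`"misp.attribute.distribution": 5` next to `"misp.distribution": "3"`). Either add `- convert: {field: misp.distribution, type: long, ignore_missing: true}` alongside the others or note why the event-level value deliberately stays a keyword. None of the four converts sets `ignore_failure`, so a non-numeric value from the feed fails the whole document rather than leaving the field untouched; that may be the intent, but a comment on the block should say so since the feed value is not under the operator's control.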
@@ -322,24 +368,24 @@ processors:
 # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
 - remove:
 field:
- - threatintel.misp.attribute.value
+ - misp.attribute.value
 ignore_missing: true
- if: ctx?.threatintel?.indicator?.type != 'unknown'
+ if: ctx.threat?.indicator?.type != 'unknown'
 - remove:
 field:
 # This removes a number of fields that may be wanted in the future when
- # threatintel.misp.attribute and threatintel.misp.object.attribute can
+ # misp.attribute and misp.object.attribute can
 # be separated. At the root of .object are fields that mirror fields at
- # the root of threatintel.misp.
- - threatintel.misp.object
+ # the root of misp.
+ - misp.object
 ignore_missing: true
 - remove:
 field:
- - threatintel.misp.Attribute.timestamp
- - threatintel.misp.timestamp
- - threatintel.misp.tag
- - threatintel.misp.org
- - threatintel.misp.analysis
+ - misp.Attribute.timestamp
+ - misp.timestamp
+ - misp.tag
+ - misp.org
+ - misp.analysis
 - _tmp
 - json
 ignore_missing: true
diff --git a/x-pack/filebeat/module/threatintel/misp/manifest.yml b/x-pack/filebeat/module/threatintel/misp/manifest.yml
index 41443c01df8..3a91b68f4fe 100644
--- a/x-pack/filebeat/module/threatintel/misp/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/misp/manifest.yml
@@ -15,6 +15,8 @@ var:
 - name: tags
 default: [threatintel-misp, forwarded]
 - name: proxy_url
+ - name: preserve_original_event
+ default: false
 ingest_pipeline:
 - ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
index 9f4dbc50fc8..04e12fc0323 100644
--- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
@@ -9,6 +9,39 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 0,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "5",
+ "misp.attribute.id": "351",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1503930272",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81",
+ "misp.attribute_count": 7,
+ "misp.date": "2017-08-25",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "5",
+ "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226331",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f",
 "service.type": "threatintel",
 "tags": [
 "malware_classification:malware-category=Ransomware",
@@ -17,46 +50,15 @@ "tlp:white", "type:OSINT" ], - "threatintel.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "5", - "threatintel.misp.attribute.id": "351", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1503930272", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81", - "threatintel.misp.attribute_count": "7", - "threatintel.misp.date": "2017-08-25", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "5", - "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CIRCL", - "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": 
"1603226331", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "file" }, { "@timestamp": "2017-08-28T14:24:36.000Z", @@ -68,6 +70,39 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 8248, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "1st stage", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "14", + "misp.attribute.id": "10794", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1542652482", + "misp.attribute.to_ids": false, + "misp.attribute.type": "domain|ip", + "misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219", + "misp.attribute_count": 7, + "misp.date": "2017-08-25", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "5", + "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CIRCL", + "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1603226331", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f", "service.type": "threatintel", "tags": [ "malware_classification:malware-category=Ransomware", 
@@ -76,47 +111,16 @@
 "tlp:white",
 "type:OSINT"
 ],
- "threatintel.indicator.ip": "178.128.103.74",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "178.128.103.74",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "your-ip.getmyip.com",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "1st stage",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "14",
- "threatintel.misp.attribute.id": "10794",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1542652482",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "domain|ip",
- "threatintel.misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219",
- "threatintel.misp.attribute_count": "7",
- "threatintel.misp.date": "2017-08-25",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "5",
- "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226331",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "your-ip.getmyip.com"
 },
 {
 "@timestamp": "2017-04-28T18:23:44.000Z",
@@ -128,55 +132,57 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 16434,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "4",
+ "misp.attribute.id": "342",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1490878550",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "link",
+ "misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81",
+ "misp.attribute_count": 100,
+ "misp.date": "2017-03-30",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "4",
+ "misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226330",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f",
 "service.type": "threatintel",
 "tags": [
 "misp-galaxy:tool=Turla",
 "tlp:white"
 ],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "www.virustotal.com",
- "threatintel.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "4",
- "threatintel.misp.attribute.id": "342",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1490878550",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "link",
- "threatintel.misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81",
- "threatintel.misp.attribute_count": "100",
- "threatintel.misp.date": "2017-03-30",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "4",
- "threatintel.misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226330",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "www.virustotal.com",
+ "threat.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "@timestamp": "2014-10-06T07:12:57.000Z",
@@ -188,51 +194,53 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 20139,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1077",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579394",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
 "service.type": "threatintel",
 "tags": [
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0",
+ "threat.indicator.marking.tlp": [
 "green"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1077",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579394",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "file"
 },
 {
 "@timestamp": "2014-10-06T07:12:57.000Z",
@@ -244,51 +252,53 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 21711,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1084",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579457",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "ip-dst",
+ "misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
 "service.type": "threatintel",
 "tags": [
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.ip": "223.25.233.248",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "223.25.233.248",
+ "threat.indicator.marking.tlp": [
 "green"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1084",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579457",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "ip-dst",
- "threatintel.misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "@timestamp": "2014-10-06T07:12:57.000Z",
@@ -300,51 +310,53 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 23232,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1086",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "hostname",
+ "misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
 "service.type": "threatintel",
 "tags": [
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
 "green"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "xenserver.ddns.net",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1086",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "hostname",
- "threatintel.misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "xenserver.ddns.net"
 },
 {
 "@timestamp": "2014-10-06T07:12:57.000Z",
@@ -356,51 +368,53 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 24759,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1089",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1412579577",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b",
+ "misp.attribute.value": "Nitro",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
 "service.type": "threatintel",
 "tags": [
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
 "green"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1089",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1412579577",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b",
- "threatintel.misp.attribute.value": "Nitro",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "unknown"
 },
 {
 "@timestamp": "2014-10-06T07:12:57.000Z",
@@ -412,51 +426,53 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 26271,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "2",
+ "misp.attribute.id": "1090",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1455826343",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha1",
+ "misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
 "service.type": "threatintel",
 "tags": [
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea",
+ "threat.indicator.marking.tlp": [
 "green"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "2",
- "threatintel.misp.attribute.id": "1090",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1455826343",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha1",
- "threatintel.misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "file"
 },
 {
 "@timestamp": "2014-10-06T07:12:57.000Z",
@@ -468,51 +484,53 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 27875,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "22",
+ "misp.attribute.id": "12394",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1462454963",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "domain",
+ "misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16",
+ "misp.attribute_count": 29,
+ "misp.date": "2014-10-03",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "2",
+ "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CthulhuSPRL.be",
+ "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610622316",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b",
 "service.type": "threatintel",
 "tags": [
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
 "green"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "whatsapp.com",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "22",
- "threatintel.misp.attribute.id": "12394",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1462454963",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "domain",
- "threatintel.misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16",
- "threatintel.misp.attribute_count": "29",
- "threatintel.misp.date": "2014-10-03",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "2",
- "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CthulhuSPRL.be",
- "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610622316",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "whatsapp.com"
 },
 {
 "@timestamp": "2018-08-28T13:20:17.000Z",
@@ -524,57 +542,59 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 29397,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "Fake adobe URL",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "158",
+ "misp.attribute.id": "17299",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1515427692",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "url",
+ "misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219",
+ "misp.attribute_count": 61,
+ "misp.date": "2018-01-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "158",
+ "misp.info": "Turla: Mosquito Whitepaper",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "5",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "ESET",
+ "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
+ "misp.orgc_id": "5",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637953",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219",
 "service.type": "threatintel",
 "tags": [
 "Turla",
 "misp-galaxy:threat-actor=Turla Group",
 "tlp:white"
 ],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "get.adobe.com",
- "threatintel.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=",
- "threatintel.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=",
- "threatintel.indicator.url.path": "/stats/AbfFcBebD/",
- "threatintel.indicator.url.query": "q=",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "Fake adobe URL",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "158",
- "threatintel.misp.attribute.id": "17299",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1515427692",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "url",
- "threatintel.misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219",
- "threatintel.misp.attribute_count": "61",
- "threatintel.misp.date": "2018-01-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "158",
- "threatintel.misp.info": "Turla: Mosquito Whitepaper",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "5",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "ESET",
- "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f",
- "threatintel.misp.orgc_id": "5",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637953",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "get.adobe.com",
+ "threat.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=",
+ "threat.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=",
+ "threat.indicator.url.path": "/stats/AbfFcBebD/",
+ "threat.indicator.url.query": "q=",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "@timestamp": "2018-08-28T13:20:17.000Z",
@@ -586,51 +606,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 31486, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Win32 backdoor C&C URI", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17330", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515429089", + "misp.attribute.to_ids": false, + "misp.attribute.type": "uri", + "misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "url", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Win32 backdoor C&C URI", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - 
"threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17330", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515429089", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "uri", - "threatintel.misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "url" }, { "@timestamp": "2018-08-28T13:20:17.000Z", 
@@ -642,53 +664,55 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 33567, + "misp.attribute.category": "Artifacts dropped", + "misp.attribute.comment": "JavaScript backdoor", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17322", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515429089", + "misp.attribute.to_ids": false, + "misp.attribute.type": "filename|sha1", + "misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea", - "threatintel.indicator.file.name": "google_update_checker.js", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea", + "threat.indicator.file.name": "google_update_checker.js", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": 
"file", - "threatintel.misp.attribute.category": "Artifacts dropped", - "threatintel.misp.attribute.comment": "JavaScript backdoor", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17322", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515429089", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "filename|sha1", - "threatintel.misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file" }, { "@timestamp": "2018-01-23T16:09:56.000Z", 
@@ -700,50 +724,52 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 35697, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "22", + "misp.attribute.id": "12268", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1456266422", + "misp.attribute.to_ids": true, + "misp.attribute.type": "email-src", + "misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a", + "misp.attribute_count": 133, + "misp.date": "2015-12-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "22", + "misp.info": "Packrat: Seven Years of a South American Threat Actor", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "4", + "misp.orgc.local": false, + "misp.orgc.name": "CUDESO", + "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "misp.orgc_id": "4", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637901", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a", "service.type": "threatintel", "tags": [ "tlp:white" ], - "threatintel.indicator.email.address": "claudiobonadio88@gmail.com", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.email.address": "claudiobonadio88@gmail.com", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "email-addr", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - 
"threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "22", - "threatintel.misp.attribute.id": "12268", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1456266422", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "email-src", - "threatintel.misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a", - "threatintel.misp.attribute_count": "133", - "threatintel.misp.date": "2015-12-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "22", - "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "4", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CUDESO", - "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", - "threatintel.misp.orgc_id": "4", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637901", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "email-addr" }, { "@timestamp": "2018-01-23T16:09:56.000Z", 
@@ -755,50 +781,52 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 37011, + "misp.attribute.category": "Artifacts dropped", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "22", + "misp.attribute.id": "12298", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1456266454", + "misp.attribute.to_ids": true, + "misp.attribute.type": "regkey", + "misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a", + "misp.attribute_count": 133, + "misp.date": "2015-12-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "22", + "misp.info": "Packrat: Seven Years of a South American Threat Actor", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "4", + "misp.orgc.local": false, + "misp.orgc.name": "CUDESO", + "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "misp.orgc_id": "4", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637901", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a", "service.type": "threatintel", "tags": [ "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "windows-registry-key", - "threatintel.misp.attribute.category": "Artifacts dropped", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - 
"threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "22", - "threatintel.misp.attribute.id": "12298", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1456266454", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "regkey", - "threatintel.misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a", - "threatintel.misp.attribute_count": "133", - "threatintel.misp.date": "2015-12-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "22", - "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "4", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CUDESO", - "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", - "threatintel.misp.orgc_id": "4", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637901", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + "threat.indicator.provider": "misp", + "threat.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "windows-registry-key" }, { "@timestamp": "2020-12-13T14:03:16.000Z", 
@@ -810,51 +838,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 38330, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "On port 2222", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "10", + "misp.attribute.id": "10686", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1607517728", + "misp.attribute.to_ids": true, + "misp.attribute.type": "ip-dst|port", + "misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16", + "misp.attribute_count": 15, + "misp.date": "2020-12-09", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "10", + "misp.info": "Recent Qakbot (Qbot) activity", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "4", + "misp.orgc.local": false, + "misp.orgc.name": "CUDESO", + "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "misp.orgc_id": "4", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637888", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16", "service.type": "threatintel", "tags": [ "misp-galaxy:banker=Qakbot", "tlp:white" ], - "threatintel.indicator.ip": "62.38.114.12", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "62.38.114.12", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.port": "2222", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "On port 2222", - "threatintel.misp.attribute.deleted": false, - 
"threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "10", - "threatintel.misp.attribute.id": "10686", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1607517728", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "ip-dst|port", - "threatintel.misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16", - "threatintel.misp.attribute_count": "15", - "threatintel.misp.date": "2020-12-09", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "10", - "threatintel.misp.info": "Recent Qakbot (Qbot) activity", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "4", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CUDESO", - "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", - "threatintel.misp.orgc_id": "4", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637888", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16" + "threat.indicator.port": 2222, + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "ipv4-addr" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json index 6db06ab777c..ae03f9bce95 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json 
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json 
@@ -9,48 +9,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 0, + "misp.attribute.category": "Payload installation", + "misp.attribute.comment": "Contextual comment for the file md5 attribute", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3631", + "misp.attribute.id": "266258", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588162", + "misp.attribute.to_ids": false, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52", + "misp.attribute_count": 1, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3631", + "misp.info": "Test event 1 just atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload installation", - "threatintel.misp.attribute.comment": "Contextual comment for the file md5 attribute", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3631", - "threatintel.misp.attribute.id": "266258", - 
"threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588162", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52", - "threatintel.misp.attribute_count": "1", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3631", - "threatintel.misp.info": "Test event 1 just atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -66,48 +68,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 1614, + "misp.attribute.category": "Artifacts dropped", + "misp.attribute.comment": "Artefact dropped for test 2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266259", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588675", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Artifacts dropped", - "threatintel.misp.attribute.comment": "Artefact dropped for test 2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266259", - "threatintel.misp.attribute.object_id": "0", - 
"threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588675", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -123,48 +127,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 3241, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Conext for domain type attribute event 2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266260", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588744", + "misp.attribute.to_ids": true, + "misp.attribute.type": "domain", + "misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "baddom.madeup.local", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Conext for domain type attribute event 2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266260", - 
"threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588744", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "domain", - "threatintel.misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "baddom.madeup.local", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -180,48 +186,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 4870, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Ip-src attribute context for event2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266261", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588800", + "misp.attribute.to_ids": false, + "misp.attribute.type": "ip-src", + "misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.ip": "10.0.0.1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Ip-src attribute context for event2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266261", - "threatintel.misp.attribute.object_id": "0", - 
"threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588800", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "ip-src", - "threatintel.misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "10.0.0.1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "ipv4-addr", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -237,48 +245,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 6484, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "ip-dst context for event id 2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266262", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588836", + "misp.attribute.to_ids": true, + "misp.attribute.type": "ip-dst", + "misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.ip": "192.168.1.50", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "ip-dst context for event id 2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266262", - "threatintel.misp.attribute.object_id": "0", - 
"threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588836", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "ip-dst", - "threatintel.misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "192.168.1.50", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "ipv4-addr", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -294,63 +304,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 8095, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266267", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "fullpath", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6", + "misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + 
"misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266267", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "fullpath", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6", - "threatintel.misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": 
"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -366,63 +378,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 10558, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266268", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "size-in-bytes", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": false, + "misp.attribute.type": "size-in-bytes", + "misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581", + "misp.attribute.value": "505050", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + 
"misp.threat_level_id": 1, + "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266268", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "size-in-bytes", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "size-in-bytes", - "threatintel.misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581", - "threatintel.misp.attribute.value": "505050", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": 
"thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -438,63 +452,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 12990, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266264", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266264", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - 
"threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -510,63 +526,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 15439, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266265", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "sha256", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha256", + "misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266265", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "sha256", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha256", - "threatintel.misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - 
"threatintel.misp.context.attribute.value": "thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -582,63 +600,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 17926, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266266", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "filenameofobject.txt", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266266", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - 
"threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "filenameofobject.txt", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -654,49 +674,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 20372, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3634", + "misp.attribute.id": "266269", + "misp.attribute.object_id": "18208", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621591770", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67", + "misp.attribute.value": "Free text in the file object", + "misp.attribute_count": 3, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3634", + "misp.info": "Test event 4 with object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3634", - "threatintel.misp.attribute.id": "266269", - "threatintel.misp.attribute.object_id": "18208", - "threatintel.misp.attribute.object_relation": "text", - 
"threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621591770", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67", - "threatintel.misp.attribute.value": "Free text in the file object", - "threatintel.misp.attribute_count": "3", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3634", - "threatintel.misp.info": "Test event 4 with object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -712,49 +734,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 21959,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266270",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "sha256",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266270",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "sha256",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -770,49 +794,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 23597,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266271",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.name": "filenameinmispobject.txt",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266271",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "filenameinmispobject.txt",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -828,49 +854,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 25198,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266272",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "text",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8",
+ "misp.attribute.value": "Object 5 free text attribute in object",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266272",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "text",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8",
- "threatintel.misp.attribute.value": "Object 5 free text attribute in object",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -886,49 +914,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 26791,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266275",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "entropy",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "float",
+ "misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252",
+ "misp.attribute.value": "0.53535445",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266275",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "entropy",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "float",
- "threatintel.misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252",
- "threatintel.misp.attribute.value": "0.53535445",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -944,49 +974,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 28360,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266276",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "size-in-bytes",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "size-in-bytes",
+ "misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7",
+ "misp.attribute.value": "55555",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266276",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "size-in-bytes",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "size-in-bytes",
- "threatintel.misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7",
- "threatintel.misp.attribute.value": "55555",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -1002,49 +1034,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 29938,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266273",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "sha256",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266273",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "sha256",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -1060,49 +1094,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 31572,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3635",
+ "misp.attribute.id": "266274",
+ "misp.attribute.object_id": "18209",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621592379",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f",
+ "misp.attribute_count": 5,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3635",
+ "misp.info": "Test event 5 with an object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.name": "object5.txt",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3635",
- "threatintel.misp.attribute.id": "266274",
- "threatintel.misp.attribute.object_id": "18209",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621592379",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f",
- "threatintel.misp.attribute_count": "5",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3635",
- "threatintel.misp.info": "Test event 5 with an object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "object5.txt",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -1118,63 +1154,65 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 33156,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3636",
+ "misp.attribute.id": "266278",
+ "misp.attribute.object_id": "18210",
+ "misp.attribute.object_relation": "text",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1622200348",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987",
+ "misp.attribute.value": "Excutable create bad pipe",
+ "misp.attribute_count": 9,
+ "misp.context.attribute.category": "Artifacts dropped",
+ "misp.context.attribute.comment": "",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3636",
+ "misp.context.attribute.id": "266277",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1622200249",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "windows-service-name",
+ "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
+ "misp.context.attribute.value": "badmojopipe",
+ "misp.date": "2021-05-28",
+ "misp.disable_correlation": false,
+ "misp.distribution": "0",
+ "misp.extends_uuid": "",
+ "misp.id": "3636",
+ "misp.info": "Test event 6 with multiple objects and multiple attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3636",
- "threatintel.misp.attribute.id": "266278",
- "threatintel.misp.attribute.object_id": "18210",
- "threatintel.misp.attribute.object_relation": "text",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1622200348",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987",
- "threatintel.misp.attribute.value": "Excutable create bad pipe",
- "threatintel.misp.attribute_count": "9",
- "threatintel.misp.context.attribute.category": "Artifacts dropped",
- "threatintel.misp.context.attribute.comment": "",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3636",
- "threatintel.misp.context.attribute.id": "266277",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1622200249",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "windows-service-name",
- "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb",
- "threatintel.misp.context.attribute.value": "badmojopipe",
- "threatintel.misp.date": "2021-05-28",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "0",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3636",
- "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -1190,63 +1228,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 35151, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266281", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "size-in-bytes", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "size-in-bytes", + "misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", + "misp.attribute.value": "3892", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + 
"misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266281", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "size-in-bytes", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "size-in-bytes", - "threatintel.misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", - "threatintel.misp.attribute.value": "3892", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - 
"threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
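Review bot: The new side types `misp.attribute.distribution` and `misp.context.attribute.distribution` as the integer `5` and `misp.attribute_count` as `9`, while the sibling enum field `misp.distribution` stays the string `"0"` and the `sharing_group_id` fields stay strings; the same mix is present in the hunks at `@@ -1262,63 +1302,65 @@`, `@@ -1334,63 +1376,65 @@`, `@@ -1406,63 +1450,65 @@`, `@@ -1478,63 +1524,65 @@` and `@@ -1550,63 +1598,65 @@`. If this expected-output file is regenerated from the ingest pipeline, the inconsistency presumably lives in the pipeline's type conversions rather than in this fixture, but it is worth confirming that indexing the event-level `distribution` as a keyword while the attribute-level one becomes a number is intentional, since the same MISP enum split across two mapping types makes range queries and dashboards on it awkward. The last hunk in this chunk, `@@ -1622,63 +1672,65 @@`, starts the same pattern but runs past the end of the view.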
@@ -1262,63 +1302,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 37149, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266283", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "name", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", + "misp.attribute.value": ".data", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + 
"misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266283", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "name", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", - "threatintel.misp.attribute.value": ".data", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - 
"threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1334,63 +1376,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 39130, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266284", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", + "misp.attribute.value": "Extracted zip archive data", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + 
"misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266284", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", - "threatintel.misp.attribute.value": "Extracted zip archive data", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - 
"threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1406,63 +1450,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 41132, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266285", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "entropy", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "float", + "misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", + "misp.attribute.value": "7.93280431051", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 
1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266285", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "entropy", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "float", - "threatintel.misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", - "threatintel.misp.attribute.value": "7.93280431051", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - 
"threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1478,63 +1524,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 43125, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266279", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266279", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": 
"2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1550,63 +1598,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 45136, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266282", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266282", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": 
"2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1622,63 +1672,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 47153, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266280", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "badmojopipe.exe", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266280", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - 
"threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "badmojopipe.exe", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" diff --git a/x-pack/filebeat/module/threatintel/otx/config/config.yml b/x-pack/filebeat/module/threatintel/otx/config/config.yml index 9e2f5169e6f..fe18e1141d3 100644 --- a/x-pack/filebeat/module/threatintel/otx/config/config.yml +++ b/x-pack/filebeat/module/threatintel/otx/config/config.yml @@ -55,17 +55,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} 
diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml index 4cb3ed37aef..4b3f6aeaea6 100644 --- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing MISP Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment 
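Review bot: The new `description` names the wrong feed: this file is `otx/ingest/pipeline.yml`, yet the replacement line reads `Pipeline for parsing Abuse.ch URL Threat Intel` (it replaced an equally wrong `MISP` string). Use `description: Pipeline for parsing AlienVault OTX Threat Intel` so the pipeline is identifiable in `GET _ingest/pipeline` output and in error triage.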
@@ -20,108 +24,126 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.otx + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: otx + - fingerprint: + fields: + - otx.id + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] Alienvault OTX" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" ## File indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'" + if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.md5 + field: otx.indicator + target_field: threat.indicator.file.hash.md5 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'" + if: "ctx.otx?.type == 'FileHash-MD5'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha1 + field: otx.indicator + target_field: threat.indicator.file.hash.sha1 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'" + if: "ctx.otx?.type == 'FileHash-SHA1'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha256 + field: otx.indicator + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'" + if: "ctx.otx?.type == 'FileHash-SHA256'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.pehash + field: otx.indicator + target_field: threat.indicator.file.hash.pehash ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'" + if: "ctx.otx?.type == 'FileHash-PEHASH'" - 
rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.imphash + field: otx.indicator + target_field: threat.indicator.file.hash.imphash ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'" + if: "ctx.otx?.type == 'FileHash-IMPHASH'" ## IP indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: ctx.threatintel?.otx?.type == 'IPv4' + if: ctx.otx?.type == 'IPv4' - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: ctx.threatintel?.otx?.type == 'IPv6' + if: ctx.otx?.type == 'IPv6' - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.ip + field: otx.indicator + target_field: threat.indicator.ip ignore_missing: true - if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" ## URL indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)" + if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)" - uri_parts: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url + field: otx.indicator + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' + if: ctx.threat?.indicator?.type == 'url' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - if: "ctx?.threatintel?.otx?.type == 'URL'" + if: "ctx.otx?.type == 'URL'" ## Email indicator operations - set: - field: threatintel.indicator.type 
+ field: threat.indicator.type value: email-addr - if: ctx?.threatintel?.otx?.type == 'email' + if: ctx.otx?.type == 'email' - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.email.address + field: otx.indicator + target_field: threat.indicator.email.address ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'email-addr'" + if: "ctx.threat?.indicator?.type == 'email-addr'" ## Domain indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)" + if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url.domain + field: otx.indicator + target_field: threat.indicator.url.domain ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null" + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null" ###################### # Cleanup processors # ###################### + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx.otx != null source: | void handleMap(Map map) { for (def x : map.values()) { 
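Review bot: The first file-indicator condition, `ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'`, still dereferences a possibly-null value: `?.` only guards `otx`, so an OTX record whose `type` is absent makes `.startsWith` throw and the whole event is routed to `on_failure` with only `error.message` set, before any `threat.*` field is populated. Rewrite it as `if: "ctx.otx?.type != null && (ctx.otx.type.startsWith('FileHash') || ctx.otx.type == 'filepath')"`. The `fingerprint` on `otx.id` has the same failure mode when the id is missing; if ids can be absent in the feed, add `ignore_missing: true` and accept that such documents get an auto-generated `_id` rather than being deduplicated. The painless script whose `source` begins at the end of this hunk continues outside it.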
@@ -145,16 +167,16 @@ processors: handleMap(ctx); - remove: field: - - threatintel.otx.content + - otx.content ignore_missing: true - if: ctx?.threatintel?.otx?.content == "" + if: ctx.otx?.content == "" - remove: field: - - threatintel.otx.type - - threatintel.otx.id + - otx.type + - otx.id - message ignore_missing: true - if: ctx?.threatintel?.indicator?.type != null + if: ctx.threat?.indicator?.type != null on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/threatintel/otx/manifest.yml b/x-pack/filebeat/module/threatintel/otx/manifest.yml index 0fdefa51d76..72830224984 100644 --- a/x-pack/filebeat/module/threatintel/otx/manifest.yml +++ b/x-pack/filebeat/module/threatintel/otx/manifest.yml @@ -20,6 +20,8 @@ var: - name: tags default: [threatintel-otx, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json index e56752d47c3..590bc64bfbc 100644 --- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json @@ -13,8 +13,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "86.104.194.30", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "86.104.194.30", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
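Review bot: The condition on the final `remove` (`if: ctx.threat?.indicator?.type != null`) is now always true, because the cleanup section earlier in this diff sets `threat.indicator.type` to `unknown` whenever it is null, so `otx.type`, `otx.id` and `message` are unconditionally dropped. Either remove the condition to make that intent obvious, or, if the feed's own identifier should remain queryable after it has been folded into `_id`, keep `otx.id` out of the list and document why with `# otx.id retained: _id is only its fingerprint`.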
@@ -25,15 +27,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 102, + "otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65", + "otx.title": "Win32:Hoblig-B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65", - "threatintel.otx.title": "Win32:Hoblig-B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -49,8 +53,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ip.anysrc.net" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ip.anysrc.net" }, { "event.category": "threat", @@ -66,8 +72,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "107.173.58.176", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "107.173.58.176", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -83,8 +91,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -95,14 +105,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 688, + "otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -118,8 +130,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -130,14 +144,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 1053, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -153,8 +169,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "213.252.244.38", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "213.252.244.38", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -170,8 +188,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -187,8 +207,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -199,14 +221,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 1671, + "otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -222,8 +246,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -239,8 +265,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -256,8 +284,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -273,8 +303,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -290,8 +322,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -302,15 +336,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 2703, + "otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -321,15 +357,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 2919, + "otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -340,15 +378,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 3135, + "otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "otx.title": "Trojan:Win32/Occamy.B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", - "threatintel.otx.title": "Trojan:Win32/Occamy.B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -359,15 +399,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 3355, + "otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -378,14 +420,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 3571, + "otx.title": "vad_contains_network_strings", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "vad_contains_network_strings" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -401,8 +445,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -418,8 +464,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -430,14 +478,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 4098, + "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -453,8 +503,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -465,15 +517,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 4470, + "otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", - "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -484,15 +538,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 4709, + "otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", - "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -508,8 +564,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -520,15 +578,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 5125, + "otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b", + "otx.title": "vad_contains_network_strings", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b", - "threatintel.otx.title": "vad_contains_network_strings" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -539,15 +599,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 5352, + "otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", + "otx.title": "vad_contains_network_strings", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", - "threatintel.otx.title": "vad_contains_network_strings" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -563,8 +625,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "185.25.50.167", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "185.25.50.167", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -580,8 +644,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -597,8 +663,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -609,14 +677,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6018, + "otx.title": "Trojan:Win32/Occamy.B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Trojan:Win32/Occamy.B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -627,14 +697,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6204, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -650,8 +722,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -662,14 +736,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6553, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -680,14 +756,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6735, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -703,8 +781,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -715,15 +795,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7084, + "otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -734,15 +816,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7310, + "otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -753,15 +837,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7536, + "otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -772,15 +858,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7762, + "otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "otx.title": "Trojan:Win32/Occamy.B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", - "threatintel.otx.title": "Trojan:Win32/Occamy.B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -796,8 +884,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "maper.info" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "maper.info" }, { "event.category": "threat", @@ -813,8 +903,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "213.252.244.126", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "213.252.244.126", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -830,8 +922,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "78.129.139.131", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "78.129.139.131", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -842,14 +936,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8309, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -860,14 +956,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8498, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -878,14 +976,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8687, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -896,14 +996,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8876, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -914,14 +1016,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9065, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -932,14 +1036,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9254, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -950,14 +1056,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9443, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -973,8 +1081,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "103.13.67.4", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "103.13.67.4", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -990,8 +1100,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "80.90.87.201", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "80.90.87.201", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1007,8 +1119,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "80.80.163.182", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "80.80.163.182", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1024,8 +1138,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "91.187.114.210", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "91.187.114.210", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1041,8 +1157,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "170.238.117.187", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "170.238.117.187", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -1058,8 +1176,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1075,8 +1195,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "103.84.238.3", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "103.84.238.3", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1092,8 +1214,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "179.43.158.171", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "179.43.158.171", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1109,8 +1233,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "198.211.116.199", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "198.211.116.199", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -1121,14 +1247,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 10641, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "203.176.135.102", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "203.176.135.102", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1144,8 +1272,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "fotmailz.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "fotmailz.com" }, { "event.category": "threat", @@ -1161,8 +1291,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "pori89g5jqo3v8.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "pori89g5jqo3v8.com" }, { "event.category": "threat", @@ -1178,8 +1310,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "sebco.co.ke" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "sebco.co.ke" }, { "event.category": "threat", 
@@ -1190,14 +1324,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11077, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "177.74.232.124", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "177.74.232.124", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1213,8 +1349,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "chishir.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "chishir.com" }, { "event.category": "threat", @@ -1230,8 +1368,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "kostunivo.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "kostunivo.com" }, { "event.category": "threat", @@ -1247,8 +1387,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "mangoclone.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "mangoclone.com" }, { "event.category": "threat", 
@@ -1264,8 +1406,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "onixcellent.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "onixcellent.com" }, { "event.category": "threat", @@ -1276,14 +1420,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11618, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1294,14 +1440,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11774, + "otx.title": "Sf:ShellCode-DZ\\ [Trj]", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Sf:ShellCode-DZ\\ [Trj]" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -1312,14 +1460,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11936, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1330,14 +1480,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12092, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1348,14 +1500,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12248, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "96.9.77.142", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "96.9.77.142", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -1371,8 +1525,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "36.89.106.69", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "36.89.106.69", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1388,8 +1544,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "96.9.73.73", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "96.9.73.73", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1400,15 +1558,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12563, + "otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -1424,12 +1584,14 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "www.playboysplus.com", - "threatintel.indicator.url.full": "http://www.playboysplus.com", - "threatintel.indicator.url.original": "http://www.playboysplus.com", - "threatintel.indicator.url.path": "", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "www.playboysplus.com", + "threat.indicator.url.full": "http://www.playboysplus.com", + "threat.indicator.url.original": "http://www.playboysplus.com", + "threat.indicator.url.path": "", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -1445,12 +1607,14 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "join.playboysplus.com", - "threatintel.indicator.url.full": "http://join.playboysplus.com/signup/", - "threatintel.indicator.url.original": "http://join.playboysplus.com/signup/", - "threatintel.indicator.url.path": "/signup/", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "join.playboysplus.com", + "threat.indicator.url.full": "http://join.playboysplus.com/signup/", + "threat.indicator.url.original": "http://join.playboysplus.com/signup/", + "threat.indicator.url.path": "/signup/", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", 
@@ -1466,13 +1630,15 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "api.vk.com", - "threatintel.indicator.url.extension": "get", - "threatintel.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", - "threatintel.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", - "threatintel.indicator.url.path": "/method/wall.get", - "threatintel.indicator.url.query": "count=1&owner_id=-81972386", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "api.vk.com", + "threat.indicator.url.extension": "get", + "threat.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threat.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threat.indicator.url.path": "/method/wall.get", + "threat.indicator.url.query": "count=1&owner_id=-81972386", + "threat.indicator.url.scheme": "http" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml index 08b2f682f3f..2c610e5379d 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml +++ b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml 
@@ -38,27 +38,12 @@ exclude_files: [".gz$"]
 {{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields:
- - event.dataset
- - json.entity.id
- target_field: "@metadata._id"
- encoding: base64
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
- - script:
- lang: javascript
- id: set_opt_type
- source: >
- function process(event) {
- event.Put("@metadata.op_type", "index");
- }
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
index 8e0a6d4b334..6247c0cd882 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
@@ -1,19 +1,14 @@
 description: Pipeline for parsing Recorded Future threat intel.
 processors:
- #
- # Safeguard against feeding the pipeline with documents other
- # that the ones generated by Filebeat's httpjson input.
- #
- - fail:
- if: "ctx.json == null || !(ctx.json instanceof Map)"
- message: "missing json object in input document"
 #
 # Set basic ECS fields.
 #
 - set:
 field: event.ingested
- value: "{{{ _ingest.timestamp }}}"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
 - set:
 field: event.kind
 value: enrichment
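Review bot: Removing the `fingerprint` processor that hashed `event.dataset` + `json.entity.id` into `@metadata._id`, together with the `set_opt_type` script, drops the stable document ID that let a re-polled Recorded Future entity overwrite its existing indicator document; unless an equivalent `_id` derivation was moved into `ingest/pipeline.yml` (not visible in this diff), each httpjson fetch will now index a fresh document per indicator and the index will accumulate duplicates. Keep the fingerprint here, or add a `fingerprint` processor with `target_field: _id` to the ingest pipeline, with a one-line comment such as `# derive _id from entity.id so re-polling updates indicators instead of duplicating them`. Separately, `tags: {{.tags | tojson}}` emitted JSON-quoted values, while `- {{$val}}` renders each tag raw, so a tag containing `:`, `#` or a leading `-` would now produce invalid or reinterpreted YAML; `- {{$val | tojson}}` preserves the quoting if the template function set is available inside `range`.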
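Review bot: The deleted `fail` step was the only check that `ctx.json` is a Map before later processors dereference `ctx.json.entity`, `ctx.json.timestamps` and `ctx.json.location`; the `json` processor that replaces `decode_json_fields` (added in the following hunk) will also yield an array or scalar from a non-object line, so a malformed feed record now fails with a painless null-pointer or cast error instead of the explicit `missing json object in input document`. Restoring the guard right after the `json` processor keeps the clearer failure mode: `- fail:` / `if: "ctx.json == null || !(ctx.json instanceof Map)"` / `message: "missing json object in input document"`. Also, `ecs.version` is set to `"1.12"` here whereas the `add_fields` processor removed from config.yml set `1.12.0`; confirm which form the module's fixtures and the other threatintel pipelines use so the value stays consistent across filesets.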
@@ -24,14 +19,29 @@ processors:
 field: event.type
 value: indicator
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] RecordedFuture"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
+
 #
- # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type).
 #
 - script:
 lang: painless
 if: "ctx.json.entity?.type != null"
 description: >
- Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ Map entity.type field to STIX 2.0 Cyber Observable values (threat.indicator.type).
 params:
 IpAddress: ipv4-addr
 InternetDomainName: domain-name
@@ -40,7 +50,7 @@ processors:
 source: >
 String mapping = params[ctx.json.entity.type];
 if (mapping != null) {
- ctx["threatintel_indicator_type"] = mapping;
+ ctx["threat_indicator_type"] = mapping;
 }
 on_failure:
 - append:
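Review bot: `ignore_missing: true` on the `rename` of `message` is inconsistent with the unconditional `json` processor directly after it: a document with no `message` still fails, only now with the json processor's generic "field [event.original] not present" error rather than a message naming the pipeline's input contract, and a `message` that parses to a non-object still reaches `ctx.json.entity?.type` in the script below, where the null-safe operator does not protect the `ctx.json.entity` dereference itself. Decide whether the field is required and make the two steps agree, e.g. drop `ignore_missing` from the rename, or add `ignore_missing: true` to `json` and tighten the script condition to `if: "ctx.json instanceof Map && ctx.json.entity?.type != null"`. The hard-coded `threat.feed.dashboard_id` is the same UUID the OTX fixtures above carry; presumably it is a dashboard shared by all threatintel filesets, and a comment such as `# Kibana dashboard id shared by every threatintel fileset` would make that explicit — confirm against the module's Kibana saved objects.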
@@ -48,24 +58,24 @@ processors:
 value: 'Unable to determine indicator type from "{{{ json.entity.type }}}": {{{ _ingest.on_failure_message }}}'
 - rename:
- field: threatintel_indicator_type
- target_field: threatintel.indicator.type
+ field: threat_indicator_type
+ target_field: threat.indicator.type
 ignore_missing: true
 #
 # Detect ipv6 for ipv4-addr types.
 #
 - set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
 value: ipv6-addr
- if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")'
+ if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")'
 #
 # Map first and last seen dates.
 #
 - date:
 field: json.timestamps.firstSeen
- target_field: threatintel.indicator.first_seen
+ target_field: threat.indicator.first_seen
 formats:
 - ISO8601
 if: "ctx.json.timestamps?.firstSeen != null"
@@ -75,7 +85,7 @@ processors:
 value: 'Error parsing firstSeen field value "{{{ json.timestamps.firstSeen }}}": {{{ _ingest.on_failure_message }}}'
 - date:
 field: json.timestamps.lastSeen
- target_field: threatintel.indicator.last_seen
+ target_field: threat.indicator.last_seen
 formats:
 - ISO8601
 if: "ctx.json.timestamps?.lastSeen != null"
@@ -89,20 +99,20 @@ processors:
 #
 - rename:
 field: json.location.location.city
- target_field: threatintel.indicator.geo.city_name
+ target_field: threat.indicator.geo.city_name
 ignore_missing: true
 - rename:
 field: json.location.location.continent
- target_field: threatintel.indicator.geo.continent_name
+ target_field: threat.indicator.geo.continent_name
 ignore_missing: true
 - rename:
 field: json.location.location.country
- target_field: threatintel.indicator.geo.country_name
+ target_field: threat.indicator.geo.country_name
 ignore_missing: true
 - grok:
 field: json.location.asn
 patterns:
- - "^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$"
+ - "^(?:[Aa][Ss])?%{NUMBER:threat.indicator.as.number:long}$"
 ignore_missing: true
 on_failure:
 - append:
@@ -110,10 +120,10 @@ processors:
 value: "Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}"
 - rename:
 field: json.location.organization
- target_field: threatintel.indicator.as.organization.name
+ target_field: threat.indicator.as.organization.name
 ignore_missing: true
 - set:
- field: threatintel.indicator.reference
+ field: threat.indicator.reference
 value: "{{{ json.intelCard }}}"
 ignore_empty_value: true
 - set:
@@ -123,30 +133,30 @@ processors:
 - set:
 field: json.ip_range
 value: "{{{ json.entity.name }}}/32"
- if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
+ if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
 value: "{{{ json.entity.name }}}/128"
- if: 'ctx.threatintel?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
+ if: 'ctx.threat?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
 value: "{{{json.entity.name}}}"
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
 - rename:
 field: json.entity.name
- target_field: threatintel.indicator.ip
+ target_field: threat.indicator.ip
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
 - rename:
 field: json.entity.name
- target_field: threatintel.indicator.url.domain
+ target_field: threat.indicator.url.domain
 ignore_missing: true
- if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null'
+ if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null'
 - uri_parts:
 field: json.entity.name
- target_field: threatintel.indicator.url
+ target_field: threat.indicator.url
 keep_original: true
 remove_if_successful: true
- if: 'ctx.threatintel?.indicator?.type == "url"'
+ if: 'ctx.threat?.indicator?.type == "url"'
 on_failure:
 - append:
 field: error.message
@@ -157,10 +167,10 @@ processors:
 field: json.fileHashes
 value: "{{{ json.entity.name }}}"
 allow_duplicates: false
- if: 'ctx.threatintel?.indicator?.type == "file"'
+ if: 'ctx.threat?.indicator?.type == "file"'
 - remove:
 field: json.entity.name
- if: 'ctx.threatintel?.indicator?.type == "file"'
+ if: 'ctx.threat?.indicator?.type == "file"'
 - script:
 lang: painless
 description: >
@@ -187,7 +197,7 @@ processors:
 value: "Failed to map fileHashes field: {{ _ingest.on_failure_message }}"
 - rename:
 field: _hashes
- target_field: threatintel.indicator.file.hash
+ target_field: threat.indicator.file.hash
 ignore_missing: true
 #
@@ -213,11 +223,48 @@ processors:
 - message
 ignore_missing: true
 #
- # Save fields without an ECS mapping under `threatintel.recordedfuture`.
+ # Save fields without an ECS mapping under `recordedfuture`.
 #
 - rename:
 field: json
- target_field: threatintel.recordedfuture
+ target_field: recordedfuture
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx.threat?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx.recordedfuture != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
index 93df3884160..da8a88e19da 100644
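Review bot: In the last hunk of this file the null-stripping script is gated on `if: ctx.recordedfuture != null` but walks the whole document via `handleMap(ctx)`, so guard and scope disagree: when the feed object is present, null-valued keys anywhere in the event (ECS fields included) are dropped, and when it is absent none are. If only the non-ECS payload is meant to be cleaned, call `handleMap(ctx.recordedfuture);` and the guard becomes exact; if the whole document is intended, drop the guard and say so, e.g. `# Remove null-valued keys anywhere in the document, not only under recordedfuture.`. `handleList` also recurses into nested maps and lists but never removes `null` elements from the list itself, so a list such as `[null, {...}]` keeps its null; `list.removeIf(v -> v == null);` after its loop closes that gap if it is unintended. The `processors` list these entries belong to starts outside the hunk, and whether the trailing `on_failure` context is the pipeline-level handler or attached to the last processor cannot be told from the flattened indentation here.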
--- a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
@@ -14,6 +14,8 @@ var:
 default: [threatintel-recordedfuture, forwarded]
 - name: proxy_url
 - name: api_token
+ - name: preserve_original_event
+ default: false
 ingest_pipeline:
 - ingest/pipeline.yml
 input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
index 29b0a8ed4a5..7da98ffcc29 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
@@ -9,26 +9,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, + "recordedfuture.entity.id": "idn:16url-gy.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-07-25T20:29:32.750Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.901Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "16url-gy.example.net", - "threatintel.recordedfuture.entity.id": "idn:16url-gy.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-07-25T20:29:32.750Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.901Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "16url-gy.example.net" }, { "event.category": "threat", 
@@ -40,26 +42,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 482, + "recordedfuture.entity.id": "idn:b999f.example.org", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2012-11-21T01:54:04.292Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.812Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "b999f.example.org", - "threatintel.recordedfuture.entity.id": "idn:b999f.example.org", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2012-11-21T01:54:04.292Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.812Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "b999f.example.org" }, { "event.category": "threat", 
@@ -71,26 +75,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 955, + "recordedfuture.entity.id": "idn:c422.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-02-21T13:53:46.470Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.778Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "c422.example.net", - "threatintel.recordedfuture.entity.id": "idn:c422.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-02-21T13:53:46.470Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.778Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "c422.example.net" }, { "event.category": "threat", 
@@ -102,26 +108,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1425, + "recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-08-15T11:56:24.964Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.747Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "8rwcvgjsp.example.net", - "threatintel.recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-08-15T11:56:24.964Z", + "threat.indicator.last_seen": 
"2021-06-20T18:23:47.747Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "8rwcvgjsp.example.net" }, { "event.category": "threat", 
@@ -133,26 +141,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1910, + "recordedfuture.entity.id": "idn:c9px.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-06-29T21:06:06.066Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.460Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "c9px.example.net", - "threatintel.recordedfuture.entity.id": "idn:c9px.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-06-29T21:06:06.066Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.460Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "c9px.example.net" }, { "event.category": "threat", 
@@ -164,26 +174,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2380, + "recordedfuture.entity.id": "idn:ttj1i9z7.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-09-20T03:26:08.564Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ttj1i9z7.example.com", - "threatintel.recordedfuture.entity.id": "idn:ttj1i9z7.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-09-20T03:26:08.564Z", + "threat.indicator.last_seen": 
"2021-06-20T18:23:47.373Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ttj1i9z7.example.com" }, { "event.category": "threat", 
@@ -195,26 +207,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2862, + "recordedfuture.entity.id": "idn:7pgc.example.org", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2017-02-23T17:44:16.104Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "7pgc.example.org", - "threatintel.recordedfuture.entity.id": "idn:7pgc.example.org", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2017-02-23T17:44:16.104Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "7pgc.example.org" }, { "event.category": "threat", 
@@ -226,26 +240,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3332, + "recordedfuture.entity.id": "idn:xm5u434.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2017-04-10T06:55:27.658Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "xm5u434.example.net", - "threatintel.recordedfuture.entity.id": "idn:xm5u434.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2017-04-10T06:55:27.658Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "xm5u434.example.net" }, { "event.category": "threat", 
@@ -257,26 +273,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3811, + "recordedfuture.entity.id": "idn:gpgju.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-07-27T15:22:39.390Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "gpgju.example.com", - "threatintel.recordedfuture.entity.id": "idn:gpgju.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-07-27T15:22:39.390Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "gpgju.example.com" }, { "event.category": "threat", 
@@ -288,25 +306,27 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4284, + "recordedfuture.entity.id": "idn:55g.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2021-01-10T21:24:38.353Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:45.025Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "55g.example.com", - "threatintel.recordedfuture.entity.id": "idn:55g.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-01-10T21:24:38.353Z", + "threat.indicator.last_seen": "2021-06-20T18:23:45.025Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "55g.example.com" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json index dbc47e31767..cf8b9c1b23e 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json 
@@ -9,24 +9,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "25328d1a481903f2d900479570842247", - "threatintel.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", - "threatintel.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.503Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.503Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -44,10 +32,24 @@ "timestamp": "2021-06-20T18:40:18.503Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "25328d1a481903f2d900479570842247", + "threat.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", + "threat.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threat.indicator.first_seen": "2021-06-20T18:40:18.503Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.503Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -59,24 +61,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1478, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b", - "threatintel.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17", - "threatintel.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.452Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.452Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -94,10 +84,24 @@ "timestamp": "2021-06-20T18:40:18.452Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b", + "threat.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17", + "threat.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threat.indicator.first_seen": "2021-06-20T18:40:18.452Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.452Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -109,24 +113,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2954, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209", - "threatintel.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8", - "threatintel.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.343Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.343Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -144,10 +136,24 @@ "timestamp": "2021-06-20T18:40:18.343Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209", + "threat.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8", + "threat.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threat.indicator.first_seen": "2021-06-20T18:40:18.343Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.343Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -159,24 +165,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4457, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635", - "threatintel.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9", - "threatintel.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.258Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.258Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -194,10 +188,24 @@ "timestamp": "2021-06-20T18:40:18.257Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635", + "threat.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9", + "threat.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threat.indicator.first_seen": "2021-06-20T18:40:18.258Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.258Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -209,24 +217,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 5932, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e", - "threatintel.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2", - "threatintel.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.131Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.131Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -236,10 +232,24 @@ "timestamp": "2021-06-19T17:39:24.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/14", - "threatintel.recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "1/14", + "recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e", + "threat.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2", + "threat.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "threat.indicator.first_seen": "2021-06-20T18:40:18.131Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.131Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -251,24 +261,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 7054, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af", - "threatintel.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705", - "threatintel.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.093Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.093Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -286,10 +284,24 @@ "timestamp": "2021-06-20T18:40:18.093Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af", + "threat.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705", + "threat.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "threat.indicator.first_seen": "2021-06-20T18:40:18.093Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.093Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -301,24 +313,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 8550, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a", - "threatintel.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e", - "threatintel.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.070Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.070Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -336,10 +336,24 @@ "timestamp": "2021-06-20T18:40:18.070Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a", + "threat.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e", + "threat.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "threat.indicator.first_seen": "2021-06-20T18:40:18.070Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.070Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -351,24 +365,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 10020, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4", - "threatintel.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2", - "threatintel.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.011Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.011Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -386,10 +388,24 @@ "timestamp": "2021-06-20T18:40:18.010Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4", + "threat.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2", + "threat.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "threat.indicator.first_seen": "2021-06-20T18:40:18.011Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.011Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -401,24 +417,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 11492, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542", - "threatintel.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645", - "threatintel.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.indicator.first_seen": "2021-06-20T18:40:17.964Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:17.964Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -436,10 +440,24 @@ "timestamp": "2021-06-20T18:40:17.964Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542", + "threat.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645", + "threat.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "threat.indicator.first_seen": "2021-06-20T18:40:17.964Z", + "threat.indicator.last_seen": "2021-06-20T18:40:17.964Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -451,24 +469,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 12964, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1", - "threatintel.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711", - "threatintel.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.indicator.first_seen": "2021-06-20T18:40:17.919Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:17.919Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -486,9 +492,23 @@ "timestamp": "2021-06-20T18:40:17.919Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1", + "threat.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711", + "threat.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "threat.indicator.first_seen": "2021-06-20T18:40:17.919Z", + "threat.indicator.last_seen": "2021-06-20T18:40:17.919Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "threat.indicator.type": "file" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json index 74488f715da..c46c3e2a51f 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json 
@@ -9,32 +9,34 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, + "recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 31287, - "threatintel.indicator.as.organization.name": "IPACCT CABLE Ltd", - "threatintel.indicator.first_seen": "2021-04-18T00:11:48.512Z", - "threatintel.indicator.geo.city_name": "Radnevo", - "threatintel.indicator.geo.continent_name": "Europe", - "threatintel.indicator.geo.country_name": "Bulgaria", - "threatintel.indicator.last_seen": "2021-06-19T19:40:32.897Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.indicator.type": "ipv6-addr", - "threatintel.recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - 
"threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 31287, + "threat.indicator.as.organization.name": "IPACCT CABLE Ltd", + "threat.indicator.first_seen": "2021-04-18T00:11:48.512Z", + "threat.indicator.geo.city_name": "Radnevo", + "threat.indicator.geo.continent_name": "Europe", + "threat.indicator.geo.country_name": "Bulgaria", + "threat.indicator.last_seen": "2021-06-19T19:40:32.897Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "threat.indicator.type": "ipv6-addr" }, { "event.category": "threat", 
@@ -46,32 +48,33 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 763,
+ "recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 197207,
- "threatintel.indicator.as.organization.name": "Mobile Communication Company of Iran PLC",
- "threatintel.indicator.first_seen": "2021-06-19T17:55:58.019Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "Iran",
- "threatintel.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:32.839Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.indicator.type": "ipv6-addr",
- "threatintel.recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 197207,
+ "threat.indicator.as.organization.name": "Mobile Communication Company of Iran PLC",
+ "threat.indicator.first_seen": "2021-06-19T17:55:58.019Z",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "Iran",
+ "threat.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "threat.indicator.last_seen": "2021-06-19T19:40:32.839Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "threat.indicator.type": "ipv6-addr"
 },
 {
 "event.category": "threat",
@@ -83,31 +86,29 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 1531,
+ "recordedfuture.entity.id": "ip:203.0.113.55",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
+ "recordedfuture.ip_range": "203.0.113.55/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.organization.name": null,
- "threatintel.indicator.first_seen": "2021-06-19T19:40:30.596Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": null,
- "threatintel.indicator.geo.country_name": null,
- "threatintel.indicator.ip": "203.0.113.55",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:30.596Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.55",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
- "threatintel.recordedfuture.ip_range": "203.0.113.55/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-19T19:40:30.596Z",
+ "threat.indicator.ip": "203.0.113.55",
+ "threat.indicator.last_seen": "2021-06-19T19:40:30.596Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -119,32 +120,34 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 2161,
+ "recordedfuture.entity.id": "ip:203.0.113.108",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
+ "recordedfuture.ip_range": "203.0.113.108/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 17622,
- "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network",
- "threatintel.indicator.first_seen": "2021-06-19T19:40:20.534Z",
- "threatintel.indicator.geo.city_name": "Guangzhou",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "China",
- "threatintel.indicator.ip": "203.0.113.108",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:20.534Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.108",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
- "threatintel.recordedfuture.ip_range": "203.0.113.108/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 17622,
+ "threat.indicator.as.organization.name": "China Unicom Guangzhou network",
+ "threat.indicator.first_seen": "2021-06-19T19:40:20.534Z",
+ "threat.indicator.geo.city_name": "Guangzhou",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "China",
+ "threat.indicator.ip": "203.0.113.108",
+ "threat.indicator.last_seen": "2021-06-19T19:40:20.534Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -156,32 +159,33 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 2851,
+ "recordedfuture.entity.id": "ip:203.0.113.139",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
+ "recordedfuture.ip_range": "203.0.113.139/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 7713,
- "threatintel.indicator.as.organization.name": "PT Telekomunikasi Indonesia",
- "threatintel.indicator.first_seen": "2016-06-23T07:39:06.418Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "Indonesia",
- "threatintel.indicator.ip": "203.0.113.139",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:03.882Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.139",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
- "threatintel.recordedfuture.ip_range": "203.0.113.139/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 7713,
+ "threat.indicator.as.organization.name": "PT Telekomunikasi Indonesia",
+ "threat.indicator.first_seen": "2016-06-23T07:39:06.418Z",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "Indonesia",
+ "threat.indicator.ip": "203.0.113.139",
+ "threat.indicator.last_seen": "2021-06-19T19:40:03.882Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -193,32 +197,34 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 3532,
+ "recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 17622,
- "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network",
- "threatintel.indicator.first_seen": "2021-06-19T19:40:02.557Z",
- "threatintel.indicator.geo.city_name": "Guangzhou",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "China",
- "threatintel.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:02.557Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.indicator.type": "ipv6-addr",
- "threatintel.recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
- "threatintel.recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 17622,
+ "threat.indicator.as.organization.name": "China Unicom Guangzhou network",
+ "threat.indicator.first_seen": "2021-06-19T19:40:02.557Z",
+ "threat.indicator.geo.city_name": "Guangzhou",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "China",
+ "threat.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "threat.indicator.last_seen": "2021-06-19T19:40:02.557Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
+ "threat.indicator.type": "ipv6-addr"
 },
 {
 "event.category": "threat",
@@ -230,32 +236,34 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 4295,
+ "recordedfuture.entity.id": "ip:192.0.2.147",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
+ "recordedfuture.ip_range": "192.0.2.147/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 4837,
- "threatintel.indicator.as.organization.name": "CHINA UNICOM China169 Backbone",
- "threatintel.indicator.first_seen": "2017-12-20T02:21:07.734Z",
- "threatintel.indicator.geo.city_name": "Zhengzhou",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "China",
- "threatintel.indicator.ip": "192.0.2.147",
- "threatintel.indicator.last_seen": "2021-06-19T19:39:43.160Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:192.0.2.147",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
- "threatintel.recordedfuture.ip_range": "192.0.2.147/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 4837,
+ "threat.indicator.as.organization.name": "CHINA UNICOM China169 Backbone",
+ "threat.indicator.first_seen": "2017-12-20T02:21:07.734Z",
+ "threat.indicator.geo.city_name": "Zhengzhou",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "China",
+ "threat.indicator.ip": "192.0.2.147",
+ "threat.indicator.last_seen": "2021-06-19T19:39:43.160Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -267,28 +275,13 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 4972,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.as.number": 9829,
- "threatintel.indicator.as.organization.name": "National Internet Backbone",
- "threatintel.indicator.first_seen": "2019-12-24T09:54:02.935Z",
- "threatintel.indicator.geo.city_name": "Palakkad",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "India",
- "threatintel.indicator.ip": "203.0.113.198",
- "threatintel.indicator.last_seen": "2021-06-19T19:39:25.532Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.198",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
- "threatintel.recordedfuture.ip_range": "203.0.113.198/32",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "ip:203.0.113.198",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
+ "recordedfuture.ip_range": "203.0.113.198/32",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -298,10 +291,27 @@
 "timestamp": "2019-12-24T09:53:13.546Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/54",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/54",
+ "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 9829,
+ "threat.indicator.as.organization.name": "National Internet Backbone",
+ "threat.indicator.first_seen": "2019-12-24T09:54:02.935Z",
+ "threat.indicator.geo.city_name": "Palakkad",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "India",
+ "threat.indicator.ip": "203.0.113.198",
+ "threat.indicator.last_seen": "2021-06-19T19:39:25.532Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -313,28 +323,13 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 5970,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.as.number": 9829,
- "threatintel.indicator.as.organization.name": "National Internet Backbone",
- "threatintel.indicator.first_seen": "2020-03-03T08:10:28.489Z",
- "threatintel.indicator.geo.city_name": "Bangalore",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "India",
- "threatintel.indicator.ip": "192.0.2.179",
- "threatintel.indicator.last_seen": "2021-06-19T19:39:11.694Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:192.0.2.179",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
- "threatintel.recordedfuture.ip_range": "192.0.2.179/32",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "ip:192.0.2.179",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
+ "recordedfuture.ip_range": "192.0.2.179/32",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -360,10 +355,27 @@
 "timestamp": "2021-06-21T19:53:19.897Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "3/54",
- "threatintel.recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 3,
- "threatintel.recordedfuture.risk.score": 15
+ "recordedfuture.risk.riskString": "3/54",
+ "recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 3,
+ "recordedfuture.risk.score": 15,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 9829,
+ "threat.indicator.as.organization.name": "National Internet Backbone",
+ "threat.indicator.first_seen": "2020-03-03T08:10:28.489Z",
+ "threat.indicator.geo.city_name": "Bangalore",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "India",
+ "threat.indicator.ip": "192.0.2.179",
+ "threat.indicator.last_seen": "2021-06-19T19:39:11.694Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -375,28 +387,13 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 7483,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.as.number": 45899,
- "threatintel.indicator.as.organization.name": "VNPT Corp",
- "threatintel.indicator.first_seen": "2021-06-19T19:38:57.372Z",
- "threatintel.indicator.geo.city_name": "Long Phu",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "Vietnam",
- "threatintel.indicator.ip": "192.0.2.245",
- "threatintel.indicator.last_seen": "2021-06-19T19:38:57.372Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:192.0.2.245",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
- "threatintel.recordedfuture.ip_range": "192.0.2.245/32",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "ip:192.0.2.245",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
+ "recordedfuture.ip_range": "192.0.2.245/32",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -406,9 +403,26 @@
 "timestamp": "2021-06-19T19:50:20.162Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/54",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/54",
+ "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 45899,
+ "threat.indicator.as.organization.name": "VNPT Corp",
+ "threat.indicator.first_seen": "2021-06-19T19:38:57.372Z",
+ "threat.indicator.geo.city_name": "Long Phu",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "Vietnam",
+ "threat.indicator.ip": "192.0.2.245",
+ "threat.indicator.last_seen": "2021-06-19T19:38:57.372Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
+ "threat.indicator.type": "ipv4-addr"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
index 779d86ae965..f840643fef3 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
@@ -9,26 +9,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 0,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "d6s.example.net",
- "threatintel.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.indicator.url.path": "/nzy/vvc68ke",
- "threatintel.indicator.url.query": "p5uxwn=1bj",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -38,10 +24,26 @@
 "timestamp": "2021-04-15T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "d6s.example.net",
+ "threat.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
+ "threat.indicator.url.path": "/nzy/vvc68ke",
+ "threat.indicator.url.query": "p5uxwn=1bj",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "event.category": "threat",
@@ -53,26 +55,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 874,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ga7v9u.example.org",
- "threatintel.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.indicator.url.path": "/bnqv8e2v8/qb49",
- "threatintel.indicator.url.query": "7kq=iw61",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -82,10 +70,26 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ga7v9u.example.org",
+ "threat.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
+ "threat.indicator.url.path": "/bnqv8e2v8/qb49",
+ "threat.indicator.url.query": "7kq=iw61",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "event.category": "threat",
@@ -97,26 +101,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 1760,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cdmw.example.net",
- "threatintel.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.indicator.url.path": "/c20fwa/wwn",
- "threatintel.indicator.url.query": "dlz53=z6ovc",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -126,10 +116,26 @@
 "timestamp": "2021-05-15T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cdmw.example.net",
+ "threat.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
+ "threat.indicator.url.path": "/c20fwa/wwn",
+ "threat.indicator.url.query": "dlz53=z6ovc",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "event.category": "threat",
@@ -141,26 +147,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 2627,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "4mne.example.local",
- "threatintel.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.indicator.url.path": "/ns2rk8f/wngtk2xz",
- "threatintel.indicator.url.query": "vceuk7wl6=3p0",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -170,10 +162,26 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "4mne.example.local",
+ "threat.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
+ "threat.indicator.url.path": "/ns2rk8f/wngtk2xz",
+ "threat.indicator.url.query": "vceuk7wl6=3p0",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "event.category": "threat",
@@ -185,26 +193,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 3524,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "z198hloc8.example.com",
- "threatintel.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.indicator.url.path": "/f8ih39/f6kou",
- "threatintel.indicator.url.query": "f6-u3=uwhii",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -214,10 +208,26 @@
 "timestamp": "2020-06-24T12:01:33.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "z198hloc8.example.com",
+ "threat.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
+ "threat.indicator.url.path": "/f8ih39/f6kou",
+ "threat.indicator.url.query": "f6-u3=uwhii",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "event.category": "threat",
@@ -229,26 +239,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 4377,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "y484j-fb6.example.local",
- "threatintel.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.indicator.url.path": "/b97s24xf/prz",
- "threatintel.indicator.url.query": "sg-x1do=4myont",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -258,10 +254,26 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "y484j-fb6.example.local",
+ "threat.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "threat.indicator.url.path": "/b97s24xf/prz",
+ "threat.indicator.url.query": "sg-x1do=4myont",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "event.category": "threat",
@@ -273,26 +285,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 5272,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "sp2xyqq82.example.local",
- "threatintel.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.indicator.url.path": "/zxvm093/kat1rcz",
- "threatintel.indicator.url.query": "vaev0aeod=rc0513",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -302,10 +300,26 @@
 "timestamp": "2020-11-16T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "sp2xyqq82.example.local",
+ "threat.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "threat.indicator.url.path": "/zxvm093/kat1rcz",
+ "threat.indicator.url.query": "vaev0aeod=rc0513",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "event.category": "threat",
@@ -317,26 +331,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 6187,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "zh4o7xc.example.com",
- "threatintel.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.indicator.url.path": "/-yiq/vg2whtxif",
- "threatintel.indicator.url.query": "cb0-knk=s6poib5r",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -346,10 +346,26 @@
 "timestamp": "2021-05-15T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "zh4o7xc.example.com",
+ "threat.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "threat.indicator.url.path": "/-yiq/vg2whtxif",
+ "threat.indicator.url.query": "cb0-knk=s6poib5r",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "event.category": "threat",
@@ -361,26 +377,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 7094,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "fiivf4s.example.org",
- "threatintel.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.indicator.url.path": "/8u2qi/86vfcfq7m",
- "threatintel.indicator.url.query": "pfb2ensc0=h7imk8io2",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -390,10 +392,26 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "fiivf4s.example.org",
+ "threat.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "threat.indicator.url.path": "/8u2qi/86vfcfq7m",
+ "threat.indicator.url.query": "pfb2ensc0=h7imk8io2",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "event.category": "threat",
@@ -405,26 +423,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 8007,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "abav9v.example.org",
- "threatintel.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.indicator.url.path": "/gj93q/7fs7",
- "threatintel.indicator.url.query": "kcq7=pjaj1",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -434,9 +438,25 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "abav9v.example.org",
+ "threat.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "threat.indicator.url.path": "/gj93q/7fs7",
+ "threat.indicator.url.query": "kcq7=pjaj1",
+ "threat.indicator.url.scheme": "http"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/threatq/config/config.yml b/x-pack/filebeat/module/threatintel/threatq/config/config.yml
index 89e8cab731e..0f520215bc8 100644
--- a/x-pack/filebeat/module/threatintel/threatq/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/threatq/config/config.yml
@@ -1,7 +1,6 @@
 {{ if eq .input "httpjson" }}
 type: httpjson
-config_version: "2"
 interval: {{ .interval }}
 auth.oauth2:
@@ -50,22 +49,12 @@ exclude_files: [".gz$"]
 {{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
fields: [message]
target: json
process_array: true
max_depth: 5
overwrite_keys: true
add_error_key: true
- - fingerprint:
fields: ["json.id", "json.indicator_id"]
target_field: "@metadata._id"
ignore_missing: true
- - add_fields:
target: ''
fields:
ecs.version: 1.12.0
\ No newline at end of file
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml
index 6d301f89844..96f8b224e19 100644
--- a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml
@@ -1,3 +1,4 @@
+---
 description: Pipeline for parsing ThreatQ Threat Intel
 processors:
 ####################
@@ -6,6 +7,9 @@ processors:
 - set:
 field: event.ingested
 value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
 - set:
 field: event.kind
 value: enrichment
@@ -19,6 +23,19 @@ processors:
 ###############
 # Parse dates #
 ###############
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - fingerprint:
+ fields:
+ - json.id
+ - json.indicator_id
+ target_field: "_id"
+ ignore_missing: true
 - date:
 target_field: "@timestamp"
 field: "json.updated_at"
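Review bot: The new `tags:` block emits each configured tag with `- {{$val}}`, unquoted, whereas the removed `tags: {{.tags | tojson}}` produced a YAML-safe JSON array; a tag containing `: `, ` #`, a leading `[`/`{` or similar now yields a malformed or reinterpreted generated config instead of a plain string. Since `tojson` is already available in this template, rendering each entry as `  - {{$val | tojson}}` keeps the per-item layout and restores the quoting. The dropped `config_version: "2"` is presumably fine on a branch whose httpjson input no longer has a v1 schema, but it is worth a line in the commit description so the change is not backported to a branch where omitting it selects the old schema.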
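Review bot: The pipeline now sets `ecs.version` to `"1.12"`, while the `add_fields` processor this commit removes from config.yml emitted `ecs.version: 1.12.0`; documents indexed before and after this change will carry two different strings for the same ECS release, which breaks exact-match filters on the field. If the rest of the repository pins the full patch version, the value here should be `value: "1.12.0"` for consistency.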
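Review bot: The new `json` processor has no `on_failure` and no `ignore_failure`, so a message that is not valid JSON — or a document where `event.original` is absent, which the preceding `rename` with `ignore_missing: true` explicitly permits — fails the processor and, unless a pipeline-level `on_failure` exists outside this hunk, aborts indexing of the whole document. The `decode_json_fields` processor this commit removes from config.yml ran with `add_error_key: true`, so malformed feed records used to be indexed with an error marker rather than dropped, and the `convert` processor removed further down already modelled the intended handling by appending `{{{ _ingest.on_failure_message }}}` to `error.message`. Applying the same handler to the `json` step preserves that behaviour; the `fingerprint` step that follows is fine as written, since `ignore_missing: true` lets it skip silently when neither `json.id` nor `json.indicator_id` is present.
```yaml
  - json:
      field: event.original
      target_field: json
      on_failure:
        - append:
            field: error.message
            value: "{{{ _ingest.on_failure_message }}}"
```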
@@ -27,28 +44,28 @@ processors:
 if: "ctx.json.updated_at != null"
 ignore_failure: true
 - date:
- target_field: "threatintel.threatq.created_at"
+ target_field: "threatq.created_at"
 field: "json.created_at"
 formats:
 - "yyyy-MM-dd HH:mm:ss"
 if: "ctx.json.created_at != null"
 ignore_failure: true
 - date:
- target_field: "threatintel.threatq.expires_at"
+ target_field: "threatq.expires_at"
 field: "json.expires_at"
 formats:
 - "yyyy-MM-dd HH:mm:ss"
 if: "ctx.json.expires_at != null"
 ignore_failure: true
 - date:
- target_field: "threatintel.threatq.expires_calculated_at"
+ target_field: "threatq.expires_calculated_at"
 field: "json.expires_calculated_at"
 formats:
 - "yyyy-MM-dd HH:mm:ss"
 if: "ctx.json.expires_calculated_at != null"
 ignore_failure: true
 - date:
- target_field: "threatintel.threatq.published_at"
+ target_field: "threatq.published_at"
 field: "json.published_at"
 formats:
 - "yyyy-MM-dd HH:mm:ss"
@@ -58,29 +75,50 @@ processors:
 #####################
 # Threat ECS Fields #
 #####################
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] ThreatQuotient"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
 - rename:
 field: json.type.name
- target_field: threatintel.indicator.type
+ target_field: threat.indicator.type
 ignore_missing: true
 - rename:
 field: json.description
- target_field: threatintel.indicator.description
+ target_field: threat.indicator.description
 ignore_missing: true
- - convert:
- field: json.score
- target_field: threatintel.indicator.confidence
- type: integer
- on_failure:
- - append:
- field: error.message
- value: "Cannot convert json.score to integer: {{{ _ingest.on_failure_message }}}"
+ - script:
+ lang: painless
+ if: ctx.json?.score != null
+ description: >
+ Normalize confidence level.
+ source: >
+ def value = ctx.json.score;
+ if (value <= 0.0 || value > 100.0) {
+ ctx.threat.indicator.confidence = "None";
+ return;
+ }
+ if (value >= 1.0 && value <= 29.0) {
+ ctx.threat.indicator.confidence = "Low";
+ return;
+ }
+ if (value >= 30.0 && value <= 69.0) {
+ ctx.threat.indicator.confidence = "Med";
+ return;
+ }
+ if (value >= 70 && value <= 100) {
+ ctx.threat.indicator.confidence = "High";
+ return;
+ }
 - rename:
 field: json.status.name
- target_field: threatintel.threatq.status
+ target_field: threatq.status
 ignore_missing: true
 - rename:
 field: json.value
- target_field: threatintel.threatq.indicator_value
+ target_field: threatq.indicator_value
 ignore_missing: true
 #########################################
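Review bot: The confidence script writes `"Med"` for the 30–69 band, but `threat.indicator.confidence` is an ECS keyword whose expected values are Not Specified, None, Low, Medium and High, so indicator-match rules and dashboards that filter on `Medium` will never see these documents. The script also dereferences `ctx.threat.indicator` unguarded: the two `set` processors above only guarantee `ctx.threat`, and both `rename` steps that would create `threat.indicator` are `ignore_missing: true`, so a record with a score but no `type.name`/`description` raises a null-pointer error and fails the document. Finally, the four closed ranges leave gaps at (0,1), (29,30) and (69,70) that set nothing, and, unlike the `convert` this replaces, a score delivered as a string (if the API ever does that — hedged) throws in the comparison rather than being recorded in `error.message`. The rewrite below uses contiguous bands, the ECS value, and a guard for the missing object; whether `(0,1)` should be `Low` or `None` is a product decision worth stating in the `description`.
```yaml
  - script:
      lang: painless
      if: ctx.json?.score != null
      description: >
        Normalize confidence level into the ECS threat.indicator.confidence vocabulary.
      source: >
        def value = ctx.json.score instanceof String ? Double.parseDouble(ctx.json.score) : ctx.json.score;
        if (ctx.threat.indicator == null) {
          ctx.threat.indicator = new HashMap();
        }
        if (value <= 0 || value > 100) {
          ctx.threat.indicator.confidence = "None";
        } else if (value < 30) {
          ctx.threat.indicator.confidence = "Low";
        } else if (value < 70) {
          ctx.threat.indicator.confidence = "Medium";
        } else {
          ctx.threat.indicator.confidence = "High";
        }
```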
@@ -89,119 +127,144 @@ processors: # Indicator type: Email Address - set: - field: threatintel.indicator.email.address - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'" + field: threat.indicator.email.address + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-addr - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" # Indicator type: FQDN - set: - field: threatintel.indicator.domain - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'" + field: threat.indicator.domain + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" # Indicator type: IP Address - set: - field: threatintel.indicator.ip - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IP Address'" + field: threat.indicator.ip + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" + ignore_empty_value: true + - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: "ctx?.threatintel?.indicator?.type != null && 
ctx?.threatintel?.indicator?.type == 'IP Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" # Indicator type: IPv6 Address - set: - field: threatintel.indicator.domain - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'" + field: threat.indicator.domain + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" # Indicator type: MD5 - set: - field: threatintel.indicator.file.hash.md5 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'" + field: threat.indicator.file.hash.md5 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" # Indicator type: SHA-1 - set: - field: threatintel.indicator.file.hash.sha1 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'" + field: threat.indicator.file.hash.sha1 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: 
threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" # Indicator type: SHA-256 - set: - field: threatintel.indicator.file.hash.sha256 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'" + field: threat.indicator.file.hash.sha256 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" # Indicator type: SHA-512 - set: - field: threatintel.indicator.file.hash.sha512 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'" + field: threat.indicator.file.hash.sha512 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" # Indicator type: URL + - uri_parts: + field: threatq.indicator_value + target_field: threat.indicator.url + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL' && ctx.threatq?.indicator_value != null" + remove_if_successful: true - set: - field: threatintel.indicator.url.full - value: "{{threatintel.threatq.indicator_value}}" - if: 
"ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'" - - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL'" # Indicator type: x509 Serial - set: - field: threatintel.indicator.x509.serial_number - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'x509 Serial'" + field: threat.indicator.x509.serial_number + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'x509 Serial'" + ignore_empty_value: true ################################### # Map indicator providers and TLP # ################################### - - foreach: - description: Append threat intel sources - field: json.sources - ignore_missing: true - processor: - append: - field: threatintel.indicator.provider - value: "{{{ _ingest._value.name }}}" - - foreach: - description: Append threat intel source TLP values - field: json.sources - ignore_missing: true - processor: - append: - field: threatintel.indicator.marking.tlp - value: "{{{ _ingest._value.tlp_name }}}" + - script: + if: "ctx.json?.sources != null && ctx.json?.sources instanceof List && ctx.json?.sources.size() > 0" + lang: painless + description: "Extract TLP and providers from source" + source: |- + def providers = new ArrayList(); + def tlps = new ArrayList(); + for (source in ctx.json.sources) { + if (source == null) { + return; + } + if (source.containsKey("provider") && source["provider"] != null) { + providers.add(source["provider"]); + } + if (source.containsKey("tlp_name") && source["tlp_name"] != null) { + tlps.add(source["tlp_name"]); + } + } + if (tlps.size() > 0) { + if (ctx.threat.indicator.marking == null) { + ctx.threat.indicator.marking = new 
HashMap(); + } + ctx.threat.indicator.marking.tlp = tlps; + } + if (providers.size() > 0) { + if (ctx.threat.indicator.provider == null) { + ctx.threat.indicator.provider = new HashMap(); + } + ctx.threat.indicator.provider = providers; + } ############################ # Map indicator attributes # @@ -228,7 +291,7 @@ processors: ignore_missing: true processor: append: - field: threatintel.threatq.attributes.{{{ _ingest._value.name }}} + field: threatq.attributes.{{{ _ingest._value.name }}} value: "{{{ _ingest._value.value }}}" ############################# @@ -239,20 +302,25 @@ processors: ignore_missing: true processor: append: - field: threatintel.threatq.adversaries + field: threatq.adversaries value: "{{{ _ingest._value.name }}}" ###################### # Cleanup processors # ###################### # Setting indicator type to unknown if it does not match anything + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx.threat != null source: | void handleMap(Map map) { for (def x : map.values()) { diff --git a/x-pack/filebeat/module/threatintel/threatq/manifest.yml b/x-pack/filebeat/module/threatintel/threatq/manifest.yml index dd7165b182f..d5628d2a705 100644 --- a/x-pack/filebeat/module/threatintel/threatq/manifest.yml +++ b/x-pack/filebeat/module/threatintel/threatq/manifest.yml @@ -11,11 +11,13 @@ var: - name: client_id - name: client_secret - name: host - default: "https://www.threatq.com/" + default: "https://www.threatq.com" - name: proxy_url - name: http_client_timeout - name: tags default: [threatintel-threatq, forwarded] + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml 
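Review bot: In the sources script at the end of this hunk, `if (source == null) { return; }` aborts the whole script and discards the providers and TLPs already collected from earlier entries; it should be `continue`. The lookup reads `source["provider"]`, while the foreach it replaces read `_ingest._value.name` and the updated expected output no longer lists `AlienVault OTX` as a provider, which suggests the sample's sources carry `name` rather than `provider` — worth confirming against the fixture before the attribution is silently lost. The script also writes through `ctx.threat.indicator`, which is absent when neither `json.type.name` nor `json.description` was present (both renames use `ignore_missing`), and the `provider = new HashMap()` assignment is immediately overwritten by the list. Separately, the IPv6 Address branch still copies the value into `threat.indicator.domain`; it should be `field: threat.indicator.ip` as in the IPv4 branch.
```yaml
      source: |-
        def providers = new ArrayList();
        def tlps = new ArrayList();
        for (source in ctx.json.sources) {
          if (source == null) {
            continue;
          }
          // TODO(review): confirm the key; the foreach this replaces read `name`
          def provider = source.containsKey("provider") ? source["provider"] : source["name"];
          if (provider != null) {
            providers.add(provider);
          }
          if (source.containsKey("tlp_name") && source["tlp_name"] != null) {
            tlps.add(source["tlp_name"]);
          }
        }
        if (ctx.threat.indicator == null) {
          ctx.threat.indicator = new HashMap();
        }
        if (tlps.size() > 0) {
          if (ctx.threat.indicator.marking == null) {
            ctx.threat.indicator.marking = new HashMap();
          }
          ctx.threat.indicator.marking.tlp = tlps;
        }
        if (providers.size() > 0) {
          ctx.threat.indicator.provider = providers;
        }
```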
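Review bot: The condition on the new `remove` processor for `event.original`, `ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))`, is the one place in this diff that keeps the `ctx?.` form the rest of the change drops; for consistency write `if: "ctx.tags == null || !ctx.tags.contains('preserve_original_event')"`. It also pairs `ignore_failure: true` with `ignore_missing: true`; `ignore_missing` already covers the absent-field case, and `ignore_failure` would hide any other error, so dropping it seems safer. The manifest adds a `preserve_original_event` variable, but nothing in this hunk turns it into the tag the condition checks; presumably the input config does, which is outside this view.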
diff --git a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json index 58c61e5161c..58958850bd5 100644 --- a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json 
@@ -14,38 +14,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.44.202.220", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.44.202.220", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "3" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Saipan" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "MP" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.44.202.220", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.44.202.220", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -62,38 +58,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.94.155.176", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.94.155.176", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Sacramento" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.94.155.176", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.94.155.176", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -110,38 +102,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.42.81.68", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.42.81.68", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "New York" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.42.81.68", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.42.81.68", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -158,32 +146,28 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "37.17.250.101", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "37.17.250.101", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:41.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z", - "threatintel.threatq.indicator_value": "37.17.250.101", - "threatintel.threatq.published_at": "2020-09-11T14:35:41.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:41.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z", + "threatq.indicator_value": "37.17.250.101", + "threatq.published_at": "2020-09-11T14:35:41.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -200,38 +184,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.94.129.203", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.94.129.203", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Sacramento" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.94.129.203", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.94.129.203", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -248,38 +228,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.216.117.22", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.216.117.22", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "3" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Houston" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.216.117.22", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.216.117.22", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -296,38 +272,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.80.70.115", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.80.70.115", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Fort Lauderdale" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.80.70.115", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.80.70.115", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -344,38 +316,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.65.79.99", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.65.79.99", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Pompano Beach" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.65.79.99", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.65.79.99", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", 
@@ -392,37 +360,33 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.199.22.46", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.199.22.46", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Little Elm" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.199.22.46", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.199.22.46", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc index 9b7e4401204..d56df0ba01b 100644 --- a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc 
+++ b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" devic *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.paths`*:: diff --git a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc index 5728796de54..779c5deabc0 100644 --- a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc @@ -28,7 +28,7 @@ NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device *`var.input`*:: -The input from which messages are read. One of `file`, `tcp` or `udp`. +The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. *`var.syslog_host`*:: diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index fc162f600dd..5ea23a3b0db 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml @@ -1177,11 +1177,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. functionbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Functionbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
@@ -1366,6 +1361,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml index dc6622a50b3..8f0f019626b 100644 --- a/x-pack/heartbeat/heartbeat.reference.yml +++ b/x-pack/heartbeat/heartbeat.reference.yml @@ -1529,11 +1529,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. heartbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Heartbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -1718,6 +1713,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index c1d3f485cb6..be4adb144c8 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml 
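Review bot: The new `http.pprof.enabled` comment says the endpoints "may leak data" without saying what, and nothing in the comment ties the "only on localhost" advice to the setting that actually controls the bind address. Suggest: `# Enables the /debug/pprof endpoints on the HTTP stats server. Only enable this when http.host is bound to localhost: the profiles expose heap, goroutine and command-line details of the process and allow triggering CPU profiles.` — assuming this is Go's net/http/pprof behind the stats endpoint and that `http.host` is the bind-address option here, neither of which this hunk shows. The identical text is added to the heartbeat and metricbeat reference files in the following hunks, presumably generated from one shared libbeat template, so the wording fix belongs there.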
@@ -2727,11 +2727,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. metricbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Metricbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -2916,6 +2911,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/x-pack/metricbeat/module/aws/rds/manifest.yml b/x-pack/metricbeat/module/aws/rds/manifest.yml index 0cd7117778d..997a8c71ea3 100644 --- a/x-pack/metricbeat/module/aws/rds/manifest.yml +++ b/x-pack/metricbeat/module/aws/rds/manifest.yml @@ -159,7 +159,7 @@ processors: - from: "aws.rds.metrics.TransactionLogsGeneration.avg" to: "aws.rds.transaction_logs_generation" - from: "aws.rds.metrics.WriteIOPS.avg" - to: "aws.rds.write_iops" + to: "aws.rds.write.iops" - from: "aws.rds.metrics.Queries.avg" to: "aws.rds.queries" - from: "aws.rds.metrics.Deadlocks.avg" diff --git a/x-pack/metricbeat/module/azure/billing/billing.go b/x-pack/metricbeat/module/azure/billing/billing.go index 66917644296..ea2a788b292 100644 --- a/x-pack/metricbeat/module/azure/billing/billing.go +++ b/x-pack/metricbeat/module/azure/billing/billing.go @@ -5,8 +5,6 @@ package billing import ( - "time" - "github.com/pkg/errors" "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" 
@@ -60,13 +58,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - results, err := m.client.GetMetrics(startTime, endTime) + results, err := m.client.GetMetrics() if err != nil { return errors.Wrap(err, "error retrieving usage information") } - events := EventsMapping(results, startTime, endTime, m.client.Config.SubscriptionId) + events := EventsMapping(m.client.Config.SubscriptionId, results) for _, event := range events { isOpen := report.Event(event) if !isOpen { diff --git a/x-pack/metricbeat/module/azure/billing/client.go b/x-pack/metricbeat/module/azure/billing/client.go index 2d7ce9bca9a..3f1c73bf2f0 100644 --- a/x-pack/metricbeat/module/azure/billing/client.go +++ b/x-pack/metricbeat/module/azure/billing/client.go @@ -12,6 +12,7 @@ import ( "github.com/pkg/errors" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/elastic/beats/v7/libbeat/logp" @@ -25,7 +26,7 @@ type Client struct { } type Usage struct { - UsageDetails []consumption.BasicUsageDetail + UsageDetails []prevConsumption.UsageDetail ActualCosts []consumption.Forecast ForecastCosts []consumption.Forecast } 
@@ -45,7 +46,8 @@ func NewClient(config azure.Config) (*Client, error) { } // GetMetrics returns the usage detail and forecast values. -func (client *Client) GetMetrics(startTime time.Time, endTime time.Time) (Usage, error) { +func (client *Client) GetMetrics() (Usage, error) { + var usage Usage scope := fmt.Sprintf("subscriptions/%s", client.Config.SubscriptionId) if client.Config.BillingScopeDepartment != "" { @@ -53,9 +55,11 @@ func (client *Client) GetMetrics(startTime time.Time, endTime time.Time) (Usage, } else if client.Config.BillingScopeAccountId != "" { scope = fmt.Sprintf("/providers/Microsoft.Billing/billingAccounts/%s", client.Config.BillingScopeAccountId) } - - filter := fmt.Sprintf("properties/usageStart eq '%s' and properties/usageEnd eq '%s'", startTime.Format(time.RFC3339Nano), endTime.Format(time.RFC3339Nano)) - usageDetails, err := client.BillingService.GetUsageDetails(scope, "properties/meterDetails", filter, "", nil, consumption.MetrictypeActualCostMetricType) + startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-24) * time.Hour) + endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) + usageDetails, err := client.BillingService.GetUsageDetails(scope, "properties/meterDetails", + fmt.Sprintf("properties/usageStart eq '%s' and properties/usageEnd eq '%s'", startTime.Format(time.RFC3339Nano), endTime.Format(time.RFC3339Nano)), + "", nil, "properties/instanceLocation") if err != nil { return usage, errors.Wrap(err, "Retrieving usage details failed in client") } diff --git a/x-pack/metricbeat/module/azure/billing/client_test.go b/x-pack/metricbeat/module/azure/billing/client_test.go index 55bd15062d3..c18562fd945 100644 --- a/x-pack/metricbeat/module/azure/billing/client_test.go +++ b/x-pack/metricbeat/module/azure/billing/client_test.go 
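Review bot: The doc comment `// GetMetrics returns the usage detail and forecast values.` in the first client.go hunk no longer describes the contract, because the query window is now fixed inside the function: startTime is the current UTC day truncated to midnight minus 24h and endTime is startTime plus 24h minus one second, i.e. the previous UTC calendar day, and callers can no longer choose it. Suggest `// GetMetrics returns the forecast values and the usage details for the previous UTC calendar day.` The last argument to GetUsageDetails changed from a typed consumption.Metrictype to the string literal "properties/instanceLocation"; the parameter is named apply, so it presumably becomes the OData $apply expression of the 2019-01-01 client — worth confirming, and if so a one-line comment above the call naming what it groups by would save the next reader the lookup. GetMetrics continues past the end of the hunk.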
@@ -7,8 +7,8 @@ package billing import ( "errors" "testing" - "time" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" @@ -26,11 +26,9 @@ func TestClient(t *testing.T) { client.Config = config m := &MockService{} m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{}, errors.New("invalid query")) - m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil) + m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(prevConsumption.UsageDetailsListResultPage{}, nil) client.BillingService = m - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - results, err := client.GetMetrics(startTime, endTime) + results, err := client.GetMetrics() assert.Error(t, err) assert.Equal(t, len(results.ActualCosts), 0) m.AssertExpectations(t) 
@@ -41,11 +39,9 @@ func TestClient(t *testing.T) { m := &MockService{} forecasts := []consumption.Forecast{{}, {}} m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{Value: &forecasts}, nil) - m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil) + m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(prevConsumption.UsageDetailsListResultPage{}, nil) client.BillingService = m - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - results, err := client.GetMetrics(startTime, endTime) + results, err := client.GetMetrics() assert.NoError(t, err) assert.Equal(t, len(results.ActualCosts), 2) assert.Equal(t, len(results.ForecastCosts), 2) diff --git a/x-pack/metricbeat/module/azure/billing/data.go b/x-pack/metricbeat/module/azure/billing/data.go index 7f9c0a19279..9aafb87d992 100644 --- a/x-pack/metricbeat/module/azure/billing/data.go +++ b/x-pack/metricbeat/module/azure/billing/data.go @@ -5,6 +5,8 @@ package billing import ( + "fmt" + "strings" "time" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" 
@@ -15,71 +17,36 @@ import ( "github.com/elastic/beats/v7/metricbeat/mb" ) -func EventsMapping(results Usage, startTime time.Time, endTime time.Time, subscriptionId string) []mb.Event { +func EventsMapping(subscriptionId string, results Usage) []mb.Event { var events []mb.Event - // usage details come in different forms, most common for this api call is LegacyUsageDetail if len(results.UsageDetails) > 0 { - for _, ud := range results.UsageDetails { - event := mb.Event{Timestamp: time.Now().UTC()} - if legacyUsageDetail, err := ud.AsLegacyUsageDetail(); err == true { - event.ModuleFields = common.MapStr{ + for _, usageDetail := range results.UsageDetails { + event := mb.Event{ + ModuleFields: common.MapStr{ "resource": common.MapStr{ - "type": legacyUsageDetail.ConsumedService, - "group": legacyUsageDetail.ResourceGroup, - "name": legacyUsageDetail.ResourceName, + "type": usageDetail.ConsumedService, + "group": getResourceGroupFromId(*usageDetail.InstanceID), + "name": usageDetail.InstanceName, }, - "subscription_id": legacyUsageDetail.SubscriptionID, - } - event.MetricSetFields = common.MapStr{ - "pretax_cost": legacyUsageDetail.Cost, - "department_name": legacyUsageDetail.InvoiceSection, - "product": legacyUsageDetail.Product, - "usage_start": startTime, - "usage_end": endTime, - "billing_period_start": legacyUsageDetail.BillingPeriodStartDate.ToTime(), - "billing_period_end": legacyUsageDetail.BillingPeriodEndDate.ToTime(), - "currency": legacyUsageDetail.BillingCurrency, - "effective_price": legacyUsageDetail.EffectivePrice, - "account_name": legacyUsageDetail.BillingAccountName, - "account_id": legacyUsageDetail.BillingAccountID, - "subscription_name": legacyUsageDetail.SubscriptionName, - "unit_price": legacyUsageDetail.UnitPrice, - "quantity": legacyUsageDetail.Quantity, - } - event.RootFields = common.MapStr{} - event.RootFields.Put("cloud.provider", "azure") - event.RootFields.Put("cloud.region", legacyUsageDetail.ResourceLocation) - 
event.RootFields.Put("cloud.instance.name", legacyUsageDetail.ResourceName) - event.RootFields.Put("cloud.instance.id", legacyUsageDetail.ResourceID) - } - if modernUsageDetail, err := ud.AsModernUsageDetail(); err == true { - event.ModuleFields = common.MapStr{ - "resource": common.MapStr{ - "type": modernUsageDetail.ConsumedService, - "group": modernUsageDetail.ResourceGroup, - "name": modernUsageDetail.InstanceName, - }, - "subscription_id": modernUsageDetail.SubscriptionGUID, - } - event.MetricSetFields = common.MapStr{ - "product": modernUsageDetail.Product, - "usage_start": startTime, - "usage_end": endTime, - "billing_period_start": modernUsageDetail.BillingPeriodStartDate.ToTime(), - "billing_period_end": modernUsageDetail.BillingPeriodEndDate.ToTime(), - "currency": modernUsageDetail.BillingCurrencyCode, - "account_id": modernUsageDetail.BillingAccountID, - "billing_account_name": modernUsageDetail.BillingAccountName, - "subscription_name": modernUsageDetail.SubscriptionName, - "unit_price": modernUsageDetail.UnitPrice, - } - event.RootFields = common.MapStr{} - event.RootFields.Put("cloud.provider", "azure") - event.RootFields.Put("cloud.region", modernUsageDetail.ResourceLocation) - } - if _, err := ud.AsUsageDetail(); err == true { - continue + "subscription_id": usageDetail.SubscriptionGUID, + }, + MetricSetFields: common.MapStr{ + "pretax_cost": usageDetail.PretaxCost, + "department_name": usageDetail.DepartmentName, + "product": usageDetail.Product, + "usage_start": usageDetail.UsageStart.ToTime(), + "usage_end": usageDetail.UsageEnd.ToTime(), + "currency": usageDetail.Currency, + "billing_period_id": usageDetail.BillingPeriodID, + "account_name": usageDetail.AccountName, + }, + Timestamp: time.Now().UTC(), } + event.RootFields = common.MapStr{} + event.RootFields.Put("cloud.provider", "azure") + event.RootFields.Put("cloud.region", usageDetail.InstanceLocation) + event.RootFields.Put("cloud.instance.name", usageDetail.InstanceName) + 
event.RootFields.Put("cloud.instance.id", usageDetail.InstanceID) events = append(events, event) } } @@ -125,3 +92,14 @@ func EventsMapping(results Usage, startTime time.Time, endTime time.Time, subscr } return events } + +// getResourceGroupFromId maps resource group from resource ID +func getResourceGroupFromId(path string) string { + params := strings.Split(path, "/") + for i, param := range params { + if param == "resourceGroups" { + return fmt.Sprintf("%s", params[i+1]) + } + } + return "" +} diff --git a/x-pack/metricbeat/module/azure/billing/data_test.go b/x-pack/metricbeat/module/azure/billing/data_test.go index 25490b33213..8d883d2862d 100644 --- a/x-pack/metricbeat/module/azure/billing/data_test.go +++ b/x-pack/metricbeat/module/azure/billing/data_test.go @@ -8,9 +8,9 @@ import ( "testing" "time" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + consumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/Azure/go-autorest/autorest/date" - - "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/shopspring/decimal" "github.com/stretchr/testify/assert" ) @@ -18,7 +18,6 @@ import ( func TestEventMapping(t *testing.T) { usageDate := "2020-08-08" name := "test" - billingAccountId := "123" startDate := date.Time{} var charge decimal.Decimal = decimal.NewFromFloat(8.123456) 
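Review bot: `getResourceGroupFromId(*usageDetail.InstanceID)` in EventsMapping dereferences InstanceID unconditionally, so a single usage record without an instance ID panics the whole Fetch instead of yielding an event with an empty group; the same pointer is passed without a deref to `cloud.instance.id` one line later, so only the group lookup needs it. Guard it before building the event, e.g. `group := ""` followed by `if usageDetail.InstanceID != nil { group = getResourceGroupFromId(*usageDetail.InstanceID) }`, and use `group` in the map. `usageDetail.UsageStart.ToTime()` and `UsageEnd.ToTime()` are called on pointer fields the same way — if the API can omit them this has the same failure mode, so confirm they are always populated. EventsMapping starts before and ends after this hunk.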
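Review bot: `params[i+1]` in getResourceGroupFromId indexes past the slice when "resourceGroups" is the final path segment of the resource ID, which panics on a truncated or unexpectedly shaped ID; `fmt.Sprintf("%s", params[i+1])` is also just a copy of a string that is already a string. Change the loop body to `if param == "resourceGroups" && i+1 < len(params) { return params[i+1] }`, after which the new fmt import in data.go is only needed if something else uses it. The IDs come from the billing API response, so the helper should tolerate whatever segment layout comes back rather than assume it; documenting the expected layout in the comment, `// getResourceGroupFromId returns the segment following "resourceGroups" in an Azure resource ID, or "" if absent`, would also make the contract explicit.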
@@ -38,19 +37,26 @@ func TestEventMapping(t *testing.T) { ChargeType: "Actual", ConfidenceLevels: nil, } - var pros = consumption.LegacyUsageDetailProperties{ - BillingAccountID: &billingAccountId, - BillingAccountName: &name, - BillingPeriodStartDate: &startDate, - BillingPeriodEndDate: &startDate, - Cost: &charge, - InvoiceSection: &name, - Product: &name, - } - var legacy = consumption.LegacyUsageDetail{ - LegacyUsageDetailProperties: &pros, + var prop1 = prevConsumption.UsageDetailProperties{ + InstanceName: &name, + SubscriptionName: &name, + AccountName: &name, + DepartmentName: &name, + Product: &name, + InstanceID: &name, + UsageStart: &startDate, + UsageEnd: &startDate, } - var usage = Usage{UsageDetails: []consumption.BasicUsageDetail{legacy}, + usage := Usage{ + UsageDetails: []prevConsumption.UsageDetail{ + { + UsageDetailProperties: &prop1, + ID: nil, + Name: nil, + Type: nil, + Tags: nil, + }, + }, ActualCosts: []consumption.Forecast{ { ForecastProperties: &prop2, @@ -58,17 +64,17 @@ func TestEventMapping(t *testing.T) { Name: nil, Type: nil, Tags: nil, - }}, ForecastCosts: []consumption.Forecast{ + }}, + ForecastCosts: []consumption.Forecast{ { ForecastProperties: &prop, ID: nil, Name: nil, Type: nil, Tags: nil, - }}} - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - events := EventsMapping(usage, startTime, endTime, "sub") + }}, + } + events := EventsMapping("sub", usage) assert.Equal(t, len(events), 2) for _, event := range events { diff --git a/x-pack/metricbeat/module/azure/billing/mock_service.go b/x-pack/metricbeat/module/azure/billing/mock_service.go index c91723aee12..2ab1d557855 100644 --- a/x-pack/metricbeat/module/azure/billing/mock_service.go +++ b/x-pack/metricbeat/module/azure/billing/mock_service.go 
@@ -11,6 +11,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" ) @@ -35,19 +36,7 @@ func (service *MockService) GetForcast(filter string) (consumption.ForecastsList } // GetUsageDetails is a mock function for the billing service -func (service *MockService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) { +func (service *MockService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) { args := service.Called(scope, expand, filter, skiptoken, top, apply) - return args.Get(0).(consumption.UsageDetailsListResultPage), args.Error(1) -} - -// GetMarketplaceUsage -func (service *MockService) GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) { - args := service.Called(scope, filter, skiptoken, top) - return args.Get(0).(consumption.MarketplacesListResultPage), args.Error(1) -} - -// GetCharges -func (service *MockService) GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) { - args := service.Called(scope, startDate, endDate, filter, apply) - return args.Get(0).(consumption.ChargesListResult), args.Error(1) + return args.Get(0).(prevConsumption.UsageDetailsListResultPage), args.Error(1) } diff --git a/x-pack/metricbeat/module/azure/billing/service.go b/x-pack/metricbeat/module/azure/billing/service.go index 7f7831130df..cb7d588a0f2 100644 --- a/x-pack/metricbeat/module/azure/billing/service.go +++ b/x-pack/metricbeat/module/azure/billing/service.go 
@@ -12,25 +12,23 @@ import ( "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/Azure/go-autorest/autorest/azure/auth" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + "github.com/elastic/beats/v7/libbeat/logp" ) // Service interface for the azure monitor service and mock for testing type Service interface { GetForcast(filter string) (consumption.ForecastsListResult, error) - GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) - GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) - GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) + GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) } // BillingService service wrapper to the azure sdk for go type UsageService struct { - forcastsClient *consumption.ForecastsClient - usageClient *consumption.UsageDetailsClient - marketplaceClient *consumption.MarketplacesClient - chargesClient *consumption.ChargesClient - context context.Context - log *logp.Logger + usageDetailsClient *prevConsumption.UsageDetailsClient + forcastsClient *consumption.ForecastsClient + context context.Context + log *logp.Logger } // NewService instantiates the Azure monitoring service 
@@ -43,21 +41,15 @@ func NewService(config azure.Config) (*UsageService, error) { return nil, err } forcastsClient := consumption.NewForecastsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) - usageDetailsClient := consumption.NewUsageDetailsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) - // no data available for marketplace and charges apis but could be in the future - marketplaceClient := consumption.NewMarketplacesClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) - chargesClient := consumption.NewChargesClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) + usageDetailsClient := prevConsumption.NewUsageDetailsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) + forcastsClient.Authorizer = authorizer usageDetailsClient.Authorizer = authorizer - marketplaceClient.Authorizer = authorizer - chargesClient.Authorizer = authorizer service := &UsageService{ - forcastsClient: &forcastsClient, - usageClient: &usageDetailsClient, - marketplaceClient: &marketplaceClient, - chargesClient: &chargesClient, - context: context.Background(), - log: logp.NewLogger("azure billing service"), + usageDetailsClient: &usageDetailsClient, + forcastsClient: &forcastsClient, + context: context.Background(), + log: logp.NewLogger("azure billing service"), } return service, nil } 
@@ -68,16 +60,6 @@ func (service *UsageService) GetForcast(filter string) (consumption.ForecastsLis } // GetUsageDetails -func (service *UsageService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) { - return service.usageClient.List(service.context, scope, expand, filter, skiptoken, top, apply) -} - -// GetMarketplaceUsage -func (service *UsageService) GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) { - return service.marketplaceClient.List(service.context, scope, filter, top, skiptoken) -} - -// GetCharges -func (service *UsageService) GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) { - return service.chargesClient.List(service.context, scope, startDate, endDate, filter, apply) +func (service *UsageService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) { + return service.usageDetailsClient.List(service.context, scope, expand, filter, skiptoken, top, apply) } diff --git a/x-pack/osquerybeat/osquerybeat.reference.yml b/x-pack/osquerybeat/osquerybeat.reference.yml index 9e00e1efbbf..edb3adcfb1d 100644 --- a/x-pack/osquerybeat/osquerybeat.reference.yml +++ b/x-pack/osquerybeat/osquerybeat.reference.yml 
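Review bot: The comment above the rewritten GetUsageDetails is the bare name `// GetUsageDetails`, which satisfies the linter but documents nothing, and the apply parameter is now a free-form string rather than a typed consumption.Metrictype, so the reader gets no hint of what it carries. Suggest `// GetUsageDetails returns one page of usage details for scope from the 2019-01-01 consumption API; expand, filter, skiptoken, top and apply are passed through to UsageDetailsClient.List unchanged.` The same method on the Service interface in the earlier service.go hunk has no comment either and would benefit from the same sentence.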
@@ -896,11 +896,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. osquerybeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Osquerybeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -1085,6 +1080,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index 236087aae23..5f931ddde70 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml @@ -1878,11 +1878,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. packetbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Packetbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
@@ -2067,6 +2062,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled. diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml index 7507fcc099c..093ac17761c 100644 --- a/x-pack/winlogbeat/module/powershell/_meta/fields.yml +++ b/x-pack/winlogbeat/module/powershell/_meta/fields.yml @@ -127,6 +127,14 @@ - name: script_block_text type: text + analyzer: + winlogbeat_powershell_script_analyzer: + type: pattern + pattern: "[\\W&&[^-]]+" + search_analyzer: + winlogbeat_powershell_script_analyzer: + type: pattern + pattern: "[\\W&&[^-]]+" description: > Text of the executed script block. example: ".\\a_script.ps1" diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go index 16bb78e0a37..8ca3a28ece4 100644 --- a/x-pack/winlogbeat/module/powershell/fields.go +++ b/x-pack/winlogbeat/module/powershell/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetPowershell returns asset data. // This is the base64 encoded zlib format compressed contents of module/powershell. func AssetPowershell() string { - return "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" + return "eJzEV8Fu4zYQvfsrBjnspZAaJ86m9mGBdIsWBtokSNLsYb01RuLYYkORKknb8X59QYqKrUhKbCdocwhgkZz3ZubxjRTBA61HUKgVaZORED0Ay62gEVy7Z7fuGeSKLQT1ABiZVPPCciVH8KkHAHCXkSFATWAzAlqStDDjJJgBU1DKZzwFq/xiGQZmSvuff/BUK6NmNvrCJVMrE20gf7wqSKPDQQEoGYQt26yEmpu4B6BJEBoaQUIWexDQRz1PLwKJOW1nGHPmVwDsuqCRK8BK6epZLcMSZ8zisEiPmBeuNk/USz5l5brwCl6Q4JKmuwNfhyPAm9hH/aNOKL2QpsB0H6ibcKQVajDD4fH5gEWDM0yiAZ2dRsP+8CyiYX/4Ux/TkyRJutkY+mdBMqUaFaHkvLXWYTPIRZ6QBjXzItmEA3qkdOE2N3j2OylYZVHshH/ndm6B52QMzskAl55IlUwT/LgTPVV5jrLeirlWi6KNwC9o0WkZLbHqxpQpE4MQqQKvJA7h7wkbbfb0sL35Ta2hzapqd+HVVfF5NJmE+ziZmLWxlJ+eTCZpzmJ6pKCHbVru/760LjGn/Wh14zvAffHv1sV++BdFIXjqPavJYIli0aRg6dF24mcEXC7Vwyuw47xQ2ka/qxQF/07MywjqP6MZF+SIwIVOM76kGzJqoVMyTaYOs8xiysgiF6ZBG7XGdRfvT1sLABey3O0qqZK/KbUGUiUtcsnlHEoEYsDlTOncw3YXfQeu8UGtzshvdMhlnNZKfy55jJ9AdyIUbvS07gV7cQtHnSmsMp5mvjxlfOBmyzPadclY5MS8E9tDbmq941dSrGFhiPk5f40ac7Kkf+aSbTruA8cwlszdGDKl1Vd7Pb32XIyhPBFrZw475bP/vatn48rvY1SqDPrwCzmhV7GaAbew4kIAo4IkAyW3e+STbUvn1ntnPL6KP6u80GSMm26/ckHlyguDRUpKnawWhvTh8+UpjuuYriasnIfFnWYOUzlyua9o/nR45dHW0txf/HZzcXn3PrPEg3WKaolzjdJ2FpvknEs6vMhbr6xlqNcquiTthLBvlvflsUqpDdgqbnk7raoctq3ZtQIdncX9uH9+/vE07h8fn7cM2ELTkquFmRqL9o0Gch1igY/VmU27PyyRC0xEizlIWr0Hu0taHULs1qqiINapMTeg3+E1sdwHLtprIiu3ThOh0ofN58LOVRmzxpwO4D5ih46O2QlLGEbnpx/70WB48jHC4YBFbEjIZiwZnM6wRV01qs+8u9XQUaJYfyc9qrVuxaVQ84TQTjeVn4bg7Ueq+AVaS1o+WwtPR3D0dTL58uHD17+ib99+ONraZQh1mnUE/x/4vDTp6NEe0NJ4MsHAOS7MC5+mhVYpGROXsd0dndZ97tUv1Wf+FkwtU8ZPrBAfNvGbn7OtPtbOdcnZWwZr03wdz9fu5H/gUVVq7faZWr5s8843vxVeB9juKXyPmnvn/jcAAP//Kx+R4w==" } diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 76ef1f0b21e..39739db1479 100644 
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1595,6 +1595,32 @@ var security = (function () { [0x00010000, 'Delete'] ]; + // https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + var accessMaskDescriptions = [ + [0x00000001, 'Create Child'], + [0x00000002, 'Delete Child'], + [0x00000004, 'List Contents'], + [0x00000008, 'SELF'], + [0x00000010, 'Read Property'], + [0x00000020, 'Write Property'], + [0x00000040, 'Delete Treee'], + [0x00000080, 'List Object'], + [0x00000100, 'Control Access'], + [0x00010000, 'DELETE'], + [0x00020000, 'READ_CONTROL'], + [0x00040000, 'WRITE_DAC'], + [0x00080000, 'WRITE_OWNER'], + [0x00100000, 'SYNCHRONIZE'], + [0x00F00000, 'STANDARD_RIGHTS_REQUIRED'], + [0x001F0000, 'STANDARD_RIGHTS_ALL'], + [0x0000FFFF, 'SPECIFIC_RIGHTS_ALL'], + [0x01000000, 'ADS_RIGHT_ACCESS_SYSTEM_SECURITY'], + [0x10000000, 'ADS_RIGHT_GENERIC_ALL'], + [0x20000000, 'ADS_RIGHT_GENERIC_EXECUTE'], + [0x40000000, 'ADS_RIGHT_GENERIC_WRITE'], + [0x80000000, 'ADS_RIGHT_GENERIC_READ'] + ]; + // lookupMessageCode returns the string associated with the code. key should // be the name of the field in evt containing the code (e.g. %%2313). var lookupMessageCode = function (evt, key) { @@ -1844,6 +1870,22 @@ var security = (function () { } }; + var translateAccessMask = function(mask) { + if (!mask) { + return; + } + var accessCode = parseInt(mask); + var accessResult = []; + for (var i = 0; i < accessMaskDescriptions.length; i++) { + if ((accessCode | accessMaskDescriptions[i][0]) === accessCode) { + accessResult.push(accessMaskDescriptions[i][1]); + } + } + if (accessResult) { + return accessResult; + } + }; + var addSessionData = new processor.Chain() .Convert({ fields: [ 
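Review bot: The entry `[0x00F00000, 'STANDARD_RIGHTS_REQUIRED']` in accessMaskDescriptions uses the wrong bit pattern: winnt.h defines STANDARD_RIGHTS_REQUIRED as 0x000F0000 (DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER), whereas 0x00F00000 covers SYNCHRONIZE plus three bits the table does not otherwise name, so the label will be attached to masks that lack the standard rights and missing from masks that carry them. Change it to `[0x000F0000, 'STANDARD_RIGHTS_REQUIRED'],` and fix the typo in `[0x00000040, 'Delete Treee'],` to `'Delete Tree'`. These strings end up in `winlog.event_data.AccessMaskDescription` on object-access events, so any detection content keyed on the description inherits both errors. The labels also mix styles ('Create Child' vs 'DELETE'); one convention would make the field easier to query.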
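Review bot: The subset test `(accessCode | accessMaskDescriptions[i][0]) === accessCode` in translateAccessMask fails for any mask with bit 31 set: `|` produces a signed 32-bit result, so for an accessCode at or above 0x80000000 (which parseInt returns as a positive number) the left side is negative and no entry matches at all, and the 0x80000000 'ADS_RIGHT_GENERIC_READ' row can never match even on its own. Compare unsigned, `if (((accessCode | accessMaskDescriptions[i][0]) >>> 0) === (accessCode >>> 0)) {`, or equivalently `((accessCode & flag) >>> 0) === flag`. The trailing `if (accessResult)` is always true for an array, so the function returns `[]` rather than undefined when nothing matched; either return unconditionally or test `accessResult.length`, and make the caller's contract match. `parseInt(mask)` also relies on a `0x` prefix to pick base 16 — if the event field is always hex, `parseInt(mask, 16)` states that explicitly and a NaN result (non-numeric input) is worth an early return.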
@@ -2389,22 +2431,44 @@ var security = (function () { evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); }) .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { + var accessMask = evt.Get("winlog.event_data.AccessMask"); + if (!accessMask) { return; } - var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; + var accessDescriptions = translateAccessMask(accessMask); + if (!accessDescriptions) { + return; + } + if (accessDescriptions.length > 0) { + evt.Put("winlog.event_data.AccessMaskDescription", accessDescriptions); + } + }) + .Add(function(evt){ + var listNames = ["AccessList", "AccessMask"] + for (var i = 0; i < listNames.length; i++) { + var listContents = evt.Get("winlog.event_data." + listNames[i]) + if (!listContents) { + continue; } - maskResults.push(description); + var listDescription = evt.Get("winlog.event_data." + listNames[i] + "Description") + if (listDescription) { + continue; + } + + var items = listContents.replace(/\s+/g, '').split("%%").filter(String); + evt.Put("winlog.event_data." + listNames[i], items) + var results = []; + for (var j = 0; j < items.length; j++) { + var description = msobjsMessageTable[items[j]]; + if (description === undefined) { + continue; + } + results.push(description); + } + evt.Put("winlog.event_data." + listNames[i] + "Description", results); } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); }) + .Build(); var trustDomainMgmtEvts = new processor.Chain() diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 17a5016f02d..5d06be1566a 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml 
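Review bot: Several added lines in the second .Add stage omit the terminating semicolon — `var listNames = ["AccessList", "AccessMask"]`, `var listContents = evt.Get("winlog.event_data." + listNames[i])`, `var listDescription = evt.Get("winlog.event_data." + listNames[i] + "Description")` and `evt.Put("winlog.event_data." + listNames[i], items)` — while the surrounding chain uses them; relying on ASI here is inconsistent with the file. The two stages also carry an implicit contract worth a comment: the first runs translateAccessMask on the raw AccessMask, and a `%%4416`-style message-code list only reaches the second stage because parseInt returns NaN and nothing matches, e.g. `// numeric masks are decoded above; %%-coded lists fall through to the message table here`. Replacing `return` with `continue` on an unknown code means a list whose codes are all unknown now gets an empty `...Description` array written where the field was previously left unset, which consumers filtering on the field's existence may notice. The enclosing processor chain begins before this hunk.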
@@ -1349,11 +1349,6 @@ logging.files: # file. Defaults to true. # rotateonstartup: true - # Rotated files are either suffixed with a number e.g. winlogbeat.1 when - # renamed during rotation. Or when set to date, the date is added to - # the end of the file. On rotation a new file is created, older files are untouched. - #suffix: count - # ============================= X-Pack Monitoring ============================== # Winlogbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The @@ -1538,6 +1533,10 @@ logging.files: # `http.user`. #http.named_pipe.security_descriptor: +# Defines if the HTTP pprof endpoints are enabled. +# It is recommended that this is only enabled on localhost as these endpoints may leak data. +#http.pprof.enabled: false + # ============================== Process Security ============================== # Enable or disable seccomp system call filtering on Linux. Default is enabled.