Threat Intel Module | Support for MISP attributes #26008
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Have the same issue, would love to see that implemented!
This is high priority for us. Are there any workarounds with the Ingest Node pipeline to bring in the MISP events that use the objects?
Did another dive into this issue today, and there is a few things to note. However in these cases, it can have both attributes and object attributes. At first I fixed the pipeline to simply make sure that objects are also included in the document, but then we end up with an array of attributes/indicators in a single document, which won't work when we map it to ECS. Instead we are working now on some small additions to the httpjson input, so we can easily do multiple splits, resulting in one document per attribute and per object attribute, which should resolve this issue.
That's great Marius. Happy to test anything that is available 😊
Will let you know @nicpenning ! The PR to update httpjson will most likely be linked to this in some way :)
Excellent!
…ion operations It is possible for an empty Event.Attribute list to be passed in. In this case the File/Hash indicator processing will attempt to examine null type fields in attribute. This guards against that. Updates elastic#26008
…tinue past empty targets This adds a configuration option "ignore_error" that allows a split processor chain to continue if a target field is present but empty. Updates elastic#26008
…tinue past empty targets (#27880) (#27914) This adds a configuration option "ignore_empty_value" that allows a split processor chain to continue if a target field is missing or empty. Updates #26008 (cherry picked from commit 2036ad8) Co-authored-by: Dan Kortschak <[email protected]> Co-authored-by: Dan Kortschak <[email protected]>
Support has been added, so this can now be closed.
…tinue past empty targets (elastic#27880) This adds a configuration option "ignore_empty_value" that allows a split processor chain to continue if a target field is missing or empty. Updates elastic#26008
MISP has a hierarchy of ‘Events’, ‘attributes’ and ‘objects’ and threat intel can be represented in MISP in a number of ways.
Use case 1
An event can be created which contains an attribute or multiple attributes. Filebeat ThreatIntel correctly processes event/attribute relationships for 1 to n attributes and stores the type/values in an index.
Event: 1234
  attribute type: MD5
  attribute value: e16ddaf4f91df524c28bf4f2e4b1ac09
Use case 2
An event can also be created which contains attributes and objects also containing attributes. Filebeat ThreatIntel correctly processes event/attribute relationships for 1 to n attributes, however any event/object/attributes fail to store in an index. In the example text ‘Malicious executable file’ would be included but none of the file:object attributes would be processed.
Event: 4321
  attribute type: text
  attribute value: Malicious executable file
  object: file
    attribute type: filename
    attribute value: badexe.exe
    attribute type: size-in-bytes
    attribute value: 46382
    attribute type: md5
    attribute value: e16ddaf4f91df524b27bf4f2e4b1ac09
    attribute type: sha1
    attribute value: 988eb4980904d42862f7dc9d4eed52469312ac20
    attribute type: sha256
    attribute value: 986051385feae5b9850804db2d701c0b029ad24f09bce340c12aee7a5c8a0391
Please see attached sample MISP events:
misp.sample.events_json.txt
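The fix discussed in the thread is a two-level split (one document per top-level attribute and per object attribute) that keeps going when Event.Attribute is empty. The following added example, which is not Filebeat or MISP code, reproduces that flattening in plain Python over a constructed MISP-shaped response; the event ids, attribute types and hash values are taken from the use cases above, and the output field names (event_id, object, type, value) are an assumption for illustration rather than the module's ECS mapping.

```python
import json

# Constructed sample in the shape of a MISP /events/restSearch response.
# Values are copied from the issue's use case 2; the second event has an
# empty Event.Attribute list, the case that stopped the original pipeline.
SAMPLE_MISP_RESPONSE = json.dumps({
    "response": [
        {"Event": {"id": "4321", "info": "Malicious executable file",
                   "Attribute": [{"type": "text", "value": "Malicious executable file"}],
                   "Object": [{"name": "file", "Attribute": [
                       {"type": "filename", "value": "badexe.exe"},
                       {"type": "size-in-bytes", "value": "46382"},
                       {"type": "md5", "value": "e16ddaf4f91df524b27bf4f2e4b1ac09"},
                   ]}]}},
        {"Event": {"id": "4322", "info": "objects only", "Attribute": [],
                   "Object": [{"name": "file", "Attribute": [
                       {"type": "sha1", "value": "988eb4980904d42862f7dc9d4eed52469312ac20"},
                       {"type": None, "value": None},  # malformed: must be skipped, not crash
                   ]}]}},
    ]
})


def split_misp_events(raw_json):
    """Return one flat dict per attribute, whether top-level or nested in an object.

    Equivalent to a split on Event.Attribute followed by a split on
    Event.Object[].Attribute with ignore_empty_value semantics: an empty or
    missing list yields nothing and processing continues with the objects.
    """
    docs = []
    for wrapper in json.loads(raw_json).get("response", []):
        event = wrapper.get("Event") or {}
        base = {"event_id": event.get("id"), "event_info": event.get("info")}
        # Top-level attributes (object=None marks them as not object-scoped).
        for attr in event.get("Attribute") or []:
            _append(docs, base, None, attr)
        # Object attributes, tagged with the MISP object name (e.g. "file").
        for obj in event.get("Object") or []:
            for attr in obj.get("Attribute") or []:
                _append(docs, base, obj.get("name"), attr)
    return docs


def _append(docs, base, object_name, attr):
    # Guard against null type/value fields, the failure noted in the linked commit.
    if not attr.get("type") or attr.get("value") is None:
        return
    docs.append({**base, "object": object_name,
                 "type": attr["type"], "value": attr["value"]})
```

Running split_misp_events(SAMPLE_MISP_RESPONSE) yields five documents: four for event 4321 (one text attribute plus three file-object attributes) and one for event 4322, whose empty attribute list no longer blocks its object attributes.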