Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cherry-pick #23070 to 7.x: [Filebeat] MISP improvements #23100

Merged
merged 1 commit into from
Dec 14, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -514,6 +514,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Migrate microsoft/m365_defender to httpjson v2 config {pull}23018[23018]
- Migrate okta to httpjson v2 config {pull}23059[23059]
andrewstucki marked this conversation as resolved.
Show resolved Hide resolved
- Add support for Snyk Vulnerability and Audit API. {pull}22677[22677]
- Misp improvements: Migration to httpjson v2 config, pagination and deduplication ID {pull}23070[23070]

*Heartbeat*

Expand Down
4 changes: 2 additions & 2 deletions filebeat/docs/modules/misp.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ This is a filebeat module for reading threat intel information from the MISP pla
The configuration in the config.yml file uses the following format:

* var.api_key: specifies the API key to access MISP.
* var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
* var.http_request_body: an object containing any parameter that needs to be sent to the search API. Default: `limit: 1000`
* var.url: URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"

include::../include/gs-link.asciidoc[]

[float]
Expand Down
9 changes: 3 additions & 6 deletions x-pack/filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1340,16 +1340,13 @@ filebeat.modules:
#var.api_key

# Array object in MISP response
#var.json_objects_array
#var.http_request_body.limit: 1000

# URL of the MISP REST API
#var.url

# You can also pass SSL options. For example:
#var.ssl: |-
# {
# verification_mode: none
# }
#var.ssl.verification_mode: none

#------------------------------- Mongodb Module -------------------------------
#- module: mongodb
Expand Down
9 changes: 3 additions & 6 deletions x-pack/filebeat/module/misp/_meta/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,10 @@
#var.api_key

# Array object in MISP response
#var.json_objects_array
#var.http_request_body.limit: 1000

# URL of the MISP REST API
#var.url

# You can also pass SSL options. For example:
#var.ssl: |-
# {
# verification_mode: none
# }
#var.ssl.verification_mode: none
4 changes: 2 additions & 2 deletions x-pack/filebeat/module/misp/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,9 @@ This is a filebeat module for reading threat intel information from the MISP pla
The configuration in the config.yml file uses the following format:

* var.api_key: specifies the API key to access MISP.
* var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
* var.http_request_body: an object containing any parameter that needs to be sent to the search API. Default: `limit: 1000`
* var.url: URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"

include::../include/gs-link.asciidoc[]

[float]
Expand Down
37 changes: 28 additions & 9 deletions x-pack/filebeat/module/misp/threat/config/input.yml
Original file line number Diff line number Diff line change
@@ -1,16 +1,35 @@
{{ if eq .input "httpjson" }}

type: httpjson
api_key: {{ .api_key }}
http_client_timeout: {{ .http_client_timeout }}
http_method: {{ .http_method }}
http_headers: {{ .http_headers }}
http_request_body: {{ .http_request_body }}
config_version: "2"
interval: {{ .interval }}
json_objects_array: {{ .json_objects_array }}
pagination: {{ .pagination }}
url: {{ .url }}
ssl: {{ .ssl }}

request.method: POST
request.ssl: {{ .ssl | tojson }}
request.url: {{ .url }}
request.timeout: {{ .http_client_timeout }}
request.body: {{ .http_request_body | tojson }}
request.body.returnFormat: json
request.transforms:
- set:
target: header.Authorization
value: {{.api_key}}
- set:
target: body.timestamp
value: "[[.cursor.timestamp]]"

response.split:
target: body.response.Attribute

response.request_body_on_pagination: true
response.pagination:
- set:
target: body.page
value: "[[add .last_response.page 1]]"

cursor:
timestamp:
value: "[[.last_event.timestamp]]"

{{ else if eq .input "file" }}

Expand Down
18 changes: 14 additions & 4 deletions x-pack/filebeat/module/misp/threat/config/pipeline.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,19 @@
var threat = (function () {
var processor = require("processor");

var copyToOriginal = function (evt) {
evt.Put("event.original", evt.Get("message"));
};

var decodeJson = new processor.DecodeJSONFields({
fields: ["message"],
target: "json",
});

var setID = function (evt) {
evt.Put("@metadata._id", evt.Get("event.id"));
};

var categorizeEvent = new processor.AddFields({
target: "event",
fields: {
Expand Down Expand Up @@ -73,11 +81,11 @@ var threat = (function () {
break;
case 'btc':
attackPattern = '[' + 'bitcoin:address = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'bitcoin.address: ' + '"' + v + '"';
attackPatternKQL = 'bitcoin.address: ' + '"' + v + '"';
break;
case "domain":
attackPattern = '[' + 'dns:question:name = ' + '\'' + v + '\'' + ' OR url:domain = ' + '\'' + v + '\'' + ' OR source:domain = ' + '\'' + v + '\'' + ' OR destination:domain = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'dns.question.name: ' + '"' + v + '"' + ' OR url.domain: ' + '"' + v + '"' + ' OR source.domain: ' + '"' + v + '"' + ' OR destination.domain: ' + '"' + v + '"';
attackPatternKQL = 'dns.question.name: ' + '"' + v + '"' + ' OR url.domain: ' + '"' + v + '"' + ' OR source.domain: ' + '"' + v + '"' + ' OR destination.domain: ' + '"' + v + '"';
break;
case "domain|ip":
arr = v.split("|");
Expand Down Expand Up @@ -186,7 +194,7 @@ var threat = (function () {
attackPattern = '[' + 'file:hash:sha256 = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'file.hash.sha256: ' + '"' + v + '"';
evt.Put("file.hash.sha256", v);
break;
break;
case "sha512":
attackPattern = '[' + 'file:hash:sha512 = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'file.hash.sha512: ' + '"' + v + '"';
Expand All @@ -200,7 +208,7 @@ var threat = (function () {
case 'yara':
attackPattern = '[' + 'yara:rule = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'yara.rule: ' + '"' + v + '"';
break;
break;
}
if (attackPattern == undefined || attackPatternKQL == undefined) {
evt.Put("error.message", 'Unsupported type: ' + indicator_type);
Expand All @@ -210,10 +218,12 @@ var threat = (function () {
};

var pipeline = new processor.Chain()
.Add(copyToOriginal)
.Add(decodeJson)
.Add(categorizeEvent)
.Add(setThreatFeedField)
.Add(convertFields)
.Add(setID)
.Add(setAttackPattern)
.Add(copyTags)
.Build();
Expand Down
30 changes: 5 additions & 25 deletions x-pack/filebeat/module/misp/threat/manifest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,35 +4,15 @@ var:
- name: input
default: httpjson
- name: api_key
default: ""
- name: http_client_timeout
default: 60
- name: http_method
default: GET
- name: http_headers
default: |-
{}
- name: http_request_body
default: |-
{}
default:
limit: 1000
- name: http_client_timeout
default: "60s"
- name: interval
default: 0
- name: json_objects_array
default: "response.Attribute"
- name: pagination
default: |-
{
"enabled": false,
"extra_body_content": {},
"id_field": "",
"req_field": "",
"url": ""
}
default: "60s"
- name: url
default: ""
- name: ssl
default: |-
{}

input: config/input.yml
ingest_pipeline: ingest/pipeline.json
Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/misp/threat/test/misp-test.json.log
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{"id":"1","event_id":"1","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":false,"uuid":"5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"98.235.162.24","Event":{"org_id":"1","distribution":"3","id":"1","info":"Tor exit nodes feed","orgc_id":"2","uuid":"58dcfe62-ed84-4e5e-b293-4991950d210f"}}
{"id":"2","event_id":"2","object_id":"0","object_relation":null,"category":"Payload delivery","type":"md5","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"89357a1b2e32f2b9bddff94b8136810b","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81"}}
{"id":"3","event_id":"3","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81"}}
{"id":"3","event_id":"3","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b82","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b82"}}
{"id":"4","event_id":"4","object_id":"0","object_relation":null,"category":"Bad Domain","type":"domain","to_ids":true,"uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"4","distribution":"3","id":"4","info":"OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman","orgc_id":"2","uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b"}}
{"Galaxy":[],"ShadowAttribute":[],"Tag":[{"colour":"#eb2323","exportable":true,"hide_tag":false,"id":"966","local":0,"name":"critical-ioc-quarantine","numerical_value":null,"user_id":"1"}],"category":"Network activity","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"693","first_seen":null,"id":"170814","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1602078120","to_ids":false,"type":"url","uuid":"83078f8c-3d38-4fec-87a1-8be22a0be0a6","value":"endgame.hungmnguyen.us"}
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
"event.id": "5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26",
"event.kind": "event",
"event.module": "misp",
"event.original": "{\"id\":\"1\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-dst\",\"to_ids\":false,\"uuid\":\"5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26\",\"timestamp\":\"1490878466\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"value\":\"98.235.162.24\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"Tor exit nodes feed\",\"orgc_id\":\"2\",\"uuid\":\"58dcfe62-ed84-4e5e-b293-4991950d210f\"}}",
"event.type": "indicator",
"fileset.name": "threat",
"input.type": "log",
Expand All @@ -39,6 +40,7 @@
"event.id": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"event.kind": "event",
"event.module": "misp",
"event.original": "{\"id\":\"2\",\"event_id\":\"2\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Payload delivery\",\"type\":\"md5\",\"to_ids\":true,\"uuid\":\"5d159be2-d4b4-4d97-9e14-406a02de0b81\",\"timestamp\":\"1490878466\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"value\":\"89357a1b2e32f2b9bddff94b8136810b\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass\",\"orgc_id\":\"2\",\"uuid\":\"5d159be2-d4b4-4d97-9e14-406a02de0b81\"}}",
"event.type": "indicator",
"file.hash.md5": "89357a1b2e32f2b9bddff94b8136810b",
"fileset.name": "threat",
Expand All @@ -61,9 +63,10 @@
"@timestamp": "2017-03-30T12:54:26.000Z",
"event.category": "threat-intel",
"event.dataset": "misp.threat",
"event.id": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"event.id": "5d159be2-d4b4-4d97-9e14-406a02de0b82",
"event.kind": "event",
"event.module": "misp",
"event.original": "{\"id\":\"3\",\"event_id\":\"3\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Payload delivery\",\"type\":\"filename\",\"to_ids\":true,\"uuid\":\"5d159be2-d4b4-4d97-9e14-406a02de0b82\",\"timestamp\":\"1490878466\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"value\":\"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass\",\"orgc_id\":\"2\",\"uuid\":\"5d159be2-d4b4-4d97-9e14-406a02de0b82\"}}",
"event.type": "indicator",
"file.path": "f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de",
"fileset.name": "threat",
Expand All @@ -74,12 +77,12 @@
"misp.threat_indicator.attack_pattern_kql": "file.path: \"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\"",
"misp.threat_indicator.description": "OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass",
"misp.threat_indicator.feed": "misp",
"misp.threat_indicator.id": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"misp.threat_indicator.id": "5d159be2-d4b4-4d97-9e14-406a02de0b82",
"misp.threat_indicator.type": "filename",
"rule.category": "Payload delivery",
"rule.description": "OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass",
"rule.id": "1",
"rule.uuid": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"rule.uuid": "5d159be2-d4b4-4d97-9e14-406a02de0b82",
"service.type": "misp"
},
{
Expand All @@ -89,6 +92,7 @@
"event.id": "563b3ea6-b26c-401f-a68b-4d84950d210b",
"event.kind": "event",
"event.module": "misp",
"event.original": "{\"id\":\"4\",\"event_id\":\"4\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Bad Domain\",\"type\":\"domain\",\"to_ids\":true,\"uuid\":\"563b3ea6-b26c-401f-a68b-4d84950d210b\",\"timestamp\":\"1490878466\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"value\":\"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\",\"Event\":{\"org_id\":\"4\",\"distribution\":\"3\",\"id\":\"4\",\"info\":\"OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman\",\"orgc_id\":\"2\",\"uuid\":\"563b3ea6-b26c-401f-a68b-4d84950d210b\"}}",
"event.type": "indicator",
"fileset.name": "threat",
"input.type": "log",
Expand All @@ -113,6 +117,7 @@
"event.id": "83078f8c-3d38-4fec-87a1-8be22a0be0a6",
"event.kind": "event",
"event.module": "misp",
"event.original": "{\"Galaxy\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#eb2323\",\"exportable\":true,\"hide_tag\":false,\"id\":\"966\",\"local\":0,\"name\":\"critical-ioc-quarantine\",\"numerical_value\":null,\"user_id\":\"1\"}],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"693\",\"first_seen\":null,\"id\":\"170814\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1602078120\",\"to_ids\":false,\"type\":\"url\",\"uuid\":\"83078f8c-3d38-4fec-87a1-8be22a0be0a6\",\"value\":\"endgame.hungmnguyen.us\"}",
"event.type": "indicator",
"fileset.name": "threat",
"input.type": "log",
Expand Down
9 changes: 3 additions & 6 deletions x-pack/filebeat/modules.d/misp.yml.disabled
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,10 @@
#var.api_key

# Array object in MISP response
#var.json_objects_array
#var.http_request_body.limit: 1000

# URL of the MISP REST API
#var.url

# You can also pass SSL options. For example:
#var.ssl: |-
# {
# verification_mode: none
# }
#var.ssl.verification_mode: none