diff --git a/.mergify.yml b/.mergify.yml index c438000f4158..8ab1e9b9363c 100644 --- a/.mergify.yml +++ b/.mergify.yml @@ -105,6 +105,8 @@ pull_request_rules: conditions: - -label~=^backport - base=master + - -merged + - -closed actions: comment: message: | @@ -120,6 +122,8 @@ pull_request_rules: - name: remove-backport label conditions: - label~=backport-v + - -merged + - -closed actions: label: remove: diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index d64d8f15ff12..6bb189ee3016 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -62,6 +62,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - All modules: Replace usages of deprecated ECS fields `process.ppid` and `log.original` with `process.parent.pid` and `event.original`. {pull}28620[28620] - Replace usages of `host.user.*` fields with `user.*` in `cisco`, `microsoft` and `oracle` modules. {pull}28620[28620] - Remove `docker` input. Please use `filestream` input with `container` parser or `container` input. {pull}28817[28817] +- Change `threatintel` module to use new `threat.*` ECS fields. {pull}29014[29014] *Heartbeat* @@ -138,6 +139,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Periodic metrics in logs will now report `libbeat.output.events.active` and `beat.memstats.rss` - Allows disable pod events enrichment with deployment name {pull}28521[28521] - Fix `fingerprint` processor to give it access to the `@timestamp` field. {issue}28683[28683] +- Fix the wrong beat name on monitoring and state endpoint {issue}27755[27755] *Auditbeat* @@ -180,7 +182,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Relax time parsing and capture group and session type in Cisco ASA module {issue}24710[24710] {pull}28325[28325] - Correctly track bytes read when max_bytes is exceeded. {issue}28317[28317] {pull}28352[28352] - Upgrade azure-eventhub sdk reference, contains potential checkpoint fixes. {pull}28919[28919] +- Revert usageDetails api version to 2019-01-01. {pull}28995[28995] - Fix in `aws-s3` input regarding provider discovery through endpoint {pull}28963[28963] +- Fix `threatintel.misp` filters configuration. {issue}27970[27970] *Heartbeat* @@ -236,6 +240,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191] - Add ECS 1.9 new users fields {pull}26509[26509] +- Don't split hyphenated tokens {pull}28483[28483] *Functionbeat* @@ -333,6 +338,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for '/var/log/pods/' path for add_kubernetes_metadata processor with `resource_type: pod`. {pull}28868[28868] - Add documentation for add_kubernetes_metadata processors `log_path` matcher. {pull}28868[28868] - Add support in aws-s3 input for s3 notification from SNS to SQS. {pull}28800[28800] +- Add support in aws-s3 input for custom script parsing of s3 notifications. {pull}28946[28946] +- Improve error handling in aws-s3 input for malformed s3 notifications. {issue}28828[28828] {pull}28946[28946] *Heartbeat* @@ -357,6 +364,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added a new beta `enterprisesearch` module for Elastic Enterprise Search {pull}27549[27549] - Preliminary AIX support {pull}27954[27954] - Register additional name for `storage` metricset in the azure module. {pull}28447[28447] +- Update reference to gosigar pacakge for filesystem windows fix. {pull}28909[28909] *Packetbeat* diff --git a/NOTICE.txt b/NOTICE.txt index 0d69370c101a..d5599add95ee 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -863,15 +863,15 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs -------------------------------------------------------------------------------- Dependency : github.com/Azure/azure-sdk-for-go -Version: v57.0.0+incompatible +Version: v59.0.0+incompatible Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v57.0.0+incompatible/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v59.0.0+incompatible/LICENSE.txt: The MIT License (MIT) -Copyright (c) 2021 Microsoft +Copyright (c) Microsoft Corporation. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -891,6 +891,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + -------------------------------------------------------------------------------- Dependency : github.com/Azure/azure-storage-blob-go Version: v0.8.0 @@ -8276,11 +8277,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-windows@v1.0 -------------------------------------------------------------------------------- Dependency : github.com/elastic/gosigar -Version: v0.14.1 +Version: v0.14.2 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.1/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.14.2/LICENSE: Apache License Version 2.0, January 2004 diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d89839516fec..34b05a0fd246 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -150641,385 +150641,8 @@ Threat intelligence Filebeat Module. -[float] -=== threatintel - -Fields from the threatintel Filebeat module. - - - -*`threatintel.indicator.first_seen`*:: -+ --- -The date and time when intelligence source first reported sighting this indicator. - - -type: date - --- - -*`threatintel.indicator.last_seen`*:: -+ --- -The date and time when intelligence source last reported sighting this indicator. - - -type: date - --- - -*`threatintel.indicator.sightings`*:: -+ --- -Number of times this indicator was observed conducting threat activity. - - -type: long - --- - -*`threatintel.indicator.type`*:: -+ --- -Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - -type: keyword - --- - -*`threatintel.indicator.description`*:: -+ --- -Describes the type of action conducted by the threat. - - -type: keyword - --- - -*`threatintel.indicator.scanner_stats`*:: -+ --- -Count of AV/EDR vendors that successfully detected malicious file or URL. - - -type: long - --- - -*`threatintel.indicator.provider`*:: -+ --- -Identifies the name of the intelligence provider. - - -type: keyword - --- - -*`threatintel.indicator.confidence`*:: -+ --- -Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - -type: keyword - --- - -*`threatintel.indicator.module`*:: -+ --- -Identifies the name of specific module this data is coming from. - - -type: keyword - --- - -*`threatintel.indicator.dataset`*:: -+ --- -Identifies the name of specific dataset from the intelligence source. - - -type: keyword - --- - -*`threatintel.indicator.reference`*:: -+ --- -Reference URL linking to additional information about this indicator. - - -type: keyword - --- - -*`threatintel.indicator.ip`*:: -+ --- -Identifies a threat indicator as an IP address (irrespective of direction). - - -type: ip - --- - -*`threatintel.indicator.port`*:: -+ --- -Identifies a threat indicator as a port number (irrespective of direction). - - -type: long - --- - -*`threatintel.indicator.email.address`*:: -+ --- -Identifies a threat indicator as an email address (irrespective of direction). - - -type: keyword - --- - -*`threatintel.indicator.marking.tlp`*:: -+ --- -Traffic Light Protocol sharing markings. Expected values are: - * White - * Green - * Amber - * Red - - -type: keyword - --- - - -*`threatintel.indicator.matched.atomic`*:: -+ --- -Identifies the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - -*`threatintel.indicator.matched.field`*:: -+ --- -Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - -*`threatintel.indicator.matched.type`*:: -+ --- -Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - - -*`threatintel.indicator.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`threatintel.indicator.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`threatintel.indicator.as.organization.name.text`*:: -+ --- -type: text - --- - - -*`threatintel.indicator.registry.data.strings`*:: -+ --- -Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`threatintel.indicator.registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`threatintel.indicator.registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -*`threatintel.indicator.registry.key`*:: -+ --- -Registry key value - -type: keyword - --- - - -*`threatintel.indicator.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`threatintel.indicator.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`threatintel.indicator.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`threatintel.indicator.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`threatintel.indicator.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`threatintel.indicator.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`threatintel.indicator.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`threatintel.indicator.file.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - - -*`threatintel.indicator.file.hash.tlsh`*:: +*`threat.indicator.file.hash.tlsh`*:: + -- The file's import tlsh, if available. @@ -151029,47 +150652,7 @@ type: keyword -- -*`threatintel.indicator.file.hash.ssdeep`*:: -+ --- -The file's ssdeep hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.md5`*:: -+ --- -The file's md5 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha1`*:: -+ --- -The file's sha1 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha256`*:: -+ --- -The file's sha256 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha384`*:: +*`threat.indicator.file.hash.sha384`*:: + -- The file's sha384 hash, if available. @@ -151079,272 +150662,28 @@ type: keyword -- -*`threatintel.indicator.file.hash.sha512`*:: -+ --- -The file's sha512 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.type`*:: -+ --- -The file type. - - -type: keyword - --- - -*`threatintel.indicator.file.size`*:: -+ --- -The file's total size. - - -type: long - --- - -*`threatintel.indicator.file.name`*:: -+ --- -The file's name. - - -type: keyword - --- - -*`threatintel.indicator.file.extension`*:: -+ --- -The file's extension. - - -type: keyword - --- - -*`threatintel.indicator.file.mime_type`*:: -+ --- -The file's MIME type. - - -type: keyword - --- - - -*`threatintel.indicator.url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". - - -type: keyword - --- - -*`threatintel.indicator.url.extension`*:: -+ --- -The field contains the file extension from the original request - - -type: keyword - --- - -*`threatintel.indicator.url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". - - -type: keyword - --- - -*`threatintel.indicator.url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - - -type: keyword - --- - -*`threatintel.indicator.url.original`*:: -+ --- -Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. - - -type: keyword - --- - -*`threatintel.indicator.url.password`*:: -+ --- -Password of the request. - - -type: keyword - --- - -*`threatintel.indicator.url.path`*:: -+ --- -Path of the request, such as "/search". - - -type: keyword - --- - -*`threatintel.indicator.url.port`*:: -+ --- -Port of the request, such as 443. - - -type: long - -format: string - --- - -*`threatintel.indicator.url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - - -type: keyword - --- - -*`threatintel.indicator.url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - - -type: keyword - --- - -*`threatintel.indicator.url.scheme`*:: -+ --- -Scheme of the request, such as "https". - - -type: keyword - --- - -*`threatintel.indicator.url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - - -type: keyword - --- - -*`threatintel.indicator.url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - - -type: keyword - --- - -*`threatintel.indicator.url.username`*:: -+ --- -Username of the request. - - -type: keyword - --- - - -*`threatintel.indicator.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`threatintel.indicator.x509.issuer`*:: -+ --- -Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`threatintel.indicator.x509.subject`*:: -+ --- -Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`threatintel.indicator.x509.alternative_names`*:: +*`threat.feed.name`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - type: keyword -example: *.elastic.co - -- -*`threatintel.indicator.signature`*:: +*`threat.feed.dashboard_id`*:: + -- -Malware family of sample (if available). - - type: keyword -- [float] -=== abusemalware +=== abusech.malware Fields for AbuseCH Malware Threat Intel -*`threatintel.abusemalware.file_type`*:: +*`abusech.malware.file_type`*:: + -- File type guessed by URLhaus. @@ -151354,7 +150693,7 @@ type: keyword -- -*`threatintel.abusemalware.signature`*:: +*`abusech.malware.signature`*:: + -- Malware familiy. @@ -151364,7 +150703,7 @@ type: keyword -- -*`threatintel.abusemalware.urlhaus_download`*:: +*`abusech.malware.urlhaus_download`*:: + -- Location (URL) where you can download a copy of this file. @@ -151374,7 +150713,7 @@ type: keyword -- -*`threatintel.abusemalware.virustotal.result`*:: +*`abusech.malware.virustotal.result`*:: + -- AV detection ration. @@ -151384,7 +150723,7 @@ type: keyword -- -*`threatintel.abusemalware.virustotal.percent`*:: +*`abusech.malware.virustotal.percent`*:: + -- AV detection in percent. @@ -151394,7 +150733,7 @@ type: float -- -*`threatintel.abusemalware.virustotal.link`*:: +*`abusech.malware.virustotal.link`*:: + -- Link to the Virustotal report. @@ -151405,13 +150744,13 @@ type: keyword -- [float] -=== abuseurl +=== abusech.url Fields for AbuseCH Malware Threat Intel -*`threatintel.abuseurl.id`*:: +*`abusech.url.id`*:: + -- The ID of the url. @@ -151421,7 +150760,7 @@ type: keyword -- -*`threatintel.abuseurl.urlhaus_reference`*:: +*`abusech.url.urlhaus_reference`*:: + -- Link to URLhaus entry. @@ -151431,7 +150770,7 @@ type: keyword -- -*`threatintel.abuseurl.url_status`*:: +*`abusech.url.url_status`*:: + -- The current status of the URL. Possible values are: online, offline and unknown. @@ -151441,7 +150780,7 @@ type: keyword -- -*`threatintel.abuseurl.threat`*:: +*`abusech.url.threat`*:: + -- The threat corresponding to this malware URL. @@ -151451,7 +150790,7 @@ type: keyword -- -*`threatintel.abuseurl.blacklists.surbl`*:: +*`abusech.url.blacklists.surbl`*:: + -- SURBL blacklist status. Possible values are: listed and not_listed @@ -151461,7 +150800,7 @@ type: keyword -- -*`threatintel.abuseurl.blacklists.spamhaus_dbl`*:: +*`abusech.url.blacklists.spamhaus_dbl`*:: + -- Spamhaus DBL blacklist status. @@ -151471,7 +150810,7 @@ type: keyword -- -*`threatintel.abuseurl.reporter`*:: +*`abusech.url.reporter`*:: + -- The Twitter handle of the reporter that has reported this malware URL (or anonymous). @@ -151481,7 +150820,7 @@ type: keyword -- -*`threatintel.abuseurl.larted`*:: +*`abusech.url.larted`*:: + -- Indicates whether the malware URL has been reported to the hosting provider (true or false) @@ -151491,7 +150830,7 @@ type: boolean -- -*`threatintel.abuseurl.tags`*:: +*`abusech.url.tags`*:: + -- A list of tags associated with the queried malware URL @@ -151502,13 +150841,13 @@ type: keyword -- [float] -=== anomali +=== anomali.limo Fields for Anomali Threat Intel -*`threatintel.anomali.id`*:: +*`anomali.limo.id`*:: + -- The ID of the indicator. @@ -151518,7 +150857,7 @@ type: keyword -- -*`threatintel.anomali.name`*:: +*`anomali.limo.name`*:: + -- The name of the indicator. @@ -151528,7 +150867,7 @@ type: keyword -- -*`threatintel.anomali.pattern`*:: +*`anomali.limo.pattern`*:: + -- The pattern ID of the indicator. @@ -151538,7 +150877,7 @@ type: keyword -- -*`threatintel.anomali.valid_from`*:: +*`anomali.limo.valid_from`*:: + -- When the indicator was first found or is considered valid. @@ -151548,7 +150887,7 @@ type: date -- -*`threatintel.anomali.modified`*:: +*`anomali.limo.modified`*:: + -- When the indicator was last modified @@ -151558,7 +150897,7 @@ type: date -- -*`threatintel.anomali.labels`*:: +*`anomali.limo.labels`*:: + -- The labels related to the indicator @@ -151568,7 +150907,7 @@ type: keyword -- -*`threatintel.anomali.indicator`*:: +*`anomali.limo.indicator`*:: + -- The value of the indicator, for example if the type is domain, this would be the value. @@ -151578,7 +150917,7 @@ type: keyword -- -*`threatintel.anomali.description`*:: +*`anomali.limo.description`*:: + -- A description of the indicator. @@ -151588,7 +150927,7 @@ type: keyword -- -*`threatintel.anomali.title`*:: +*`anomali.limo.title`*:: + -- Title describing the indicator. @@ -151598,7 +150937,7 @@ type: keyword -- -*`threatintel.anomali.content`*:: +*`anomali.limo.content`*:: + -- Extra text or descriptive content related to the indicator. @@ -151608,7 +150947,7 @@ type: keyword -- -*`threatintel.anomali.type`*:: +*`anomali.limo.type`*:: + -- The indicator type, can for example be "domain, email, FileHash-SHA256". @@ -151618,7 +150957,7 @@ type: keyword -- -*`threatintel.anomali.object_marking_refs`*:: +*`anomali.limo.object_marking_refs`*:: + -- The STIX reference object. @@ -151629,13 +150968,13 @@ type: keyword -- [float] -=== anomalithreatstream +=== anomali.threatstream Fields for Anomali ThreatStream -*`threatintel.anomalithreatstream.classification`*:: +*`anomali.threatstream.classification`*:: + -- Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. @@ -151647,7 +150986,7 @@ example: private -- -*`threatintel.anomalithreatstream.confidence`*:: +*`anomali.threatstream.confidence`*:: + -- The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. @@ -151657,7 +150996,7 @@ type: short -- -*`threatintel.anomalithreatstream.detail2`*:: +*`anomali.threatstream.detail2`*:: + -- Detail text for indicator. @@ -151669,7 +151008,7 @@ example: Imported by user 42. -- -*`threatintel.anomalithreatstream.id`*:: +*`anomali.threatstream.id`*:: + -- The ID of the indicator. @@ -151679,7 +151018,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.import_session_id`*:: +*`anomali.threatstream.import_session_id`*:: + -- ID of the import session that created the indicator on ThreatStream. @@ -151689,7 +151028,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.itype`*:: +*`anomali.threatstream.itype`*:: + -- Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". @@ -151699,7 +151038,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.maltype`*:: +*`anomali.threatstream.maltype`*:: + -- Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. @@ -151709,7 +151048,7 @@ type: wildcard -- -*`threatintel.anomalithreatstream.md5`*:: +*`anomali.threatstream.md5`*:: + -- Hash for the indicator. @@ -151719,7 +151058,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.resource_uri`*:: +*`anomali.threatstream.resource_uri`*:: + -- Relative URI for the indicator details. @@ -151729,7 +151068,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.severity`*:: +*`anomali.threatstream.severity`*:: + -- Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. @@ -151739,7 +151078,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.source`*:: +*`anomali.threatstream.source`*:: + -- Source for the indicator. @@ -151751,7 +151090,7 @@ example: Analyst -- -*`threatintel.anomalithreatstream.source_feed_id`*:: +*`anomali.threatstream.source_feed_id`*:: + -- ID for the integrator source. @@ -151761,7 +151100,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.state`*:: +*`anomali.threatstream.state`*:: + -- State for this indicator. @@ -151773,7 +151112,7 @@ example: active -- -*`threatintel.anomalithreatstream.trusted_circle_ids`*:: +*`anomali.threatstream.trusted_circle_ids`*:: + -- ID of the trusted circle that imported the indicator. @@ -151783,7 +151122,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.update_id`*:: +*`anomali.threatstream.update_id`*:: + -- Update ID. @@ -151793,7 +151132,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.url`*:: +*`anomali.threatstream.url`*:: + -- URL for the indicator. @@ -151803,7 +151142,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.value_type`*:: +*`anomali.threatstream.value_type`*:: + -- Data type of the indicator. Possible values: ip, domain, url, email, md5. @@ -151814,13 +151153,13 @@ type: keyword -- [float] -=== malwarebazaar +=== abusech.malwarebazaar Fields for Malware Bazaar Threat Intel -*`threatintel.malwarebazaar.file_type`*:: +*`abusech.malwarebazaar.file_type`*:: + -- File type guessed by Malware Bazaar. @@ -151830,7 +151169,7 @@ type: keyword -- -*`threatintel.malwarebazaar.signature`*:: +*`abusech.malwarebazaar.signature`*:: + -- Malware familiy. @@ -151840,7 +151179,7 @@ type: keyword -- -*`threatintel.malwarebazaar.tags`*:: +*`abusech.malwarebazaar.tags`*:: + -- A list of tags associated with the queried malware sample. @@ -151851,7 +151190,7 @@ type: keyword -- -*`threatintel.malwarebazaar.intelligence.downloads`*:: +*`abusech.malwarebazaar.intelligence.downloads`*:: + -- Number of downloads from MalwareBazaar. @@ -151861,7 +151200,7 @@ type: long -- -*`threatintel.malwarebazaar.intelligence.uploads`*:: +*`abusech.malwarebazaar.intelligence.uploads`*:: + -- Number of uploads from MalwareBazaar. @@ -151872,7 +151211,7 @@ type: long -- -*`threatintel.malwarebazaar.intelligence.mail.Generic`*:: +*`abusech.malwarebazaar.intelligence.mail.Generic`*:: + -- Malware seen in generic spam traffic. @@ -151882,7 +151221,7 @@ type: keyword -- -*`threatintel.malwarebazaar.intelligence.mail.IT`*:: +*`abusech.malwarebazaar.intelligence.mail.IT`*:: + -- Malware seen in IT spam traffic. @@ -151892,7 +151231,7 @@ type: keyword -- -*`threatintel.malwarebazaar.anonymous`*:: +*`abusech.malwarebazaar.anonymous`*:: + -- Identifies if the sample was submitted anonymously. @@ -151902,7 +151241,7 @@ type: long -- -*`threatintel.malwarebazaar.code_sign`*:: +*`abusech.malwarebazaar.code_sign`*:: + -- Code signing information for the sample. @@ -151919,7 +151258,7 @@ Fields for MISP Threat Intel -*`threatintel.misp.id`*:: +*`misp.id`*:: + -- Attribute ID. @@ -151929,7 +151268,7 @@ type: keyword -- -*`threatintel.misp.orgc_id`*:: +*`misp.orgc_id`*:: + -- Organization Community ID of the event. @@ -151939,7 +151278,7 @@ type: keyword -- -*`threatintel.misp.org_id`*:: +*`misp.org_id`*:: + -- Organization ID of the event. @@ -151949,7 +151288,7 @@ type: keyword -- -*`threatintel.misp.threat_level_id`*:: +*`misp.threat_level_id`*:: + -- Threat level from 5 to 1, where 1 is the most critical. @@ -151959,7 +151298,7 @@ type: long -- -*`threatintel.misp.info`*:: +*`misp.info`*:: + -- Additional text or information related to the event. @@ -151969,7 +151308,7 @@ type: keyword -- -*`threatintel.misp.published`*:: +*`misp.published`*:: + -- When the event was published. @@ -151979,7 +151318,7 @@ type: boolean -- -*`threatintel.misp.uuid`*:: +*`misp.uuid`*:: + -- The UUID of the event object. @@ -151989,7 +151328,7 @@ type: keyword -- -*`threatintel.misp.date`*:: +*`misp.date`*:: + -- The date of when the event object was created. @@ -151999,7 +151338,7 @@ type: date -- -*`threatintel.misp.attribute_count`*:: +*`misp.attribute_count`*:: + -- How many attributes are included in a single event object. @@ -152009,7 +151348,7 @@ type: long -- -*`threatintel.misp.timestamp`*:: +*`misp.timestamp`*:: + -- The timestamp of when the event object was created. @@ -152019,7 +151358,7 @@ type: date -- -*`threatintel.misp.distribution`*:: +*`misp.distribution`*:: + -- Distribution type related to MISP. @@ -152029,7 +151368,7 @@ type: keyword -- -*`threatintel.misp.proposal_email_lock`*:: +*`misp.proposal_email_lock`*:: + -- Settings configured on MISP for email lock on this event object. @@ -152039,7 +151378,7 @@ type: boolean -- -*`threatintel.misp.locked`*:: +*`misp.locked`*:: + -- If the current MISP event object is locked or not. @@ -152049,7 +151388,7 @@ type: boolean -- -*`threatintel.misp.publish_timestamp`*:: +*`misp.publish_timestamp`*:: + -- At what time the event object was published @@ -152059,7 +151398,7 @@ type: date -- -*`threatintel.misp.sharing_group_id`*:: +*`misp.sharing_group_id`*:: + -- The ID of the grouped events or sources of the event. @@ -152069,7 +151408,7 @@ type: keyword -- -*`threatintel.misp.disable_correlation`*:: +*`misp.disable_correlation`*:: + -- If correlation is disabled on the MISP event object. @@ -152079,7 +151418,7 @@ type: boolean -- -*`threatintel.misp.extends_uuid`*:: +*`misp.extends_uuid`*:: + -- The UUID of the event object it might extend. @@ -152089,7 +151428,7 @@ type: keyword -- -*`threatintel.misp.org.id`*:: +*`misp.org.id`*:: + -- The organization ID related to the event object. @@ -152099,7 +151438,7 @@ type: keyword -- -*`threatintel.misp.org.name`*:: +*`misp.org.name`*:: + -- The organization name related to the event object. @@ -152109,7 +151448,7 @@ type: keyword -- -*`threatintel.misp.org.uuid`*:: +*`misp.org.uuid`*:: + -- The UUID of the organization related to the event object. @@ -152119,7 +151458,7 @@ type: keyword -- -*`threatintel.misp.org.local`*:: +*`misp.org.local`*:: + -- If the event object is local or from a remote source. @@ -152129,7 +151468,7 @@ type: boolean -- -*`threatintel.misp.orgc.id`*:: +*`misp.orgc.id`*:: + -- The Organization Community ID in which the event object was reported from. @@ -152139,7 +151478,7 @@ type: keyword -- -*`threatintel.misp.orgc.name`*:: +*`misp.orgc.name`*:: + -- The Organization Community name in which the event object was reported from. @@ -152149,7 +151488,7 @@ type: keyword -- -*`threatintel.misp.orgc.uuid`*:: +*`misp.orgc.uuid`*:: + -- The Organization Community UUID in which the event object was reported from. @@ -152159,7 +151498,7 @@ type: keyword -- -*`threatintel.misp.orgc.local`*:: +*`misp.orgc.local`*:: + -- If the Organization Community was local or synced from a remote source. @@ -152169,7 +151508,7 @@ type: boolean -- -*`threatintel.misp.attribute.id`*:: +*`misp.attribute.id`*:: + -- The ID of the attribute related to the event object. @@ -152179,7 +151518,7 @@ type: keyword -- -*`threatintel.misp.attribute.type`*:: +*`misp.attribute.type`*:: + -- The type of the attribute related to the event object. For example email, ipv4, sha1 and such. @@ -152189,7 +151528,7 @@ type: keyword -- -*`threatintel.misp.attribute.category`*:: +*`misp.attribute.category`*:: + -- The category of the attribute related to the event object. For example "Network Activity". @@ -152199,7 +151538,7 @@ type: keyword -- -*`threatintel.misp.attribute.to_ids`*:: +*`misp.attribute.to_ids`*:: + -- If the attribute should be automatically synced with an IDS. @@ -152209,7 +151548,7 @@ type: boolean -- -*`threatintel.misp.attribute.uuid`*:: +*`misp.attribute.uuid`*:: + -- The UUID of the attribute related to the event. @@ -152219,7 +151558,7 @@ type: keyword -- -*`threatintel.misp.attribute.event_id`*:: +*`misp.attribute.event_id`*:: + -- The local event ID of the attribute related to the event. @@ -152229,7 +151568,7 @@ type: keyword -- -*`threatintel.misp.attribute.distribution`*:: +*`misp.attribute.distribution`*:: + -- How the attribute has been distributed, represented by integer numbers. @@ -152239,7 +151578,7 @@ type: long -- -*`threatintel.misp.attribute.timestamp`*:: +*`misp.attribute.timestamp`*:: + -- The timestamp in which the attribute was attached to the event object. @@ -152249,7 +151588,7 @@ type: date -- -*`threatintel.misp.attribute.comment`*:: +*`misp.attribute.comment`*:: + -- Comments made to the attribute itself. @@ -152259,7 +151598,7 @@ type: keyword -- -*`threatintel.misp.attribute.sharing_group_id`*:: +*`misp.attribute.sharing_group_id`*:: + -- The group ID of the sharing group related to the specific attribute. @@ -152269,7 +151608,7 @@ type: keyword -- -*`threatintel.misp.attribute.deleted`*:: +*`misp.attribute.deleted`*:: + -- If the attribute has been removed from the event object. @@ -152279,7 +151618,7 @@ type: boolean -- -*`threatintel.misp.attribute.disable_correlation`*:: +*`misp.attribute.disable_correlation`*:: + -- If correlation has been enabled on the attribute related to the event object. @@ -152289,7 +151628,7 @@ type: boolean -- -*`threatintel.misp.attribute.object_id`*:: +*`misp.attribute.object_id`*:: + -- The ID of the Object in which the attribute is attached. @@ -152299,7 +151638,7 @@ type: keyword -- -*`threatintel.misp.attribute.object_relation`*:: +*`misp.attribute.object_relation`*:: + -- The type of relation the attribute has with the event object itself. @@ -152309,7 +151648,7 @@ type: keyword -- -*`threatintel.misp.attribute.value`*:: +*`misp.attribute.value`*:: + -- The value of the attribute, depending on the type like "url, sha1, email-src". @@ -152319,7 +151658,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.id`*:: +*`misp.context.attribute.id`*:: + -- The ID of the secondary attribute related to the event object. @@ -152329,7 +151668,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.type`*:: +*`misp.context.attribute.type`*:: + -- The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. @@ -152339,7 +151678,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.category`*:: +*`misp.context.attribute.category`*:: + -- The category of the secondary attribute related to the event object. For example "Network Activity". @@ -152349,7 +151688,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.to_ids`*:: +*`misp.context.attribute.to_ids`*:: + -- If the secondary attribute should be automatically synced with an IDS. @@ -152359,7 +151698,7 @@ type: boolean -- -*`threatintel.misp.context.attribute.uuid`*:: +*`misp.context.attribute.uuid`*:: + -- The UUID of the secondary attribute related to the event. @@ -152369,7 +151708,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.event_id`*:: +*`misp.context.attribute.event_id`*:: + -- The local event ID of the secondary attribute related to the event. @@ -152379,7 +151718,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.distribution`*:: +*`misp.context.attribute.distribution`*:: + -- How the secondary attribute has been distributed, represented by integer numbers. @@ -152389,7 +151728,7 @@ type: long -- -*`threatintel.misp.context.attribute.timestamp`*:: +*`misp.context.attribute.timestamp`*:: + -- The timestamp in which the secondary attribute was attached to the event object. @@ -152399,7 +151738,7 @@ type: date -- -*`threatintel.misp.context.attribute.comment`*:: +*`misp.context.attribute.comment`*:: + -- Comments made to the secondary attribute itself. @@ -152409,7 +151748,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.sharing_group_id`*:: +*`misp.context.attribute.sharing_group_id`*:: + -- The group ID of the sharing group related to the specific secondary attribute. @@ -152419,7 +151758,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.deleted`*:: +*`misp.context.attribute.deleted`*:: + -- If the secondary attribute has been removed from the event object. @@ -152429,7 +151768,7 @@ type: boolean -- -*`threatintel.misp.context.attribute.disable_correlation`*:: +*`misp.context.attribute.disable_correlation`*:: + -- If correlation has been enabled on the secondary attribute related to the event object. @@ -152439,7 +151778,7 @@ type: boolean -- -*`threatintel.misp.context.attribute.object_id`*:: +*`misp.context.attribute.object_id`*:: + -- The ID of the Object in which the secondary attribute is attached. @@ -152449,7 +151788,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.object_relation`*:: +*`misp.context.attribute.object_relation`*:: + -- The type of relation the secondary attribute has with the event object itself. @@ -152459,7 +151798,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.value`*:: +*`misp.context.attribute.value`*:: + -- The value of the attribute, depending on the type like "url, sha1, email-src". @@ -152476,7 +151815,7 @@ Fields for OTX Threat Intel -*`threatintel.otx.id`*:: +*`otx.id`*:: + -- The ID of the indicator. @@ -152486,7 +151825,7 @@ type: keyword -- -*`threatintel.otx.indicator`*:: +*`otx.indicator`*:: + -- The value of the indicator, for example if the type is domain, this would be the value. @@ -152496,7 +151835,7 @@ type: keyword -- -*`threatintel.otx.description`*:: +*`otx.description`*:: + -- A description of the indicator. @@ -152506,7 +151845,7 @@ type: keyword -- -*`threatintel.otx.title`*:: +*`otx.title`*:: + -- Title describing the indicator. @@ -152516,7 +151855,7 @@ type: keyword -- -*`threatintel.otx.content`*:: +*`otx.content`*:: + -- Extra text or descriptive content related to the indicator. @@ -152526,7 +151865,7 @@ type: keyword -- -*`threatintel.otx.type`*:: +*`otx.type`*:: + -- The indicator type, can for example be "domain, email, FileHash-SHA256". @@ -152550,7 +151889,7 @@ Entity that represents a threat. -*`threatintel.recordedfuture.entity.id`*:: +*`recordedfuture.entity.id`*:: + -- Entity ID. @@ -152562,7 +151901,7 @@ example: ip:192.0.2.13 -- -*`threatintel.recordedfuture.entity.name`*:: +*`recordedfuture.entity.name`*:: + -- Entity name. Value for the entity. @@ -152574,7 +151913,7 @@ example: 192.0.2.13 -- -*`threatintel.recordedfuture.entity.type`*:: +*`recordedfuture.entity.type`*:: + -- Entity type. @@ -152586,7 +151925,7 @@ example: IpAddress -- -*`threatintel.recordedfuture.intelCard`*:: +*`recordedfuture.intelCard`*:: + -- Link to the Recorded Future Intelligence Card for to this indicator. @@ -152596,7 +151935,7 @@ type: keyword -- -*`threatintel.recordedfuture.ip_range`*:: +*`recordedfuture.ip_range`*:: + -- Range of IPs for this indicator. @@ -152615,7 +151954,7 @@ Risk fields. -*`threatintel.recordedfuture.risk.criticality`*:: +*`recordedfuture.risk.criticality`*:: + -- Risk criticality (0-4). @@ -152625,7 +151964,7 @@ type: byte -- -*`threatintel.recordedfuture.risk.criticalityLabel`*:: +*`recordedfuture.risk.criticalityLabel`*:: + -- Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious. @@ -152635,7 +151974,7 @@ type: keyword -- -*`threatintel.recordedfuture.risk.evidenceDetails`*:: +*`recordedfuture.risk.evidenceDetails`*:: + -- Risk's evidence details. @@ -152645,7 +151984,7 @@ type: flattened -- -*`threatintel.recordedfuture.risk.score`*:: +*`recordedfuture.risk.score`*:: + -- Risk score (0-99). @@ -152655,7 +151994,7 @@ type: short -- -*`threatintel.recordedfuture.risk.riskString`*:: +*`recordedfuture.risk.riskString`*:: + -- Number of Risk Rules observed as a factor of total number of rules. @@ -152667,7 +152006,7 @@ example: 1/54 -- -*`threatintel.recordedfuture.risk.riskSummary`*:: +*`recordedfuture.risk.riskSummary`*:: + -- Risk summary. @@ -152679,14 +152018,14 @@ example: 1 of 54 Risk Rules currently observed. -- -*`threatintel.recordedfuture.risk.riskSummary.text`*:: +*`recordedfuture.risk.riskSummary.text`*:: + -- type: text -- -*`threatintel.recordedfuture.risk.rules`*:: +*`recordedfuture.risk.rules`*:: + -- Number of rules observed. @@ -152703,7 +152042,7 @@ Fields for ThreatQ Threat Library -*`threatintel.threatq.updated_at`*:: +*`threatq.updated_at`*:: + -- Last modification time @@ -152713,7 +152052,7 @@ type: date -- -*`threatintel.threatq.created_at`*:: +*`threatq.created_at`*:: + -- Object creation time @@ -152723,7 +152062,7 @@ type: date -- -*`threatintel.threatq.expires_at`*:: +*`threatq.expires_at`*:: + -- Expiration time @@ -152733,7 +152072,7 @@ type: date -- -*`threatintel.threatq.expires_calculated_at`*:: +*`threatq.expires_calculated_at`*:: + -- Expiration calculation time @@ -152743,7 +152082,7 @@ type: date -- -*`threatintel.threatq.published_at`*:: +*`threatq.published_at`*:: + -- Object publication time @@ -152753,7 +152092,7 @@ type: date -- -*`threatintel.threatq.status`*:: +*`threatq.status`*:: + -- Object status within the Threat Library @@ -152763,7 +152102,7 @@ type: keyword -- -*`threatintel.threatq.indicator_value`*:: +*`threatq.indicator_value`*:: + -- Original indicator value @@ -152773,7 +152112,7 @@ type: keyword -- -*`threatintel.threatq.adversaries`*:: +*`threatq.adversaries`*:: + -- Adversaries that are linked to the object @@ -152783,7 +152122,7 @@ type: keyword -- -*`threatintel.threatq.attributes`*:: +*`threatq.attributes`*:: + -- These provide additional context about an object diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc index a05384ff4462..b8b5b6f950db 100644 --- a/filebeat/docs/modules/threatintel.asciidoc +++ b/filebeat/docs/modules/threatintel.asciidoc @@ -17,7 +17,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind Match rules], but is also compatible with other features like https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich Processors]. The related threat intel attribute that is meant to be used for -matching incoming source data is stored under the `threatintel.indicator.*` +matching incoming source data is stored under the `threat.indicator.*` fields. The available filesets are: @@ -73,9 +73,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | URL Threat Intel Fields | ECS Fields -| url | threatintel.indicator.url.full +| url | threat.indicator.url.full | date_added | @timestamp -| host | threatintel.indicator.ip/domain +| host | threat.indicator.ip/domain |============================================================== [[abusemalware]] @@ -117,9 +117,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| file_size | threatintel.indicator.file.size +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| file_size | threat.indicator.file.size |================================================================ [[malwarebazaar]] @@ -161,24 +161,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| tlsh | threatintel.indicator.file.hash.tlsh -| ssdeep | threatintel.indicator.file.hash.ssdeep -| imphash | threatintel.indicator.file.pe.imphash -| file_size | threatintel.indicator.file.size -| file_name | threatintel.indicator.file.name -| file_type_mime | threatintel.indicator.file.mime_type -| file_type | threatintel.indicator.file.type -| reporter | threatintel.indicator.provider -| origin_country | threatintel.indicator.geo.country_iso_code -| signature | threatintel.indicator.signature -| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name -| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name -| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm -| code_sign.valid_from | threatintel.indicator.file.x509.not_before -| code_sign.valid_to | threatintel.indicator.file.x509.not_after -| code_sign.serial_number | threatintel.indicator.file.x509.serial_number +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| sha384_hash | threat.indicator.file.hash.sha384 +| tlsh | threat.indicator.file.hash.tlsh +| ssdeep | threat.indicator.file.hash.ssdeep +| imphash | threat.indicator.file.pe.imphash +| file_size | threat.indicator.file.size +| file_name | threat.indicator.file.name +| file_type_mime | threat.indicator.file.mime_type +| file_type | threat.indicator.file.type +| reporter | threat.indicator.provider +| origin_country | threat.indicator.geo.country_iso_code +| signature | threat.indicator.signature +| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name +| code_sign.issuer_cn | threat.indicator.file.x509.issuer.common_name +| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm +| code_sign.valid_from | threat.indicator.file.x509.not_before +| code_sign.valid_to | threat.indicator.file.x509.not_after +| code_sign.serial_number | threat.indicator.file.x509.serial_number |================================================================ [[misp]] @@ -255,10 +256,10 @@ MISP Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | Malware Threat IntelFields | ECS Fields -| misp.first_seen | threatintel.indicator.first_seen -| misp.last_seen | threatintel.indicator.last_seen +| misp.first_seen | threat.indicator.first_seen +| misp.last_seen | threat.indicator.last_seen | misp.tag | tag -| misp.value | threatintel.indicator.* +| misp.value | threat.indicator.* |============================================================== `misp.value` is mapped to the appropriate field dependent on attribute type. @@ -336,9 +337,9 @@ OTX Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================ | Malware Threat Intel Fields | ECS Fields -| otx.type | threatintel.indicator.type -| otx.description | threatintel.indicator.description -| otx.indicator | threatintel.indicator.* +| otx.type | threat.indicator.type +| otx.description | threat.indicator.description +| otx.indicator | threat.indicator.* |============================================================ `otx.indicator` is mapped to the appropriate field dependent on attribute type. @@ -420,10 +421,10 @@ Anomali Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================= | Malware Threat Intel Fields | ECS Fields -| anomali.description | threatintel.indicator.description -| anomali.created | threatintel.indicator.first_seen -| anomali.modified | threatintel.indicator.last_seen -| anomali.pattern | threatintel.indicator.* +| anomali.description | threat.indicator.description +| anomali.created | threat.indicator.first_seen +| anomali.modified | threat.indicator.last_seen +| anomali.pattern | threat.indicator.* | anomali.labels | tags |============================================================= @@ -491,24 +492,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatStream fields | ECS Fields -| asn | threatintel.indicator.as.number -| classification<> | threatintel.indicator.marking.tlp -| confidence<> | threatintel.indicator.confidence -| country | threatintel.indicator.geo.country_iso_code -| date_first | threatintel.indicator.first_seen -| date_last | threatintel.indicator.last_seen +| asn | threat.indicator.as.number +| classification<> | threat.indicator.marking.tlp +| confidence<> | threat.indicator.confidence +| country | threat.indicator.geo.country_iso_code +| date_first | threat.indicator.first_seen +| date_last | threat.indicator.last_seen | detail | tags -| domain | threatintel.indicator.url.domain -| email | threatintel.indicator.email.address -| itype<> | threatintel.indicator.type -| lat | threatintel.indicator.geo.location.lat -| lon | threatintel.indicator.geo.location.lon -| md5 | threatintel.indicator.file.hash -| org | threatintel.indicator.as.organization.name +| domain | threat.indicator.url.domain +| email | threat.indicator.email.address +| itype<> | threat.indicator.type +| lat | threat.indicator.geo.location.lat +| lon | threat.indicator.geo.location.lon +| md5 | threat.indicator.file.hash +| org | threat.indicator.as.organization.name | severity<> | event.severity -| source | threatintel.indicator.provider -| srcip | threatintel.indicator.ip -| url | threatintel.indicator.url.original +| source | threat.indicator.provider +| srcip | threat.indicator.ip +| url | threat.indicator.url.original |============================================================= [[a]] @@ -590,16 +591,16 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | Recorded Future fields | ECS Fields -| entity.name | threatintel.indicator.{url,ip,domain,file.hash} -| entity.type | threatintel.indicator.type -| fileHashes | threatintel.indicator.file.hash +| entity.name | threat.indicator.{url,ip,domain,file.hash} +| entity.type | threat.indicator.type +| fileHashes | threat.indicator.file.hash | intelCard | event.reference -| location.asn | threatintel.indicator.as.number -| location.location | threatintel.indicator.geo -| location.organization | threatintel.indicator.as.organization.name +| location.asn | threat.indicator.as.number +| location.location | threat.indicator.geo +| location.organization | threat.indicator.as.organization.name | risk.score | event.risk_score -| timestamps.firstSeen | threatintel.indicator.first_seen -| timestamps.lastSeen | threatintel.indicator.last_seen +| timestamps.firstSeen | threat.indicator.first_seen +| timestamps.lastSeen | threat.indicator.last_seen |============================================================= :has-dashboards!: @@ -707,11 +708,11 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatQ fields | ECS Fields -| type.name | threatintel.indicator.type -| description | threatintel.indicator.description -| score | threatintel.indicator.confidence -| value | threatintel.indicator.{url,ip,domain,file.hash} -| sources | threatintel.indicator.provider +| type.name | threat.indicator.type +| description | threat.indicator.description +| score | threat.indicator.confidence +| value | threat.indicator.{url,ip,domain,file.hash} +| sources | threat.indicator.provider |============================================================= :has-dashboards!: diff --git a/go.mod b/go.mod index 72db963bcf3e..a06dd9e5d490 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( code.cloudfoundry.org/go-loggregator v7.4.0+incompatible code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a // indirect github.com/Azure/azure-event-hubs-go/v3 v3.3.15 - github.com/Azure/azure-sdk-for-go v57.0.0+incompatible + github.com/Azure/azure-sdk-for-go v59.0.0+incompatible github.com/Azure/azure-storage-blob-go v0.8.0 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/Azure/go-autorest/autorest v0.11.19 @@ -75,7 +75,7 @@ require ( github.com/elastic/go-txfile v0.0.8 github.com/elastic/go-ucfg v0.8.3 github.com/elastic/go-windows v1.0.1 - github.com/elastic/gosigar v0.14.1 + github.com/elastic/gosigar v0.14.2 github.com/fatih/color v1.9.0 github.com/fearful-symmetry/gorapl v0.0.4 github.com/fsnotify/fsevents v0.1.1 diff --git a/go.sum b/go.sum index db459227a067..4ae1569e4dac 100644 --- a/go.sum +++ b/go.sum @@ -67,8 +67,8 @@ github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go v41.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v55.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v57.0.0+incompatible h1:isVki3PbIFrwKvKdVP1byxo73/pt+Nn174YxW1k4PNw= -github.com/Azure/azure-sdk-for-go v57.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v59.0.0+incompatible h1:I1ULJqny1qQhUBFy11yDXHhW3pLvbhwV0PTn7mjp9V0= +github.com/Azure/azure-sdk-for-go v59.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y= github.com/Azure/azure-storage-blob-go v0.8.0 h1:53qhf0Oxa0nOjgbDeeYPUeyiNmafAFEY95rZLK0Tj6o= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= @@ -537,8 +537,8 @@ github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+F github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU= github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0= github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss= -github.com/elastic/gosigar v0.14.1 h1:T0aQ7n/n2ZA9W7DmAnj60v+qzqKERdBgJBO1CG2W6rc= -github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= +github.com/elastic/gosigar v0.14.2 h1:Dg80n8cr90OZ7x+bAax/QjoW/XqTI11RmA79ZwIm9/4= +github.com/elastic/gosigar v0.14.2/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752 h1:5/RUNg7rkIvayjPhAIoI3v8p45NfWcfWs5DZSElycis= github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752/go.mod h1:mdtqvCSg8JOxk8PmpTNGyo6wzd4BMm4QXSfDnTXmgkE= github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= diff --git a/heartbeat/docs/monitors/monitor-browser.asciidoc b/heartbeat/docs/monitors/monitor-browser.asciidoc index 3bd4e183f97a..49f31668d479 100644 --- a/heartbeat/docs/monitors/monitor-browser.asciidoc +++ b/heartbeat/docs/monitors/monitor-browser.asciidoc @@ -4,7 +4,7 @@ TIP: Want to get started with synthetic monitoring? See the {observability-guide}/synthetics-quickstart.html[quick start guide]. -The options described here configure {beatname_uc} to run the synthetic +beta[] The options described here configure {beatname_uc} to run the synthetic monitoring test suites via Synthetic Agent on the Chromium browser. Additional shared options are defined in <>. Example configuration: diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go index e5186ea59442..3e1da0f62fb3 100644 --- a/libbeat/cmd/instance/beat.go +++ b/libbeat/cmd/instance/beat.go @@ -163,19 +163,14 @@ func Run(settings Settings, bt beat.Creator) error { return errw.Wrap(err, "could not set umask") } - name := settings.Name - idxPrefix := settings.IndexPrefix - agentVersion := settings.Version - elasticLicensed := settings.ElasticLicensed - return handleError(func() error { defer func() { if r := recover(); r != nil { - logp.NewLogger(name).Fatalw("Failed due to panic.", + logp.NewLogger(settings.Name).Fatalw("Failed due to panic.", "panic", r, zap.Stack("stack")) } }() - b, err := NewBeat(name, idxPrefix, agentVersion, elasticLicensed) + b, err := NewInitializedBeat(settings) if err != nil { return err } @@ -410,10 +405,6 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error { defer logp.Sync() defer logp.Info("%s stopped.", b.Info.Beat) - err := b.InitWithSettings(settings) - if err != nil { - return err - } defer func() { if err := b.processing.Close(); err != nil { logp.Warn("Failed to close global processing: %v", err) @@ -429,7 +420,7 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error { // Try to acquire exclusive lock on data path to prevent another beat instance // sharing same data path. bl := newLocker(b) - err = bl.lock() + err := bl.lock() if err != nil { return err } diff --git a/libbeat/cmd/instance/beat_integration_test.go b/libbeat/cmd/instance/beat_integration_test.go new file mode 100644 index 000000000000..7e7db83daa43 --- /dev/null +++ b/libbeat/cmd/instance/beat_integration_test.go @@ -0,0 +1,130 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package instance_test + +import ( + "encoding/json" + "flag" + "net/http" + "sync" + "testing" + "time" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/cmd/instance" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/mock" +) + +type mockbeat struct { + done chan struct{} + initDone chan struct{} +} + +func (mb mockbeat) Run(b *beat.Beat) error { + client, err := b.Publisher.Connect() + if err != nil { + return err + } + + ticker := time.NewTicker(1 * time.Second) + go func() { + // unblocks mb.waitUntilRunning + close(mb.initDone) + for { + select { + case <-ticker.C: + client.Publish(beat.Event{ + Timestamp: time.Now(), + Fields: common.MapStr{ + "type": "mock", + "message": "Mockbeat is alive!", + }, + }) + case <-mb.done: + ticker.Stop() + return + } + } + }() + + <-mb.done + return nil +} + +func (mb mockbeat) waitUntilRunning() { + <-mb.initDone +} + +func (mb mockbeat) Stop() { + close(mb.done) +} + +func TestMonitoringNameFromConfig(t *testing.T) { + mockBeat := mockbeat{ + done: make(chan struct{}), + initDone: make(chan struct{}), + } + var wg sync.WaitGroup + wg.Add(1) + + // Make sure the beat has stopped before finishing the test + t.Cleanup(wg.Wait) + + go func() { + defer wg.Done() + + // Set the configuration file path flag so the beat can read it + flag.Set("c", "testdata/mockbeat.yml") + instance.Run(mock.Settings, func(_ *beat.Beat, _ *common.Config) (beat.Beater, error) { + return &mockBeat, nil + }) + }() + + t.Cleanup(func() { + mockBeat.Stop() + }) + + // Make sure the beat is running + mockBeat.waitUntilRunning() + + // As the HTTP server runs in a different goroutine from the + // beat main loop, give the scheduler another chance to schedule + // the HTTP server goroutine + time.Sleep(10 * time.Millisecond) + + resp, err := http.Get("http://localhost:5066/state") + if err != nil { + t.Fatal("calling state endpoint: ", err.Error()) + } + defer resp.Body.Close() + + beatName := struct { + Beat struct { + Name string + } + }{} + + if err := json.NewDecoder(resp.Body).Decode(&beatName); err != nil { + t.Fatalf("could not decode response body: %s", err.Error()) + } + + if got, want := beatName.Beat.Name, "TestMonitoringNameFromConfig"; got != want { + t.Fatalf("expecting '%s', got '%s'", want, got) + } +} diff --git a/libbeat/cmd/instance/testdata/mockbeat.yml b/libbeat/cmd/instance/testdata/mockbeat.yml new file mode 100644 index 000000000000..a5016eb7f91d --- /dev/null +++ b/libbeat/cmd/instance/testdata/mockbeat.yml @@ -0,0 +1,24 @@ +############################# Mockbeat ###################################### +mockbeat: +############################# General ############################################ + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +# If this options is not defined, the hostname is used. + +name: TestMonitoringNameFromConfig + +# The tags of the shipper are included in their own field with each +# transaction published. Tags make it easy to group servers by different +# logical properties. +# tags: [] + +############################# Output ############################################ + +# Configure what outputs to use when sending the data collected by mockbeat. +# Multiple outputs may NOT be enabled. +output.elasticsearch: + hosts: ["localhost:9200"] +http: + enabled: true + port: 5066 diff --git a/libbeat/outputs/kafka/kafka.go b/libbeat/outputs/kafka/kafka.go index 9be3970b1c41..8f06398eb0c3 100644 --- a/libbeat/outputs/kafka/kafka.go +++ b/libbeat/outputs/kafka/kafka.go @@ -18,9 +18,6 @@ package kafka import ( - "errors" - "time" - "github.com/Shopify/sarama" "github.com/elastic/beats/v7/libbeat/beat" @@ -32,20 +29,9 @@ import ( ) const ( - defaultWaitRetry = 1 * time.Second - - // NOTE: maxWaitRetry has no effect on mode, as logstash client currently does - // not return ErrTempBulkFailure - defaultMaxWaitRetry = 60 * time.Second - logSelector = "kafka" ) -var ( - errNoTopicSet = errors.New("No topic configured") - errNoHosts = errors.New("No hosts configured") -) - func init() { sarama.Logger = kafkaLogger{log: logp.NewLogger(logSelector)} diff --git a/libbeat/outputs/kafka/kafka_integration_test.go b/libbeat/outputs/kafka/kafka_integration_test.go index 0cc751d99b9e..2be42f639e79 100644 --- a/libbeat/outputs/kafka/kafka_integration_test.go +++ b/libbeat/outputs/kafka/kafka_integration_test.go @@ -45,8 +45,9 @@ import ( ) const ( - kafkaDefaultHost = "localhost" - kafkaDefaultPort = "9092" + kafkaDefaultHost = "kafka" + kafkaDefaultPort = "9092" + kafkaDefaultSASLPort = "9093" ) type eventInfo struct { @@ -183,6 +184,37 @@ func TestKafkaPublish(t *testing.T) { "type": "log", }), }, + { + "publish single event to test topic", + map[string]interface{}{}, + testTopic, + single(common.MapStr{ + "host": "test-host", + "message": id, + }), + }, + { + // Initially I tried rerunning all tests over SASL/SCRAM, but + // that added a full 30sec to the test. Instead most tests run + // in plaintext, and individual tests can switch to SCRAM + // by inserting the config in this example: + "publish single event to test topic over SASL/SCRAM", + map[string]interface{}{ + "hosts": []string{getTestSASLKafkaHost()}, + "protocol": "https", + "sasl.mechanism": "SCRAM-SHA-512", + "ssl.certificate_authorities": []string{ + "../../../testing/environments/docker/kafka/certs/ca-cert", + }, + "username": "beats", + "password": "KafkaTest", + }, + testTopic, + single(common.MapStr{ + "host": "test-host", + "message": id, + }), + }, } defaultConfig := map[string]interface{}{ @@ -322,6 +354,13 @@ func getTestKafkaHost() string { ) } +func getTestSASLKafkaHost() string { + return fmt.Sprintf("%v:%v", + getenv("KAFKA_HOST", kafkaDefaultHost), + getenv("KAFKA_SASL_PORT", kafkaDefaultSASLPort), + ) +} + func makeConfig(t *testing.T, in map[string]interface{}) *common.Config { cfg, err := common.NewConfigFrom(in) if err != nil { diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index cba51ff349f2..9e2489352e1e 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -52790,10 +52790,40 @@ Openmetrics module +*`openmetrics.help`*:: ++ +-- +Brief description of the MetricFamily + + +type: keyword + +-- + +*`openmetrics.type`*:: ++ +-- +Metric type + + +type: keyword + +-- + +*`openmetrics.unit`*:: ++ +-- +Metric unit + + +type: keyword + +-- + *`openmetrics.labels.*`*:: + -- -Prometheus metric labels +Openmetrics metric labels type: object @@ -52803,7 +52833,27 @@ type: object *`openmetrics.metrics.*`*:: + -- -Prometheus metric +Openmetrics metric + + +type: object + +-- + +*`openmetrics.exemplar.*`*:: ++ +-- +Openmetrics exemplars + + +type: object + +-- + +*`openmetrics.exemplar.labels.*`*:: ++ +-- +Openmetrics metric exemplar labels type: object @@ -58924,7 +58974,7 @@ type: keyword *`system.filesystem.type`*:: + -- -The disk type. For example: `ext4` +The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks). type: keyword diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index 06000e772915..2b184916aa92 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc @@ -9,6 +9,7 @@ beta[] include::../../../module/openmetrics/collector/_meta/docs.asciidoc[] +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/helper/openmetrics/label.go b/metricbeat/helper/openmetrics/label.go new file mode 100644 index 000000000000..0f0a69054dde --- /dev/null +++ b/metricbeat/helper/openmetrics/label.go @@ -0,0 +1,59 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +// LabelMap defines the mapping from OpenMetrics label to a Metricbeat field +type LabelMap interface { + // GetField returns the resulting field name + GetField() string + + // IsKey returns true if the label is a key label + IsKey() bool +} + +// Label maps a OpenMetrics label to a Metricbeat field +func Label(field string) LabelMap { + return &commonLabel{ + field: field, + key: false, + } +} + +// KeyLabel maps a OpenMetrics label to a Metricbeat field. The label is flagged as key. +// Metrics with the same tuple of key labels will be grouped in the same event. +func KeyLabel(field string) LabelMap { + return &commonLabel{ + field: field, + key: true, + } +} + +type commonLabel struct { + field string + key bool +} + +// GetField returns the resulting field name +func (l *commonLabel) GetField() string { + return l.field +} + +// IsKey returns true if the label is a key label +func (l *commonLabel) IsKey() bool { + return l.key +} diff --git a/metricbeat/helper/openmetrics/metric.go b/metricbeat/helper/openmetrics/metric.go new file mode 100644 index 000000000000..4907ab59c9eb --- /dev/null +++ b/metricbeat/helper/openmetrics/metric.go @@ -0,0 +1,495 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "fmt" + "math" + "strconv" + "strings" + "time" + + "github.com/elastic/beats/v7/libbeat/common" +) + +// MetricMap defines the mapping from Openmetrics metric to a Metricbeat field +type MetricMap interface { + // GetOptions returns the list of metric options + GetOptions() []MetricOption + + // GetField returns the resulting field name + GetField() string + + // GetValue returns the resulting value + GetValue(m *OpenMetric) interface{} + GetNilValue() interface{} + + // GetConfiguration returns the configuration for the metric + GetConfiguration() Configuration +} + +// Configuration for mappings that needs extended treatment +type Configuration struct { + // StoreNonMappedLabels indicates if labels found at the metric that are + // not found at the label map should be part of the resulting event. + // This setting should be used when the label name is not known beforehand + StoreNonMappedLabels bool + // NonMappedLabelsPlacement is used when StoreNonMappedLabels is set to true, and + // defines the key path at the event under which to store the dynamically found labels. + // This key path will be added to the events that match this metric along with a subset of + // key/value pairs will be created under it, one for each non mapped label found. + // + // Example: + // + // given a metric family in a Openmetrics resource in the form: + // metric1{label1="value1",label2="value2"} 1 + // and not mapping labels but using this entry on a the MetricMap definition: + // "metric1": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "mypath"}), + // would output an event that contains a metricset field as follows + // "mypath": {"label1":"value1","label2":"value2"} + // + NonMappedLabelsPlacement string + // MetricProcessing options are a set of functions that will be + // applied to metrics after they are retrieved + MetricProcessingOptions []MetricOption + // ExtraFields is used to add fields to the + // event where this metric is included + ExtraFields common.MapStr +} + +// MetricOption adds settings to Metric objects behavior +type MetricOption interface { + // Process a tuple of field, value and labels from a metric, return the same tuple updated + Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) +} + +// OpFilterMap only processes metrics matching the given filter +func OpFilterMap(label string, filterMap map[string]string) MetricOption { + return opFilterMap{ + label: label, + filterMap: filterMap, + } +} + +// OpLowercaseValue lowercases the value if it's a string +func OpLowercaseValue() MetricOption { + return opLowercaseValue{} +} + +// OpUnixTimestampValue parses a value into a Unix timestamp +func OpUnixTimestampValue() MetricOption { + return opUnixTimestampValue{} +} + +// OpMultiplyBuckets multiplies bucket labels in histograms, useful to change units +func OpMultiplyBuckets(multiplier float64) MetricOption { + return opMultiplyBuckets{ + multiplier: multiplier, + } +} + +// OpSetSuffix extends the field's name with the given suffix if the value of the metric +// is numeric (and not histogram or quantile), otherwise does nothing +func OpSetNumericMetricSuffix(suffix string) MetricOption { + return opSetNumericMetricSuffix{ + suffix: suffix, + } +} + +// Metric directly maps a Openmetrics metric to a Metricbeat field +func Metric(field string, options ...MetricOption) MetricMap { + return &commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + } +} + +// KeywordMetric maps a Openmetrics metric to a Metricbeat field, stores the +// given keyword when source metric value is 1 +func KeywordMetric(field, keyword string, options ...MetricOption) MetricMap { + return &keywordMetric{ + commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + }, + keyword, + } +} + +// BooleanMetric maps a Openmetrics metric to a Metricbeat field of bool type +func BooleanMetric(field string, options ...MetricOption) MetricMap { + return &booleanMetric{ + commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + }, + } +} + +// LabelMetric maps a Openmetrics metric to a Metricbeat field, stores the value +// of a given label on it if the gauge value is 1 +func LabelMetric(field, label string, options ...MetricOption) MetricMap { + return &labelMetric{ + commonMetric{ + field: field, + config: Configuration{MetricProcessingOptions: options}, + }, + label, + } +} + +// InfoMetric obtains info labels from the given metric and puts them +// into events matching all the key labels present in the metric +func InfoMetric(options ...MetricOption) MetricMap { + return &infoMetric{ + commonMetric{ + config: Configuration{MetricProcessingOptions: options}, + }, + } +} + +// ExtendedInfoMetric obtains info labels from the given metric and puts them +// into events matching all the key labels present in the metric +func ExtendedInfoMetric(configuration Configuration) MetricMap { + return &infoMetric{ + commonMetric{ + config: configuration, + }, + } +} + +// ExtendedMetric is a metric item that allows extended behaviour +// through configuration +func ExtendedMetric(field string, configuration Configuration) MetricMap { + return &commonMetric{ + field: field, + config: configuration, + } +} + +type commonMetric struct { + field string + config Configuration +} + +// GetOptions returns the list of metric options +func (m *commonMetric) GetOptions() []MetricOption { + return m.config.MetricProcessingOptions +} + +// GetField returns the resulting field name +func (m *commonMetric) GetField() string { + return m.field +} + +// GetConfiguration returns the configuration for the metric +func (m *commonMetric) GetConfiguration() Configuration { + return m.config +} +func (m *commonMetric) GetNilValue() interface{} { + return nil +} + +// GetValue returns the resulting value +func (m *commonMetric) GetValue(metric *OpenMetric) interface{} { + info := metric.GetInfo() + if info != nil { + if info.HasValidValue() { + return info.GetValue() + } + } + + stateset := metric.GetStateset() + if stateset != nil { + if stateset.HasValidValue() { + return stateset.GetValue() + } + } + + unknown := metric.GetUnknown() + if unknown != nil { + if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) { + return int64(unknown.GetValue()) + } + } + + counter := metric.GetCounter() + if counter != nil { + if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) { + return int64(counter.GetValue()) + } + } + + gauge := metric.GetGauge() + if gauge != nil { + if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) { + return gauge.GetValue() + } + } + + summary := metric.GetSummary() + if summary != nil { + value := common.MapStr{} + if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) { + value["sum"] = summary.GetSampleSum() + value["count"] = summary.GetSampleCount() + } + + quantiles := summary.GetQuantile() + percentileMap := common.MapStr{} + for _, quantile := range quantiles { + if !math.IsNaN(quantile.GetValue()) && !math.IsInf(quantile.GetValue(), 0) { + key := strconv.FormatFloat(100*quantile.GetQuantile(), 'f', -1, 64) + percentileMap[key] = quantile.GetValue() + } + } + + if len(percentileMap) != 0 { + value["percentile"] = percentileMap + } + + return value + } + + histogram := metric.GetHistogram() + if histogram != nil { + value := common.MapStr{} + if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) { + value["sum"] = histogram.GetSampleSum() + value["count"] = histogram.GetSampleCount() + } + + buckets := histogram.GetBucket() + bucketMap := common.MapStr{} + for _, bucket := range buckets { + if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) { + key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64) + bucketMap[key] = bucket.GetCumulativeCount() + } + } + + if len(bucketMap) != 0 { + value["bucket"] = bucketMap + } + + return value + } + + gaugehistogram := metric.GetGaugeHistogram() + if gaugehistogram != nil { + value := common.MapStr{} + if !math.IsNaN(gaugehistogram.GetSampleSum()) && !math.IsInf(gaugehistogram.GetSampleSum(), 0) { + value["gsum"] = gaugehistogram.GetSampleSum() + value["gcount"] = gaugehistogram.GetSampleCount() + } + + buckets := gaugehistogram.GetBucket() + bucketMap := common.MapStr{} + for _, bucket := range buckets { + if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) { + key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64) + bucketMap[key] = bucket.GetCumulativeCount() + } + } + + if len(bucketMap) != 0 { + value["bucket"] = bucketMap + } + + return value + } + + // Other types are not supported here + return nil +} + +type keywordMetric struct { + commonMetric + keyword string +} + +// GetValue returns the resulting value +func (m *keywordMetric) GetValue(metric *OpenMetric) interface{} { + if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 { + return m.keyword + } + return nil +} + +type booleanMetric struct { + commonMetric +} + +// GetValue returns the resulting value +func (m *booleanMetric) GetValue(metric *OpenMetric) interface{} { + if gauge := metric.GetGauge(); gauge != nil { + return gauge.GetValue() == 1 + } + return nil +} + +type labelMetric struct { + commonMetric + label string +} + +// GetValue returns the resulting value +func (m *labelMetric) GetValue(metric *OpenMetric) interface{} { + if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 { + return getLabel(metric, m.label) + } + return nil +} + +func getLabel(metric *OpenMetric, name string) string { + for _, label := range metric.GetLabel() { + if label.Name == name { + return label.Value + } + } + return "" +} + +type infoMetric struct { + commonMetric +} + +// GetValue returns the resulting value +func (m *infoMetric) GetValue(metric *OpenMetric) interface{} { + return "" +} + +// GetField returns the resulting field name +func (m *infoMetric) GetField() string { + return "" +} + +type opFilterMap struct { + label string + filterMap map[string]string +} + +// Called by the Openmetrics helper to apply extra options on retrieved metrics +// Check whether the value of the specified label is allowed and, if yes, return the metric via the specified mapped field +// Else, if the specified label does not match the filter, return nil +// This is useful in cases where multiple Metricbeat fields need to be defined per Openmetrics metric, based on label values +func (o opFilterMap) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + for k, v := range o.filterMap { + if labels[o.label] == k { + return fmt.Sprintf("%v.%v", field, v), value, labels + } + } + return "", nil, nil +} + +type opLowercaseValue struct{} + +// Process will lowercase the given value if it's a string +func (o opLowercaseValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + if val, ok := value.(string); ok { + value = strings.ToLower(val) + } + return field, value, labels +} + +type opMultiplyBuckets struct { + multiplier float64 +} + +// Process will multiply the bucket labels if it is an histogram with numeric labels +func (o opMultiplyBuckets) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + histogram, ok := value.(common.MapStr) + if !ok { + return field, value, labels + } + bucket, ok := histogram["bucket"].(common.MapStr) + if !ok { + return field, value, labels + } + sum, ok := histogram["sum"].(float64) + if !ok { + return field, value, labels + } + multiplied := common.MapStr{} + for k, v := range bucket { + if f, err := strconv.ParseFloat(k, 64); err == nil { + key := strconv.FormatFloat(f*o.multiplier, 'f', -1, 64) + multiplied[key] = v + } else { + multiplied[k] = v + } + } + histogram["bucket"] = multiplied + histogram["sum"] = sum * o.multiplier + return field, histogram, labels +} + +type opSetNumericMetricSuffix struct { + suffix string +} + +// Process will extend the field's name with the given suffix +func (o opSetNumericMetricSuffix) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + _, ok := value.(float64) + if !ok { + return field, value, labels + } + field = fmt.Sprintf("%v.%v", field, o.suffix) + return field, value, labels +} + +type opUnixTimestampValue struct { +} + +// Process converts a value in seconds into an unix time +func (o opUnixTimestampValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + return field, common.Time(time.Unix(int64(value.(float64)), 0)), labels +} + +// OpLabelKeyPrefixRemover removes prefix from label keys +func OpLabelKeyPrefixRemover(prefix string) MetricOption { + return opLabelKeyPrefixRemover{prefix} +} + +// opLabelKeyPrefixRemover is a metric option processor that removes a prefix from the key of a label set +type opLabelKeyPrefixRemover struct { + Prefix string +} + +// Process modifies the labels map, removing a prefix when found at keys of the labels set. +// For each label, if the key is found a new key will be created hosting the same value and the +// old key will be deleted. +// Fields, values and not prefixed labels will remain unmodified. +func (o opLabelKeyPrefixRemover) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + renameKeys := []string{} + for k := range labels { + if len(k) < len(o.Prefix) { + continue + } + if k[:6] == o.Prefix { + renameKeys = append(renameKeys, k) + } + } + + for i := range renameKeys { + v := labels[renameKeys[i]] + delete(labels, renameKeys[i]) + labels[renameKeys[i][len(o.Prefix):]] = v + } + return "", value, labels +} diff --git a/metricbeat/helper/openmetrics/module.go b/metricbeat/helper/openmetrics/module.go new file mode 100644 index 000000000000..fac374ee1b42 --- /dev/null +++ b/metricbeat/helper/openmetrics/module.go @@ -0,0 +1,61 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/mb/parse" +) + +const ( + defaultScheme = "http" + defaultPath = "/metrics" +) + +var ( + // HostParser validates OpenMetrics URLs + HostParser = parse.URLHostParserBuilder{ + DefaultScheme: defaultScheme, + DefaultPath: defaultPath, + }.Build() +) + +// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using the given mapping +func MetricSetBuilder(mapping *MetricsMapping) func(base mb.BaseMetricSet) (mb.MetricSet, error) { + return func(base mb.BaseMetricSet) (mb.MetricSet, error) { + openmetrics, err := NewOpenMetricsClient(base) + if err != nil { + return nil, err + } + return &openmetricsMetricSet{ + BaseMetricSet: base, + openmetrics: openmetrics, + mapping: mapping, + }, nil + } +} + +type openmetricsMetricSet struct { + mb.BaseMetricSet + openmetrics OpenMetrics + mapping *MetricsMapping +} + +func (m *openmetricsMetricSet) Fetch(r mb.ReporterV2) error { + return m.openmetrics.ReportProcessedMetrics(m.mapping, r) +} diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go new file mode 100644 index 000000000000..9e4abc6428b3 --- /dev/null +++ b/metricbeat/helper/openmetrics/openmetrics.go @@ -0,0 +1,1000 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "compress/gzip" + "fmt" + "io" + "io/ioutil" + "math" + "mime" + "net/http" + "regexp" + "strconv" + "strings" + "time" + + "github.com/prometheus/common/model" + + "github.com/prometheus/prometheus/pkg/exemplar" + "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + "github.com/prometheus/prometheus/pkg/timestamp" + + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/helper" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +const acceptHeader = `application/openmetrics-text; version=1.0.0; charset=utf-8,text/plain` + +var errNameLabelMandatory = fmt.Errorf("missing metric name (%s label)", labels.MetricName) + +type Gauge struct { + Value *float64 +} + +func (m *Gauge) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Info struct { + Value *int64 +} + +func (m *Info) GetValue() int64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} +func (m *Info) HasValidValue() bool { + return m != nil && *m.Value == 1 +} + +type Stateset struct { + Value *int64 +} + +func (m *Stateset) GetValue() int64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} +func (m *Stateset) HasValidValue() bool { + return m != nil && (*m.Value == 0 || *m.Value == 1) +} + +type Counter struct { + Value *float64 +} + +func (m *Counter) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Quantile struct { + Quantile *float64 + Value *float64 + Exemplar *exemplar.Exemplar +} + +func (m *Quantile) GetQuantile() float64 { + if m != nil && m.Quantile != nil { + return *m.Quantile + } + return 0 +} + +func (m *Quantile) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Summary struct { + SampleCount *uint64 + SampleSum *float64 + Quantile []*Quantile +} + +func (m *Summary) GetSampleCount() uint64 { + if m != nil && m.SampleCount != nil { + return *m.SampleCount + } + return 0 +} + +func (m *Summary) GetSampleSum() float64 { + if m != nil && m.SampleSum != nil { + return *m.SampleSum + } + return 0 +} + +func (m *Summary) GetQuantile() []*Quantile { + if m != nil { + return m.Quantile + } + return nil +} + +type Unknown struct { + Value *float64 +} + +func (m *Unknown) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Bucket struct { + CumulativeCount *uint64 + UpperBound *float64 + Exemplar *exemplar.Exemplar +} + +func (m *Bucket) GetCumulativeCount() uint64 { + if m != nil && m.CumulativeCount != nil { + return *m.CumulativeCount + } + return 0 +} + +func (m *Bucket) GetUpperBound() float64 { + if m != nil && m.UpperBound != nil { + return *m.UpperBound + } + return 0 +} + +type Histogram struct { + SampleCount *uint64 + SampleSum *float64 + Bucket []*Bucket + IsGaugeHistogram bool +} + +func (m *Histogram) GetSampleCount() uint64 { + if m != nil && m.SampleCount != nil { + return *m.SampleCount + } + return 0 +} + +func (m *Histogram) GetSampleSum() float64 { + if m != nil && m.SampleSum != nil { + return *m.SampleSum + } + return 0 +} + +func (m *Histogram) GetBucket() []*Bucket { + if m != nil { + return m.Bucket + } + return nil +} + +type OpenMetric struct { + Label []*labels.Label + Exemplar *exemplar.Exemplar + Name *string + Gauge *Gauge + Counter *Counter + Info *Info + Stateset *Stateset + Summary *Summary + Unknown *Unknown + Histogram *Histogram + TimestampMs *int64 +} + +func (m *OpenMetric) GetName() *string { + if m != nil { + return m.Name + } + return nil +} + +func (m *OpenMetric) GetLabel() []*labels.Label { + if m != nil { + return m.Label + } + return nil +} + +func (m *OpenMetric) GetGauge() *Gauge { + if m != nil { + return m.Gauge + } + return nil +} + +func (m *OpenMetric) GetCounter() *Counter { + if m != nil { + return m.Counter + } + return nil +} + +func (m *OpenMetric) GetInfo() *Info { + if m != nil { + return m.Info + } + return nil +} + +func (m *OpenMetric) GetStateset() *Stateset { + if m != nil { + return m.Stateset + } + return nil +} + +func (m *OpenMetric) GetSummary() *Summary { + if m != nil { + return m.Summary + } + return nil +} + +func (m *OpenMetric) GetUnknown() *Unknown { + if m != nil { + return m.Unknown + } + return nil +} + +func (m *OpenMetric) GetHistogram() *Histogram { + if m != nil && m.Histogram != nil && !m.Histogram.IsGaugeHistogram { + return m.Histogram + } + return nil +} + +func (m *OpenMetric) GetGaugeHistogram() *Histogram { + if m != nil && m.Histogram != nil && m.Histogram.IsGaugeHistogram { + return m.Histogram + } + return nil +} + +func (m *OpenMetric) GetTimestampMs() int64 { + if m != nil && m.TimestampMs != nil { + return *m.TimestampMs + } + return 0 +} + +type OpenMetricFamily struct { + Name *string + Help *string + Type textparse.MetricType + Unit *string + Metric []*OpenMetric +} + +func (m *OpenMetricFamily) GetName() string { + if m != nil && m.Name != nil { + return *m.Name + } + return "" +} +func (m *OpenMetricFamily) GetUnit() string { + if m != nil && *m.Unit != "" { + return *m.Unit + } + return "" +} + +func (m *OpenMetricFamily) GetMetric() []*OpenMetric { + if m != nil { + return m.Metric + } + return nil +} + +// OpenMetrics helper retrieves openmetrics formatted metrics +// This interface needs to use TextParse +type OpenMetrics interface { + // GetFamilies requests metric families from openmetrics endpoint and returns them + GetFamilies() ([]*OpenMetricFamily, error) + + GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error) + + ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error) + + ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error +} + +type openmetrics struct { + httpfetcher + logger *logp.Logger +} + +type httpfetcher interface { + FetchResponse() (*http.Response, error) +} + +// NewOpenMetricsClient creates new openmetrics helper +func NewOpenMetricsClient(base mb.BaseMetricSet) (OpenMetrics, error) { + httpclient, err := helper.NewHTTP(base) + if err != nil { + return nil, err + } + + httpclient.SetHeaderDefault("Accept", acceptHeader) + httpclient.SetHeaderDefault("Accept-Encoding", "gzip") + return &openmetrics{httpclient, base.Logger()}, nil +} + +// GetFamilies requests metric families from openmetrics endpoint and returns them +func (p *openmetrics) GetFamilies() ([]*OpenMetricFamily, error) { + var reader io.Reader + + resp, err := p.FetchResponse() + if err != nil { + return nil, err + } + defer resp.Body.Close() + + if resp.Header.Get("Content-Encoding") == "gzip" { + greader, err := gzip.NewReader(resp.Body) + if err != nil { + return nil, err + } + defer greader.Close() + reader = greader + } else { + reader = resp.Body + } + + if resp.StatusCode > 399 { + bodyBytes, err := ioutil.ReadAll(reader) + if err == nil { + p.logger.Debug("error received from openmetrics endpoint: ", string(bodyBytes)) + } + return nil, fmt.Errorf("unexpected status code %d from server", resp.StatusCode) + } + + contentType := getContentType(resp.Header) + if contentType == "" { + return nil, fmt.Errorf("Invalid format for response of response") + } + + appendTime := time.Now().Round(0) + b, err := ioutil.ReadAll(reader) + families, err := parseMetricFamilies(b, contentType, appendTime) + + return families, nil +} + +const ( + suffixInfo = "_info" + suffixTotal = "_total" + suffixGCount = "_gcount" + suffixGSum = "_gsum" + suffixCount = "_count" + suffixSum = "_sum" + suffixBucket = "_bucket" +) + +func isInfo(name string) bool { + return len(name) > 5 && name[len(name)-5:] == suffixInfo +} + +// Counters have _total suffix +func isTotal(name string) bool { + return len(name) > 6 && name[len(name)-6:] == suffixTotal +} + +func isGCount(name string) bool { + return len(name) > 7 && name[len(name)-7:] == suffixGCount +} + +func isGSum(name string) bool { + return len(name) > 5 && name[len(name)-5:] == suffixGSum +} + +func isCount(name string) bool { + return len(name) > 6 && name[len(name)-6:] == suffixCount +} + +func isSum(name string) bool { + return len(name) > 4 && name[len(name)-4:] == suffixSum +} + +func isBucket(name string) bool { + return len(name) > 7 && name[len(name)-7:] == suffixBucket +} + +func summaryMetricName(name string, s float64, qv string, lbls string, t *int64, summariesByName map[string]map[string]*OpenMetric) (string, *OpenMetric) { + var summary = &Summary{} + var quantile = []*Quantile{} + var quant = &Quantile{} + + switch { + case isCount(name): + u := uint64(s) + summary.SampleCount = &u + name = name[:len(name)-6] + case isSum(name): + summary.SampleSum = &s + name = name[:len(name)-4] + default: + f, err := strconv.ParseFloat(qv, 64) + if err != nil { + f = -1 + } + quant.Quantile = &f + quant.Value = &s + } + + _, k := summariesByName[name] + if !k { + summariesByName[name] = make(map[string]*OpenMetric) + } + metric, ok := summariesByName[name][lbls] + if !ok { + metric = &OpenMetric{} + metric.Name = &name + metric.Summary = summary + metric.Summary.Quantile = quantile + summariesByName[name][lbls] = metric + } + if metric.Summary.SampleSum == nil && summary.SampleSum != nil { + metric.Summary.SampleSum = summary.SampleSum + } else if metric.Summary.SampleCount == nil && summary.SampleCount != nil { + metric.Summary.SampleCount = summary.SampleCount + } else if quant.Quantile != nil { + metric.Summary.Quantile = append(metric.Summary.Quantile, quant) + } + + return name, metric +} + +func histogramMetricName(name string, s float64, qv string, lbls string, t *int64, isGaugeHistogram bool, e *exemplar.Exemplar, histogramsByName map[string]map[string]*OpenMetric) (string, *OpenMetric) { + var histogram = &Histogram{} + var bucket = []*Bucket{} + var bkt = &Bucket{} + + switch { + case isCount(name): + u := uint64(s) + histogram.SampleCount = &u + name = name[:len(name)-6] + case isSum(name): + histogram.SampleSum = &s + name = name[:len(name)-4] + case isGaugeHistogram && isGCount(name): + u := uint64(s) + histogram.SampleCount = &u + name = name[:len(name)-7] + case isGaugeHistogram && isGSum(name): + histogram.SampleSum = &s + name = name[:len(name)-5] + default: + if isBucket(name) { + name = name[:len(name)-7] + } + f, err := strconv.ParseFloat(qv, 64) + if err != nil { + f = math.MaxUint64 + } + cnt := uint64(s) + bkt.UpperBound = &f + bkt.CumulativeCount = &cnt + + if e != nil { + if !e.HasTs { + e.Ts = *t + } + bkt.Exemplar = e + } + } + + _, k := histogramsByName[name] + if !k { + histogramsByName[name] = make(map[string]*OpenMetric) + } + metric, ok := histogramsByName[name][lbls] + if !ok { + metric = &OpenMetric{} + metric.Name = &name + metric.Histogram = histogram + metric.Histogram.Bucket = bucket + histogramsByName[name][lbls] = metric + } + if metric.Histogram.SampleSum == nil && histogram.SampleSum != nil { + metric.Histogram.SampleSum = histogram.SampleSum + } else if metric.Histogram.SampleCount == nil && histogram.SampleCount != nil { + metric.Histogram.SampleCount = histogram.SampleCount + } else if bkt.UpperBound != nil { + metric.Histogram.Bucket = append(metric.Histogram.Bucket, bkt) + } + + return name, metric +} + +func parseMetricFamilies(b []byte, contentType string, ts time.Time) ([]*OpenMetricFamily, error) { + var ( + parser = textparse.New(b, contentType) + defTime = timestamp.FromTime(ts) + metricFamiliesByName = map[string]*OpenMetricFamily{} + summariesByName = map[string]map[string]*OpenMetric{} + histogramsByName = map[string]map[string]*OpenMetric{} + fam *OpenMetricFamily + mt = textparse.MetricTypeUnknown + ) + var err error + +loop: + for { + var ( + et textparse.Entry + ok bool + e exemplar.Exemplar + ) + if et, err = parser.Next(); err != nil { + if err == io.EOF { + err = nil + } + break + } + switch et { + case textparse.EntryType: + buf, t := parser.Type() + s := string(buf) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Type: t} + metricFamiliesByName[s] = fam + } + mt = t + continue + case textparse.EntryHelp: + buf, t := parser.Help() + s := string(buf) + h := string(t) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Help: &h, Type: textparse.MetricTypeUnknown} + metricFamiliesByName[s] = fam + } + fam.Help = &h + continue + case textparse.EntryUnit: + buf, t := parser.Unit() + s := string(buf) + u := string(t) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Unit: &u, Type: textparse.MetricTypeUnknown} + metricFamiliesByName[string(buf)] = fam + } + fam.Unit = &u + continue + case textparse.EntryComment: + continue + default: + } + + t := defTime + _, tp, v := parser.Series() + + var ( + lset labels.Labels + mets string + ) + + mets = parser.Metric(&lset) + + if !lset.Has(labels.MetricName) { + err = errNameLabelMandatory + break loop + } + + var lbls strings.Builder + lbls.Grow(len(mets)) + var labelPairs = []*labels.Label{} + for _, l := range lset.Copy() { + if l.Name == labels.MetricName { + continue + } + + if l.Name != model.QuantileLabel && l.Name != labels.BucketLabel { // quantile and le are special labels handled below + + lbls.WriteString(l.Name) + lbls.WriteString(l.Value) + } + n := l.Name + v := l.Value + + labelPairs = append(labelPairs, &labels.Label{ + Name: n, + Value: v, + }) + } + + var metric *OpenMetric + + metricName := lset.Get(labels.MetricName) + var lookupMetricName string + var exm *exemplar.Exemplar + + // Suffixes - https://github.com/OpenObservability/OpenMetrics/blob/main/specification/OpenMetrics.md#suffixes + switch mt { + case textparse.MetricTypeCounter: + var counter = &Counter{Value: &v} + mn := lset.Get(labels.MetricName) + metric = &OpenMetric{Name: &mn, Counter: counter, Label: labelPairs} + if isTotal(metricName) { // Remove suffix _total, get lookup metricname + lookupMetricName = metricName[:len(metricName)-6] + } + break + case textparse.MetricTypeGauge: + var gauge = &Gauge{Value: &v} + metric = &OpenMetric{Name: &metricName, Gauge: gauge, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeInfo: + value := int64(v) + var info = &Info{Value: &value} + metric = &OpenMetric{Name: &metricName, Info: info, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeSummary: + lookupMetricName, metric = summaryMetricName(metricName, v, lset.Get(model.QuantileLabel), lbls.String(), &t, summariesByName) + metric.Label = labelPairs + if !isSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeHistogram: + if hasExemplar := parser.Exemplar(&e); hasExemplar { + exm = &e + } + lookupMetricName, metric = histogramMetricName(metricName, v, lset.Get(labels.BucketLabel), lbls.String(), &t, false, exm, histogramsByName) + metric.Label = labelPairs + if !isSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeGaugeHistogram: + if hasExemplar := parser.Exemplar(&e); hasExemplar { + exm = &e + } + lookupMetricName, metric = histogramMetricName(metricName, v, lset.Get(labels.BucketLabel), lbls.String(), &t, true, exm, histogramsByName) + metric.Label = labelPairs + metric.Histogram.IsGaugeHistogram = true + if !isGSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeStateset: + value := int64(v) + var stateset = &Stateset{Value: &value} + metric = &OpenMetric{Name: &metricName, Stateset: stateset, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeUnknown: + var unknown = &Unknown{Value: &v} + metric = &OpenMetric{Name: &metricName, Unknown: unknown, Label: labelPairs} + lookupMetricName = metricName + break + default: + lookupMetricName = metricName + } + + fam, ok = metricFamiliesByName[lookupMetricName] + if !ok { + fam = &OpenMetricFamily{Type: mt} + metricFamiliesByName[lookupMetricName] = fam + } + + fam.Name = &metricName + + if hasExemplar := parser.Exemplar(&e); hasExemplar && mt != textparse.MetricTypeHistogram && metric != nil { + if !e.HasTs { + e.Ts = t + } + metric.Exemplar = &e + } + + if tp != nil && metric != nil { + t = *tp + metric.TimestampMs = &t + } + + fam.Metric = append(fam.Metric, metric) + } + + families := make([]*OpenMetricFamily, 0, len(metricFamiliesByName)) + for _, v := range metricFamiliesByName { + if v.Metric != nil { + families = append(families, v) + } + } + return families, nil +} + +// MetricsMapping defines mapping settings for OpenMetrics metrics, to be used with `GetProcessedMetrics` +type MetricsMapping struct { + // Metrics translates from openmetrics metric name to Metricbeat fields + Metrics map[string]MetricMap + + // Namespace for metrics managed by this mapping + Namespace string + + // Labels translate from openmetrics label names to Metricbeat fields + Labels map[string]LabelMap + + // ExtraFields adds the given fields to all events coming from `GetProcessedMetrics` + ExtraFields map[string]string +} + +func (p *openmetrics) ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error) { + + eventsMap := map[string]common.MapStr{} + infoMetrics := []*infoMetricData{} + for _, family := range families { + for _, metric := range family.GetMetric() { + m, ok := mapping.Metrics[family.GetName()] + if m == nil || !ok { + // Ignore unknown metrics + continue + } + + field := m.GetField() + value := m.GetValue(metric) + + // Ignore retrieval errors (bad conf) + if value == nil { + continue + } + + storeAllLabels := false + labelsLocation := "" + var extraFields common.MapStr + if m != nil { + c := m.GetConfiguration() + storeAllLabels = c.StoreNonMappedLabels + labelsLocation = c.NonMappedLabelsPlacement + extraFields = c.ExtraFields + } + + // Apply extra options + allLabels := getLabels(metric) + for _, option := range m.GetOptions() { + field, value, allLabels = option.Process(field, value, allLabels) + } + + // Convert labels + labels := common.MapStr{} + keyLabels := common.MapStr{} + for k, v := range allLabels { + if l, ok := mapping.Labels[k]; ok { + if l.IsKey() { + keyLabels.Put(l.GetField(), v) + } else { + labels.Put(l.GetField(), v) + } + } else if storeAllLabels { + // if label for this metric is not found at the label mappings but + // it is configured to store any labels found, make it so + labels.Put(labelsLocation+"."+k, v) + } + } + + // if extra fields have been added through metric configuration + // add them to labels. + // + // not considering these extra fields to be keylabels as that case + // have not appeared yet + for k, v := range extraFields { + labels.Put(k, v) + } + + // Keep a info document if it's an infoMetric + if _, ok = m.(*infoMetric); ok { + labels.DeepUpdate(keyLabels) + infoMetrics = append(infoMetrics, &infoMetricData{ + Labels: keyLabels, + Meta: labels, + }) + continue + } + + if field != "" { + event := getEvent(eventsMap, keyLabels) + update := common.MapStr{} + update.Put(field, value) + // value may be a mapstr (for histograms and summaries), do a deep update to avoid smashing existing fields + event.DeepUpdate(update) + + event.DeepUpdate(labels) + } + } + } + + // populate events array from values in eventsMap + events := make([]common.MapStr, 0, len(eventsMap)) + for _, event := range eventsMap { + // Add extra fields + for k, v := range mapping.ExtraFields { + event[k] = v + } + events = append(events, event) + } + + // fill info from infoMetrics + for _, info := range infoMetrics { + for _, event := range events { + found := true + for k, v := range info.Labels.Flatten() { + value, err := event.GetValue(k) + if err != nil || v != value { + found = false + break + } + } + + // fill info from this metric + if found { + event.DeepUpdate(info.Meta) + } + } + } + + return events, nil +} + +func (p *openmetrics) GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error) { + families, err := p.GetFamilies() + if err != nil { + return nil, err + } + return p.ProcessMetrics(families, mapping) +} + +// infoMetricData keeps data about an infoMetric +type infoMetricData struct { + Labels common.MapStr + Meta common.MapStr +} + +func (p *openmetrics) ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error { + events, err := p.GetProcessedMetrics(mapping) + if err != nil { + return errors.Wrap(err, "error getting processed metrics") + } + for _, event := range events { + r.Event(mb.Event{ + MetricSetFields: event, + Namespace: mapping.Namespace, + }) + } + + return nil +} + +func getEvent(m map[string]common.MapStr, labels common.MapStr) common.MapStr { + hash := labels.String() + res, ok := m[hash] + if !ok { + res = labels + m[hash] = res + } + return res +} + +func getLabels(metric *OpenMetric) common.MapStr { + labels := common.MapStr{} + for _, label := range metric.GetLabel() { + if label.Name != "" && label.Value != "" { + labels.Put(label.Name, label.Value) + } + } + return labels +} + +// CompilePatternList compiles a pattern list and returns the list of the compiled patterns +func CompilePatternList(patterns *[]string) ([]*regexp.Regexp, error) { + var compiledPatterns []*regexp.Regexp + compiledPatterns = []*regexp.Regexp{} + if patterns != nil { + for _, pattern := range *patterns { + r, err := regexp.Compile(pattern) + if err != nil { + return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern) + } + compiledPatterns = append(compiledPatterns, r) + } + return compiledPatterns, nil + } + return []*regexp.Regexp{}, nil +} + +// MatchMetricFamily checks if the given family/metric name matches any of the given patterns +func MatchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool { + for _, checkMetric := range matchMetrics { + matched := checkMetric.MatchString(family) + if matched { + return true + } + } + return false +} + +const ( + TextVersion = "0.0.4" + OpenMetricsType = `application/openmetrics-text` + + // The Content-Type values for the different wire protocols. + FmtUnknown string = `` + FmtText string = `text/plain; version=` + TextVersion + `; charset=utf-8` +) + +const ( + hdrContentType = "Content-Type" +) + +func getContentType(h http.Header) string { + ct := h.Get(hdrContentType) + + mediatype, params, err := mime.ParseMediaType(ct) + if err != nil { + return FmtUnknown + } + + const textType = "text/plain" + + switch mediatype { + case OpenMetricsType: + if e, ok := params["encoding"]; ok && e != "delimited" { + return FmtUnknown + } + return OpenMetricsType + + case textType: + if v, ok := params["version"]; ok && v != TextVersion { + return FmtUnknown + } + return FmtText + } + + return FmtUnknown +} diff --git a/metricbeat/helper/openmetrics/openmetrics_test.go b/metricbeat/helper/openmetrics/openmetrics_test.go new file mode 100644 index 000000000000..5ebf1903c0f5 --- /dev/null +++ b/metricbeat/helper/openmetrics/openmetrics_test.go @@ -0,0 +1,1093 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "bytes" + "compress/gzip" + "io/ioutil" + "net/http" + "sort" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" +) + +const ( + openMetricsTestSamples = `# TYPE first_metric gauge +first_metric{label1="value1",label2="value2",label3="Value3",label4="FOO"} 1 +# TYPE second_metric gauge +second_metric{label1="value1",label3="othervalue"} 0 +# TYPE summary_metric summary +summary_metric{quantile="0.5"} 29735 +summary_metric{quantile="0.9"} 47103 +summary_metric{quantile="0.99"} 50681 +summary_metric_sum 234892394 +summary_metric_count 44000 +# TYPE histogram_metric histogram +histogram_metric_bucket{le="1000"} 1 +histogram_metric_bucket{le="10000"} 1 +histogram_metric_bucket{le="100000"} 1 +histogram_metric_bucket{le="1e+06"} 1 +histogram_metric_bucket{le="1e+08"} 1 +histogram_metric_bucket{le="1e+09"} 1 +histogram_metric_bucket{le="+Inf"} 1 +histogram_metric_sum 117 +histogram_metric_count 1 +# TYPE histogram_decimal_metric histogram +histogram_decimal_metric_bucket{le="0.001"} 1 +histogram_decimal_metric_bucket{le="0.01"} 1 +histogram_decimal_metric_bucket{le="0.1"} 2 +histogram_decimal_metric_bucket{le="1"} 3 +histogram_decimal_metric_bucket{le="+Inf"} 5 +histogram_decimal_metric_sum 4.31 +histogram_decimal_metric_count 5 +# TYPE gaugehistogram_metric gaugehistogram +gaugehistogram_metric_bucket{le="0.01"} 20.0 +gaugehistogram_metric_bucket{le="0.1"} 25.0 +gaugehistogram_metric_bucket{le="1"} 34.0 +gaugehistogram_metric_bucket{le="10"} 34.0 +gaugehistogram_metric_bucket{le="+Inf"} 42.0 +gaugehistogram_metric_gcount 42.0 +gaugehistogram_metric_gsum 3289.3 +gaugehistogram_metric_created 1520430000.123 +# TYPE target info +target_info 1 +# TYPE target_with_labels info +target_with_labels_info{env="prod",hostname="myhost"} 1 +` + + openMetricsGaugeKeyLabel = `# TYPE metrics_one_count_total gauge +metrics_one_count_total{name="jane",surname="foster"} 1 +metrics_one_count_total{name="john",surname="williams"} 2 +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + openMetricsGaugeKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors gauge +metrics_one_count_errors{name="jane",surname="foster"} 0 +# TYPE metrics_one_count_total gauge +metrics_one_count_total{name="jane",surname="foster"} NaN +metrics_one_count_total{name="foo",surname="bar"} +Inf +metrics_one_count_total{name="john",surname="williams"} -Inf +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + openMetricsCounterKeyLabel = `# TYPE metrics_one_count_total counter +metrics_one_count_total{name="jane",surname="foster"} 1 +metrics_one_count_total{name="john",surname="williams"} 2 +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + openMetricsCounterKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors counter +metrics_one_count_errors{name="jane",surname="foster"} 1 +# TYPE metrics_one_count_total counter +metrics_one_count_total{name="jane",surname="foster"} NaN +metrics_one_count_total{name="john",surname="williams"} +Inf +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 + +` + + openMetricsHistogramKeyLabel = `# TYPE metrics_one_midichlorians histogram +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} 52 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} 70 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} 78 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86 +metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001 +metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="2000"} 16 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="4000"} 20 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="8000"} 23 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="16000"} 27 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="32000"} 27 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="+Inf"} 28 +metrics_one_midichlorians_sum{rank="padawan",alive="yes"} 800001 +metrics_one_midichlorians_count{rank="padawan",alive="yes"} 28 +` + + openMetricsHistogramKeyLabelWithNaNInf = `# TYPE metrics_one_midichlorians histogram +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} NaN +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} +Inf +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} -Inf +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86 +metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001 +metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86 +` + + openMetricsSummaryKeyLabel = `# TYPE metrics_force_propagation_ms summary +metrics_force_propagation_ms{kind="jedi",quantile="0"} 35 +metrics_force_propagation_ms{kind="jedi",quantile="0.25"} 22 +metrics_force_propagation_ms{kind="jedi",quantile="0.5"} 7 +metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20 +metrics_force_propagation_ms{kind="jedi",quantile="1"} 30 +metrics_force_propagation_ms_sum{kind="jedi"} 89 +metrics_force_propagation_ms_count{kind="jedi"} 651 +metrics_force_propagation_ms{kind="sith",quantile="0"} 30 +metrics_force_propagation_ms{kind="sith",quantile="0.25"} 20 +metrics_force_propagation_ms{kind="sith",quantile="0.5"} 12 +metrics_force_propagation_ms{kind="sith",quantile="0.75"} 21 +metrics_force_propagation_ms{kind="sith",quantile="1"} 29 +metrics_force_propagation_ms_sum{kind="sith"} 112 +metrics_force_propagation_ms_count{kind="sith"} 711 +` + + openMetricsSummaryKeyLabelWithNaNInf = `# TYPE metrics_force_propagation_ms summary +metrics_force_propagation_ms{kind="jedi",quantile="0"} NaN +metrics_force_propagation_ms{kind="jedi",quantile="0.25"} +Inf +metrics_force_propagation_ms{kind="jedi",quantile="0.5"} -Inf +metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20 +metrics_force_propagation_ms{kind="jedi",quantile="1"} 30 +metrics_force_propagation_ms_sum{kind="jedi"} 50 +metrics_force_propagation_ms_count{kind="jedi"} 651 +` + + openMetricsGaugeLabeled = `# TYPE metrics_that_inform_labels gauge +metrics_that_inform_labels{label1="I am 1",label2="I am 2"} 1 +metrics_that_inform_labels{label1="I am 1",label3="I am 3"} 1 +# TYPE metrics_that_use_labels gauge +metrics_that_use_labels{label1="I am 1"} 20 +` + openMetricsStateset = `# TYPE enable_category stateset +enable_category{category="shoes"} 0 +enable_category{category="collectibles"} 1 +` +) + +type mockFetcher struct { + response string +} + +var _ = httpfetcher(&mockFetcher{}) + +// FetchResponse returns an HTTP response but for the Body, which +// returns the mockFetcher.Response contents +func (m mockFetcher) FetchResponse() (*http.Response, error) { + body := bytes.NewBuffer(nil) + writer := gzip.NewWriter(body) + writer.Write([]byte(m.response)) + writer.Close() + + return &http.Response{ + StatusCode: 200, + Header: http.Header{ + "Content-Encoding": []string{"gzip"}, + "Content-Type": []string{"application/openmetrics-text"}, + }, + Body: ioutil.NopCloser(body), + }, nil +} + +func TestOpenMetrics(t *testing.T) { + + p := &openmetrics{mockFetcher{response: openMetricsTestSamples}, logp.NewLogger("test")} + + tests := []struct { + mapping *MetricsMapping + msg string + expected []common.MapStr + }{ + { + msg: "Simple field map", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + }, + }, + }, + { + msg: "Simple field map with labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + "label2": Label("labels.label2"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "labels": common.MapStr{ + "label1": "value1", + "label2": "value2", + }, + }, + }, + }, + { + msg: "Several metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + "second_metric": Metric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label3": KeyLabel("labels.label3"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "labels": common.MapStr{ + "label3": "Value3", + }, + }, + common.MapStr{ + "second": common.MapStr{ + "metric": 0.0, + }, + "labels": common.MapStr{ + "label3": "othervalue", + }, + }, + }, + }, + { + msg: "Grouping by key labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + "second_metric": Metric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + "label2": Label("labels.label2"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "second": common.MapStr{ + "metric": 0.0, + }, + "labels": common.MapStr{ + "label1": "value1", + "label2": "value2", + }, + }, + }, + }, + { + msg: "Keyword metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": KeywordMetric("first.metric", "works"), + "second_metric": KeywordMetric("second.metric", "itsnot"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "works", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Boolean metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": BooleanMetric("first.metric"), + "second_metric": BooleanMetric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": true, + }, + "second": common.MapStr{ + "metric": false, + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label3"), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "Value3", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, lowercase", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue()), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "foo", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, filter", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpFilterMap( + "label1", + map[string]string{"value1": "foo"}, + )), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": common.MapStr{ + "foo": "FOO", + }, + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, filter", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue(), OpFilterMap( + "foo", + map[string]string{"Filtered": "filtered"}, + )), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{}, + }, + { + msg: "Summary metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "summary_metric": Metric("summary.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "summary": common.MapStr{ + "metric": common.MapStr{ + "sum": 234892394.0, + "count": uint64(44000), + "percentile": common.MapStr{ + "50": 29735.0, + "90": 47103.0, + "99": 50681.0, + }, + }, + }, + }, + }, + }, + { + msg: "Histogram metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "histogram_metric": Metric("histogram.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "histogram": common.MapStr{ + "metric": common.MapStr{ + "count": uint64(1), + "bucket": common.MapStr{ + "1000000000": uint64(1), + "+Inf": uint64(1), + "1000": uint64(1), + "10000": uint64(1), + "100000": uint64(1), + "1000000": uint64(1), + "100000000": uint64(1), + }, + "sum": 117.0, + }, + }, + }, + }, + }, + { + msg: "Histogram decimal metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "histogram_decimal_metric": Metric("histogram.metric", OpMultiplyBuckets(1000)), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "histogram": common.MapStr{ + "metric": common.MapStr{ + "count": uint64(5), + "bucket": common.MapStr{ + "1": uint64(1), + "10": uint64(1), + "100": uint64(2), + "1000": uint64(3), + "+Inf": uint64(5), + }, + "sum": 4310.0, + }, + }, + }, + }, + }, + { + msg: "Gauge histogram metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "gaugehistogram_metric": Metric("gaugehistogram.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "gaugehistogram": common.MapStr{ + "metric": common.MapStr{ + "gcount": uint64(42), + "bucket": common.MapStr{ + "0.01": uint64(20), + "0.1": uint64(25), + "1": uint64(34), + "10": uint64(34), + "+Inf": uint64(42), + }, + "gsum": 3289.3, + }, + }, + }, + }, + }, + { + msg: "Info metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "target_info": Metric("target_info.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "target_info": common.MapStr{ + "metric": int64(1), + }, + }, + }, + }, + { + msg: "Info metric with labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "target_with_labels_info": Metric("target_with_labels_info.metric"), + }, + Labels: map[string]LabelMap{ + "env": Label("labels.env"), + "hostname": Label("labels.hostname"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "target_with_labels_info": common.MapStr{ + "metric": int64(1), + }, + "labels": common.MapStr{ + "env": "prod", + "hostname": "myhost", + }, + }, + }, + }, + } + + for _, test := range tests { + t.Run(test.msg, func(t *testing.T) { + reporter := &mbtest.CapturingReporterV2{} + p.ReportProcessedMetrics(test.mapping, reporter) + assert.Nil(t, reporter.GetErrors(), test.msg) + // Sort slice to avoid randomness + res := reporter.GetEvents() + sort.Slice(res, func(i, j int) bool { + return res[i].MetricSetFields.String() < res[j].MetricSetFields.String() + }) + assert.Equal(t, len(test.expected), len(res)) + for j, ev := range res { + assert.Equal(t, test.expected[j], ev.MetricSetFields, test.msg) + } + }) + } +} + +func TestOpenMetricsKeyLabels(t *testing.T) { + + testCases := []struct { + testName string + openmetricsResponse string + mapping *MetricsMapping + expectedEvents []common.MapStr + }{ + { + testName: "Test gauge with KeyLabel", + openmetricsResponse: openMetricsGaugeKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 1.0, + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 2.0, + "labels": common.MapStr{ + "name": "john", + "surname": "williams", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 3.0, + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test gauge with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsGaugeKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_errors": Metric("metrics.one.count"), + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 0.0, + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 3.0, + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test counter with KeyLabel", + openmetricsResponse: openMetricsCounterKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(2), + "labels": common.MapStr{ + "name": "john", + "surname": "williams", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(3), + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test counter with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsCounterKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_errors": Metric("metrics.one.count"), + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(3), + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test histogram with KeyLabel", + openmetricsResponse: openMetricsHistogramKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), + }, + Labels: map[string]LabelMap{ + "rank": KeyLabel("metrics.one.midichlorians.rank"), + "alive": KeyLabel("metrics.one.midichlorians.alive"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(86), + "sum": 1000001.0, + "bucket": common.MapStr{ + "2000": uint64(52), + "4000": uint64(70), + "8000": uint64(78), + "16000": uint64(84), + "32000": uint64(86), + "+Inf": uint64(86), + }, + + "rank": "youngling", + "alive": "yes", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(28), + "sum": 800001.0, + "bucket": common.MapStr{ + "2000": uint64(16), + "4000": uint64(20), + "8000": uint64(23), + "16000": uint64(27), + "32000": uint64(27), + "+Inf": uint64(28), + }, + "rank": "padawan", + "alive": "yes", + }, + }, + }, + }, + }, + }, + + { + testName: "Test histogram with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsHistogramKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), + }, + Labels: map[string]LabelMap{ + "rank": KeyLabel("metrics.one.midichlorians.rank"), + "alive": KeyLabel("metrics.one.midichlorians.alive"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(86), + "sum": 1000001.0, + "bucket": common.MapStr{ + "16000": uint64(84), + "32000": uint64(86), + "+Inf": uint64(86), + }, + + "rank": "youngling", + "alive": "yes", + }, + }, + }, + }, + }, + }, + + { + testName: "Test summary with KeyLabel", + openmetricsResponse: openMetricsSummaryKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), + }, + Labels: map[string]LabelMap{ + "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(651), + "sum": 89.0, + "percentile": common.MapStr{ + "0": 35.0, + "25": 22.0, + "50": 7.0, + "75": 20.0, + "100": 30.0, + }, + "labels": common.MapStr{ + "kind": "jedi", + }, + }, + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(711), + "sum": 112.0, + "percentile": common.MapStr{ + "0": 30.0, + "25": 20.0, + "50": 12.0, + "75": 21.0, + "100": 29.0, + }, + "labels": common.MapStr{ + "kind": "sith", + }, + }, + }, + }, + }, + }, + }, + }, + + { + testName: "Test summary with KeyLabel With NaN Inf", + openmetricsResponse: openMetricsSummaryKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), + }, + Labels: map[string]LabelMap{ + "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(651), + "sum": 50.0, + "percentile": common.MapStr{ + "75": 20.0, + "100": 30.0, + }, + "labels": common.MapStr{ + "kind": "jedi", + }, + }, + }, + }, + }, + }, + }, + }, + + { + testName: "Test gauge InfoMetrics using ExtendedInfoMetric", + openmetricsResponse: openMetricsGaugeLabeled, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "metrics.other_labels"}), + "metrics_that_use_labels": Metric("metrics.value"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("metrics.label1"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "value": 20.0, + "label1": "I am 1", + "other_labels": common.MapStr{ + "label2": "I am 2", + "label3": "I am 3", + }, + }, + }, + }, + }, + { + testName: "Test gauge InfoMetrics using ExtendedInfoMetric and extra fields", + openmetricsResponse: openMetricsGaugeLabeled, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{ + StoreNonMappedLabels: true, + NonMappedLabelsPlacement: "metrics.other_labels", + ExtraFields: common.MapStr{ + "metrics.extra.field1": "extra1", + "metrics.extra.field2": "extra2", + }}), + "metrics_that_use_labels": Metric("metrics.value"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("metrics.label1"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "value": 20.0, + "label1": "I am 1", + "other_labels": common.MapStr{ + "label2": "I am 2", + "label3": "I am 3", + }, + "extra": common.MapStr{ + "field1": "extra1", + "field2": "extra2", + }, + }, + }, + }, + }, + { + testName: "Stateset metric with labels", + openmetricsResponse: openMetricsStateset, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "enable_category": Metric("metrics.count"), + }, + Labels: map[string]LabelMap{ + "category": KeyLabel("metrics.labels.category"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "count": int64(0), + "labels": common.MapStr{ + "category": "shoes", + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "category": "collectibles", + }, + }, + }, + }, + }, + } + + for _, tc := range testCases { + r := &mbtest.CapturingReporterV2{} + p := &openmetrics{mockFetcher{response: tc.openmetricsResponse}, logp.NewLogger("test")} + p.ReportProcessedMetrics(tc.mapping, r) + if !assert.Nil(t, r.GetErrors(), + "error reporting/processing metrics, at %q", tc.testName) { + continue + } + + events := r.GetEvents() + if !assert.Equal(t, len(tc.expectedEvents), len(events), + "number of returned events doesn't match expected, at %q", tc.testName) { + continue + } + + // Sort slices of received and expeected to avoid unmatching + sort.Slice(events, func(i, j int) bool { + return events[i].MetricSetFields.String() < events[j].MetricSetFields.String() + }) + sort.Slice(tc.expectedEvents, func(i, j int) bool { + return tc.expectedEvents[i].String() < tc.expectedEvents[j].String() + }) + + for i := range events { + if !assert.Equal(t, tc.expectedEvents[i], events[i].MetricSetFields, + "mismatch at event #%d, at %q", i, tc.testName) { + + continue + } + } + } +} diff --git a/metricbeat/mb/testing/testdata.go b/metricbeat/mb/testing/testdata.go index 6e398e8e8f96..e5b853d570ea 100644 --- a/metricbeat/mb/testing/testdata.go +++ b/metricbeat/mb/testing/testdata.go @@ -43,6 +43,7 @@ import ( const ( expectedExtension = "-expected.json" + applicationJson = "application/json" ) // DataConfig is the configuration for testdata tests @@ -75,6 +76,9 @@ type DataConfig struct { // URL of the endpoint that must be tested depending on each module URL string + // ContentType of the data being returned by server + ContentType string `yaml:"content_type"` + // Suffix is the extension of the source file with the input contents. Defaults to `json`, `plain` is also a common use. Suffix string @@ -107,9 +111,10 @@ type DataConfig struct { func defaultDataConfig() DataConfig { return DataConfig{ - Path: ".", - WritePath: ".", - Suffix: "json", + Path: ".", + WritePath: ".", + Suffix: "json", + ContentType: applicationJson, } } @@ -189,7 +194,7 @@ func TestMetricsetFieldsDocumented(t *testing.T, metricSet mb.MetricSet, events func runTest(t *testing.T, file string, module, metricSetName string, config DataConfig) { // starts a server serving the given file under the given url - s := server(t, file, config.URL) + s := server(t, file, config.URL, config.ContentType) defer s.Close() moduleConfig := getConfig(module, metricSetName, s.URL, config) @@ -440,7 +445,7 @@ func getConfig(module, metricSet, url string, config DataConfig) map[string]inte } // server starts a server with a mock output -func server(t *testing.T, path string, url string) *httptest.Server { +func server(t *testing.T, path string, url string, contentType string) *httptest.Server { body, err := ioutil.ReadFile(path) if err != nil { @@ -455,7 +460,7 @@ func server(t *testing.T, path string, url string) *httptest.Server { } if r.URL.Path+query == url { - w.Header().Set("Content-Type", "application/json;") + w.Header().Set("Content-Type", contentType) w.WriteHeader(200) w.Write(body) } else { diff --git a/metricbeat/module/openmetrics/_meta/fields.yml b/metricbeat/module/openmetrics/_meta/fields.yml index c83c99f13630..12592096f5e0 100644 --- a/metricbeat/module/openmetrics/_meta/fields.yml +++ b/metricbeat/module/openmetrics/_meta/fields.yml @@ -7,18 +7,41 @@ fields: - name: openmetrics type: group + release: beta description: > `openmetrics` contains metrics from endpoints that are following Openmetrics format. fields: # Order is important here, labels will match first, the rest are double + - name: help + type: keyword + description: > + Brief description of the MetricFamily + - name: type + type: keyword + description: > + Metric type + - name: unit + type: keyword + description: > + Metric unit - name: labels.* type: object object_type: keyword description: > - Prometheus metric labels + Openmetrics metric labels - name: metrics.* type: object object_type: double object_type_mapping_type: "*" description: > - Prometheus metric + Openmetrics metric + - name: exemplar.* + type: object + object_type: keyword + description: > + Openmetrics exemplars + - name: exemplar.labels.* + type: object + object_type: keyword + description: > + Openmetrics metric exemplar labels diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json index d20778fec4a1..668e6a887512 100644 --- a/metricbeat/module/openmetrics/collector/_meta/data.json +++ b/metricbeat/module/openmetrics/collector/_meta/data.json @@ -15,11 +15,11 @@ "job": "openmetrics" }, "metrics": { - "node_network_carrier": 0 + "up": 1 } }, "service": { "address": "127.0.0.1:55555", "type": "openmetrics" } -} \ No newline at end of file +} diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml new file mode 100644 index 000000000000..a8369b90cf22 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml @@ -0,0 +1,8 @@ +type: http +url: "/metrics" +content_type: "application/openmetrics-text" +suffix: plain +remove_fields_from_comparison: ["openmetrics.labels.instance"] +module: + enable_exemplars: false + enable_metadata: false diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain new file mode 100644 index 000000000000..d5f0fd96fab9 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain @@ -0,0 +1,6 @@ +# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name. +# TYPE net_conntrack_listener_conn_accepted counter +net_conntrack_listener_conn_accepted_total{listener_name="http"} 3 +# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name. +# TYPE net_conntrack_listener_conn_closed counter +net_conntrack_listener_conn_closed_total{listener_name="http"} 0 diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json new file mode 100644 index 000000000000..e1244391ba74 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json @@ -0,0 +1,52 @@ +[ + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "up": 1 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" + }, + "metrics": { + "net_conntrack_listener_conn_accepted_total": 3, + "net_conntrack_listener_conn_closed_total": 0 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + } +] diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml index a5d8ee128afe..37f3a8443ac5 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml @@ -1,4 +1,8 @@ type: http url: "/metrics" +content_type: "application/openmetrics-text" suffix: plain remove_fields_from_comparison: ["openmetrics.labels.instance"] +module: + enable_exemplars: true + enable_metadata: true diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain index 47c3b38aedbe..d5f0fd96fab9 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain @@ -1,11 +1,6 @@ -# HELP node_network_carrier carrier value of /sys/class/net/. -# TYPE node_network_carrier gauge -node_network_carrier{device="br-0cb306323b90"} 0 -node_network_carrier{device="br-10229e3512d9"} 0 -node_network_carrier{device="br-210476dc4ef8"} 0 -node_network_carrier{device="br-33d819d5f834"} 0 -node_network_carrier{device="br-38425a39f36b"} 0 -node_network_carrier{device="br-38feb0aad6ab"} 0 -node_network_carrier{device="br-3a285aa5e58c"} 0 -node_network_carrier{device="br-425cb4c454a6"} 0 -node_network_carrier{device="br-4e623477470e"} 0 +# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name. +# TYPE net_conntrack_listener_conn_accepted counter +net_conntrack_listener_conn_accepted_total{listener_name="http"} 3 +# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name. +# TYPE net_conntrack_listener_conn_closed counter +net_conntrack_listener_conn_closed_total{listener_name="http"} 0 diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json index 16f5001ba5e6..04dd247087df 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json @@ -11,137 +11,13 @@ }, "openmetrics": { "labels": { - "device": "br-10229e3512d9", - "instance": "127.0.0.1:50135", + "instance": "127.0.0.1:55922", "job": "openmetrics" }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-425cb4c454a6", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-38425a39f36b", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "instance": "127.0.0.1:50135", - "job": "prometheus" - }, "metrics": { "up": 1 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-33d819d5f834", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-4e623477470e", - "instance": "127.0.0.1:50135", - "job": "openmetrics" }, - "metrics": { - "node_network_carrier": 0 - } + "type":"gauge" }, "service": { "address": "127.0.0.1:55555", @@ -159,39 +35,16 @@ "period": 10000 }, "openmetrics": { + "help": "Total number of connections opened to the listener of a given name.", "labels": { - "device": "br-210476dc4ef8", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" }, "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-0cb306323b90", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "net_conntrack_listener_conn_accepted_total": 3 }, - "metrics": { - "node_network_carrier": 0 - } + "type":"counter" }, "service": { "address": "127.0.0.1:55555", @@ -209,43 +62,20 @@ "period": 10000 }, "openmetrics": { + "help": "Total number of connections closed that were made to the listener of a given name.", "labels": { - "device": "br-38feb0aad6ab", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" }, "metrics": { - "node_network_carrier": 0 - } - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "device": "br-3a285aa5e58c", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "net_conntrack_listener_conn_closed_total": 0 }, - "metrics": { - "node_network_carrier": 0 - } + "type":"counter" }, "service": { "address": "127.0.0.1:55555", "type": "openmetrics" } } -] \ No newline at end of file +] diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain new file mode 100644 index 000000000000..eb046b4b71d6 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain @@ -0,0 +1,23 @@ +# HELP my_counter_last_increment_timestamp_milliseconds When my_counter was last incremented +# TYPE my_counter_last_increment_timestamp_milliseconds gauge +# UNIT my_counter_last_increment_timestamp_milliseconds milliseconds +my_counter_last_increment_timestamp_milliseconds 123 +# TYPE disk_errors counter +# HELP disk_errors Count total disk errors +disk_errors_total{type="netapp"} 17.0 1520879607.789 +# TYPE app info +app_info{name="open metrics collector",version="6.3.9"} 1 +# TYPE collector info +collector_info{name="metrics collector",version="8.2.7"} 1 1622329674 +# TYPE enable_category stateset +enable_category{category="shoes"} 0 +enable_category{category="shirts"} 1 +enable_category{category="shades"} 0 +# TYPE connection_errors unknown +connection_errors 42 +# TYPE cnt_rulefires_deployment counter +cnt_rulefires_deployment_total 66666.0 # {trace_id="KOO5S4vxi0o"} 0.67 +# TYPE process_cpu_seconds counter +# UNIT process_cpu_seconds seconds +# HELP process_cpu_seconds Total user and system CPU time spent in seconds. Exemplar with timestamp and labels. +process_cpu_seconds_total{entity="controller",build="8.2.7"} 11111 1622301927 # {trace_id="0d482-ac43e-d9320-debfe"} 17.0 1622302012 diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json new file mode 100644 index 000000000000..ce7febdc874c --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json @@ -0,0 +1,305 @@ +[ + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "help": "When my_counter was last incremented", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "my_counter_last_increment_timestamp_milliseconds": 123 + }, + "type":"gauge", + "unit":"milliseconds" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "up": 1 + }, + "type":"gauge" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "help": "Count total disk errors", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "type": "netapp" + }, + "metrics": { + "disk_errors_total": 17 + }, + "type":"counter" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "name": "open metrics collector", + "version": "6.3.9" + }, + "metrics": { + "app_info": 1 + }, + "type":"info" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "name": "metrics collector", + "version": "8.2.7" + }, + "metrics": { + "collector_info": 1 + }, + "type":"info" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shoes" + }, + "metrics": { + "enable_category": 0 + }, + "type":"stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shirts" + }, + "metrics": { + "enable_category": 1 + }, + "type":"stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shades" + }, + "metrics": { + "enable_category": 0 + }, + "type":"stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "connection_errors": 42 + }, + "type":"unknown" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "exemplar": { + "cnt_rulefires_deployment_total":0.67, + "labels": { + "trace_id":"KOO5S4vxi0o" + } + }, + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "cnt_rulefires_deployment_total": 66666 + }, + "type":"counter" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "exemplar": { + "labels": { + "trace_id": "0d482-ac43e-d9320-debfe" + }, + "process_cpu_seconds_total": 17, + "timestamp": 1622302012000 + }, + "help": "Total user and system CPU time spent in seconds. Exemplar with timestamp and labels.", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "entity": "controller", + "build": "8.2.7" + }, + "metrics": { + "process_cpu_seconds_total": 11111 + }, + "type":"counter", + "unit":"seconds" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + } +] diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go index 6ce25dc90688..ab54dca1cfa5 100644 --- a/metricbeat/module/openmetrics/collector/collector.go +++ b/metricbeat/module/openmetrics/collector/collector.go @@ -18,9 +18,16 @@ package collector import ( + "regexp" + + "github.com/pkg/errors" + "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + + "github.com/elastic/beats/v7/libbeat/common" + p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" - "github.com/elastic/beats/v7/metricbeat/module/prometheus/collector" ) const ( @@ -29,14 +36,246 @@ const ( ) var ( + // HostParser parses a OpenMetrics endpoint URL hostParser = parse.URLHostParserBuilder{ DefaultScheme: defaultScheme, DefaultPath: defaultPath, + PathConfigKey: "metrics_path", }.Build() + + upMetricName = "up" + upMetricType = textparse.MetricTypeGauge + upMetricInstanceLabel = "instance" + upMetricJobLabel = "job" + upMetricJobValue = "openmetrics" ) func init() { mb.Registry.MustAddMetricSet("openmetrics", "collector", - collector.MetricSetBuilder("openmetrics", collector.DefaultPromEventsGeneratorFactory), - mb.WithHostParser(hostParser)) + MetricSetBuilder("openmetrics", DefaultOpenMetricsEventsGeneratorFactory), + mb.WithHostParser(hostParser), + mb.DefaultMetricSet(), + ) +} + +// OpenMetricsEventsGenerator converts a OpenMetrics metric family into a OpenMetricEvent list +type OpenMetricsEventsGenerator interface { + // Start must be called before using the generator + Start() + + // converts a OpenMetrics metric family into a list of OpenMetricsEvents + GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent + + // Stop must be called when the generator won't be used anymore + Stop() +} + +// OpenMetricsEventsGeneratorFactory creates a OpenMetricsEventsGenerator when instanciating a metricset +type OpenMetricsEventsGeneratorFactory func(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) + +// MetricSet for fetching openmetrics data +type MetricSet struct { + mb.BaseMetricSet + openmetrics p.OpenMetrics + includeMetrics []*regexp.Regexp + excludeMetrics []*regexp.Regexp + namespace string + openMetricsEventsGen OpenMetricsEventsGenerator + host string + eventGenStarted bool + enableExemplars bool + enableMetadata bool +} + +// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using +// the given namespace and event generator +func MetricSetBuilder(namespace string, genFactory OpenMetricsEventsGeneratorFactory) func(base mb.BaseMetricSet) (mb.MetricSet, error) { + return func(base mb.BaseMetricSet) (mb.MetricSet, error) { + config := defaultConfig + if err := base.Module().UnpackConfig(&config); err != nil { + return nil, err + } + openmetrics, err := p.NewOpenMetricsClient(base) + if err != nil { + return nil, err + } + + openMetricsEventsGen, err := genFactory(base) + if err != nil { + return nil, err + } + + ms := &MetricSet{ + BaseMetricSet: base, + openmetrics: openmetrics, + namespace: namespace, + openMetricsEventsGen: openMetricsEventsGen, + eventGenStarted: false, + enableExemplars: config.EnableExemplars, + enableMetadata: config.EnableMetadata, + } + // store host here to use it as a pointer when building `up` metric + ms.host = ms.Host() + ms.excludeMetrics, err = p.CompilePatternList(config.MetricsFilters.ExcludeMetrics) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile exclude patterns") + } + ms.includeMetrics, err = p.CompilePatternList(config.MetricsFilters.IncludeMetrics) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile include patterns") + } + + return ms, nil + } +} + +// Fetch fetches data and reports it +func (m *MetricSet) Fetch(reporter mb.ReporterV2) error { + if !m.eventGenStarted { + m.openMetricsEventsGen.Start() + m.eventGenStarted = true + } + + families, err := m.openmetrics.GetFamilies() + eventList := map[textparse.MetricType]map[string]common.MapStr{} + if err != nil { + // send up event only + families = append(families, m.upMetricFamily(0.0)) + + // set the error to report it after sending the up event + err = errors.Wrap(err, "unable to decode response from openmetrics endpoint") + } else { + // add up event to the list + families = append(families, m.upMetricFamily(1.0)) + } + + for _, family := range families { + if m.skipFamily(family) { + continue + } + openMetricsEvents := m.openMetricsEventsGen.GenerateOpenMetricsEvents(family) + + for _, openMetricEvent := range openMetricsEvents { + var labelsHash string + if m.enableMetadata { + labelsHash = openMetricEvent.MetaDataHash() + } else { + labelsHash = openMetricEvent.LabelsHash() + } + if _, ok := eventList[openMetricEvent.Type]; !ok { + eventList[openMetricEvent.Type] = make(map[string]common.MapStr) + } + if _, ok := eventList[openMetricEvent.Type][labelsHash]; !ok { + eventList[openMetricEvent.Type][labelsHash] = common.MapStr{} + + // Add default instance label if not already there + if exists, _ := openMetricEvent.Labels.HasKey(upMetricInstanceLabel); !exists { + openMetricEvent.Labels.Put(upMetricInstanceLabel, m.Host()) + } + // Add default job label if not already there + if exists, _ := openMetricEvent.Labels.HasKey("job"); !exists { + openMetricEvent.Labels.Put("job", m.Module().Name()) + } + // Add labels + if len(openMetricEvent.Labels) > 0 { + eventList[openMetricEvent.Type][labelsHash]["labels"] = openMetricEvent.Labels + } + } + + if m.enableMetadata { + if openMetricEvent.Help != "" { + eventList[openMetricEvent.Type][labelsHash]["help"] = openMetricEvent.Help + } + if openMetricEvent.Type != "" { + eventList[openMetricEvent.Type][labelsHash]["type"] = openMetricEvent.Type + } + if openMetricEvent.Unit != "" { + eventList[openMetricEvent.Type][labelsHash]["unit"] = openMetricEvent.Unit + } + } + + if m.enableExemplars && len(openMetricEvent.Exemplars) > 0 { + eventList[openMetricEvent.Type][labelsHash]["exemplar"] = openMetricEvent.Exemplars + } + // Accumulate metrics in the event + eventList[openMetricEvent.Type][labelsHash].DeepUpdate(openMetricEvent.Data) + } + } + + // Report events + for _, e := range eventList { + for _, ev := range e { + isOpen := reporter.Event(mb.Event{ + RootFields: common.MapStr{m.namespace: ev}, + }) + if !isOpen { + break + } + } + } + + return err +} + +// Close stops the metricset +func (m *MetricSet) Close() error { + if m.eventGenStarted { + m.openMetricsEventsGen.Stop() + } + return nil +} + +func (m *MetricSet) upMetricFamily(value float64) *p.OpenMetricFamily { + gauge := p.Gauge{ + Value: &value, + } + label1 := labels.Label{ + Name: upMetricInstanceLabel, + Value: m.host, + } + label2 := labels.Label{ + Name: upMetricJobLabel, + Value: m.Module().Name(), + } + metric := p.OpenMetric{ + Gauge: &gauge, + Label: []*labels.Label{&label1, &label2}, + } + return &p.OpenMetricFamily{ + Name: &upMetricName, + Type: textparse.MetricType(upMetricType), + Metric: []*p.OpenMetric{&metric}, + } +} + +func (m *MetricSet) skipFamily(family *p.OpenMetricFamily) bool { + if family == nil || family.Name == nil { + return false + } + return m.skipFamilyName(*family.Name) +} + +func (m *MetricSet) skipFamilyName(family string) bool { + // example: + // include_metrics: + // - node_* + // exclude_metrics: + // - node_disk_* + // + // This would mean that we want to keep only the metrics that start with node_ prefix but + // are not related to disk so we exclude node_disk_* metrics from them. + + // if include_metrics are defined, check if this metric should be included + if len(m.includeMetrics) > 0 { + if !p.MatchMetricFamily(family, m.includeMetrics) { + return true + } + } + // now exclude the metric if it matches any of the given patterns + if len(m.excludeMetrics) > 0 { + if p.MatchMetricFamily(family, m.excludeMetrics) { + return true + } + } + return false } diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index 06a48f15a0b7..dd7986766128 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go @@ -23,6 +23,15 @@ package collector import ( "testing" + "github.com/golang/protobuf/proto" + prometheuslabels "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" + "github.com/elastic/beats/v7/metricbeat/mb" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" _ "github.com/elastic/beats/v7/metricbeat/module/openmetrics" @@ -31,3 +40,361 @@ import ( func TestData(t *testing.T) { mbtest.TestDataFiles(t, "openmetrics", "collector") } + +func TestSameLabels(t *testing.T) { + dataConfig := mbtest.ReadDataConfig(t, "_meta/samelabeltestdata/config.yml") + mbtest.TestDataFilesWithConfig(t, "openmetrics", "collector", dataConfig) +} +func TestGetOpenMetricsEventsFromMetricFamily(t *testing.T) { + labels := common.MapStr{ + "handler": "query", + } + tests := []struct { + Family *openmetrics.OpenMetricFamily + Event []OpenMetricEvent + }{ + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Name: proto.String("http_request_duration_microseconds_total"), + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_total": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeCounter, + Labels: labels, + Exemplars: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeGauge, + Metric: []*openmetrics.OpenMetric{ + { + Gauge: &openmetrics.Gauge{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeGauge, + Labels: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeSummary, + Metric: []*openmetrics.OpenMetric{ + { + Summary: &openmetrics.Summary{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Quantile: []*openmetrics.Quantile{ + { + Quantile: proto.Float64(0.99), + Value: proto.Float64(10), + }, + }, + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_count": uint64(10), + "http_request_duration_microseconds_sum": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeSummary, + Labels: common.MapStr{}, + }, + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Labels: common.MapStr{ + "quantile": "0.99", + }, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeHistogram, + Metric: []*openmetrics.OpenMetric{ + { + Histogram: &openmetrics.Histogram{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Bucket: []*openmetrics.Bucket{ + { + UpperBound: proto.Float64(0.99), + CumulativeCount: proto.Uint64(10), + }, + }, + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_count": uint64(10), + "http_request_duration_microseconds_sum": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeHistogram, + Labels: common.MapStr{}, + }, + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_bucket": uint64(10), + }, + }, + Labels: common.MapStr{"le": "0.99"}, + Exemplars: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeUnknown, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Unknown: &openmetrics.Unknown{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeUnknown, + Labels: labels, + }, + }, + }, + } + + p := openmetricEventGenerator{} + for _, test := range tests { + event := p.GenerateOpenMetricsEvents(test.Family) + assert.Equal(t, test.Event, event) + } +} + +func TestSkipMetricFamily(t *testing.T) { + testFamilies := []*openmetrics.OpenMetricFamily{ + { + Name: proto.String("http_request_duration_microseconds_a_a_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_a_b_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_b_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeGauge, + Metric: []*openmetrics.OpenMetric{ + { + Gauge: &openmetrics.Gauge{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_c_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeSummary, + Metric: []*openmetrics.OpenMetric{ + { + Summary: &openmetrics.Summary{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Quantile: []*openmetrics.Quantile{ + { + Quantile: proto.Float64(0.99), + Value: proto.Float64(10), + }, + }, + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_d_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeHistogram, + Metric: []*openmetrics.OpenMetric{ + { + Histogram: &openmetrics.Histogram{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Bucket: []*openmetrics.Bucket{ + { + UpperBound: proto.Float64(0.99), + CumulativeCount: proto.Uint64(10), + }, + }, + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_e_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeUnknown, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*prometheuslabels.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Unknown: &openmetrics.Unknown{ + Value: proto.Float64(10), + }, + }, + }, + }, + } + + ms := &MetricSet{ + BaseMetricSet: mb.BaseMetricSet{}, + } + + // test with no filters + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) + metricsToKeep := 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, metricsToKeep, len(testFamilies)) + + // test with only one include filter + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, metricsToKeep, 2) + + // test with only one exclude filter + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{""}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, len(testFamilies)-2, metricsToKeep) + + // test with one include and one exclude + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, 1, metricsToKeep) + +} diff --git a/metricbeat/module/openmetrics/collector/config.go b/metricbeat/module/openmetrics/collector/config.go new file mode 100644 index 000000000000..0e5a9884db49 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/config.go @@ -0,0 +1,42 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package collector + +type metricsetConfig struct { + MetricsFilters MetricFilters `config:"metrics_filters" yaml:"metrics_filters,omitempty"` + EnableExemplars bool `config:"enable_exemplars" yaml:"enable_exemplars,omitempty"` + EnableMetadata bool `config:"enable_metadata" yaml:"enable_metadata,omitempty"` +} + +type MetricFilters struct { + IncludeMetrics *[]string `config:"include" yaml:"include,omitempty"` + ExcludeMetrics *[]string `config:"exclude" yaml:"exclude,omitempty"` +} + +var defaultConfig = metricsetConfig{ + MetricsFilters: MetricFilters{ + IncludeMetrics: nil, + ExcludeMetrics: nil}, + EnableExemplars: false, + EnableMetadata: false, +} + +func (c *metricsetConfig) Validate() error { + // validate configuration here + return nil +} diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go new file mode 100644 index 000000000000..a3b83ccd8182 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/data.go @@ -0,0 +1,289 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package collector + +import ( + "math" + "strconv" + + "github.com/prometheus/prometheus/pkg/textparse" + + p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/labelhash" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +// OpenMetricEvent stores a set of one or more metrics with the same labels +type OpenMetricEvent struct { + Data common.MapStr + Labels common.MapStr + Help string + Type textparse.MetricType + Unit string + Exemplars common.MapStr +} + +// LabelsHash returns a repeatable string that is unique for the set of labels in this event +func (p *OpenMetricEvent) LabelsHash() string { + return labelhash.LabelHash(p.Labels) +} +func (p *OpenMetricEvent) MetaDataHash() string { + m := common.MapStr{} + m.DeepUpdate(p.Labels) + if len(p.Help) > 0 { + m["help"] = p.Help + } + if len(p.Type) > 0 { + m["type"] = p.Type + } + if len(p.Unit) > 0 { + m["unit"] = p.Unit + } + return labelhash.LabelHash(m) +} + +// DefaultOpenMetricEventsGeneratorFactory returns the default OpenMetrics events generator +func DefaultOpenMetricsEventsGeneratorFactory(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) { + return &openmetricEventGenerator{}, nil +} + +type openmetricEventGenerator struct{} + +func (p *openmetricEventGenerator) Start() {} +func (p *openmetricEventGenerator) Stop() {} + +// Default openmetricEventsGenerator stores all OpenMetrics metrics using +// only double field type in Elasticsearch. +func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent { + var events []OpenMetricEvent + + name := *mf.Name + metrics := mf.Metric + help := "" + unit := "" + if mf.Help != nil { + help = *mf.Help + } + if mf.Unit != nil { + unit = *mf.Unit + } + + for _, metric := range metrics { + labels := common.MapStr{} + mn := metric.GetName() + + if len(metric.Label) != 0 { + for _, label := range metric.Label { + if label.Name != "" && label.Value != "" { + labels[label.Name] = label.Value + } + } + } + + exemplars := common.MapStr{} + if metric.Exemplar != nil { + exemplars = common.MapStr{*mn: metric.Exemplar.Value} + if metric.Exemplar.HasTs { + exemplars.Put("timestamp", metric.Exemplar.Ts) + } + for _, label := range metric.Exemplar.Labels { + if label.Name != "" && label.Value != "" { + exemplars.Put("labels."+label.Name, label.Value) + } + } + } + + counter := metric.GetCounter() + if counter != nil { + if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeCounter, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + *mn: counter.GetValue(), + }, + }, + Labels: labels, + Exemplars: exemplars, + }) + } + } + + gauge := metric.GetGauge() + if gauge != nil { + if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeGauge, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: gauge.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + info := metric.GetInfo() + if info != nil { + if info.HasValidValue() { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeInfo, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: info.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + stateset := metric.GetStateset() + if stateset != nil { + if stateset.HasValidValue() { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeStateset, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: stateset.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + summary := metric.GetSummary() + if summary != nil { + if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeSummary, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name + "_sum": summary.GetSampleSum(), + name + "_count": summary.GetSampleCount(), + }, + }, + Labels: labels, + }) + } + + for _, quantile := range summary.GetQuantile() { + if math.IsNaN(quantile.GetValue()) || math.IsInf(quantile.GetValue(), 0) { + continue + } + + quantileLabels := labels.Clone() + quantileLabels["quantile"] = strconv.FormatFloat(quantile.GetQuantile(), 'f', -1, 64) + events = append(events, OpenMetricEvent{ + Data: common.MapStr{ + "metrics": common.MapStr{ + name: quantile.GetValue(), + }, + }, + Labels: quantileLabels, + }) + } + } + + histogram := metric.GetHistogram() + if histogram != nil { + if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) { + var sum = "_sum" + var count = "_count" + var typ = textparse.MetricTypeHistogram + if histogram.IsGaugeHistogram { + sum = "_gsum" + count = "_gcount" + typ = textparse.MetricTypeGaugeHistogram + } + + events = append(events, OpenMetricEvent{ + Type: typ, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name + sum: histogram.GetSampleSum(), + name + count: histogram.GetSampleCount(), + }, + }, + Labels: labels, + }) + } + + for _, bucket := range histogram.GetBucket() { + if bucket.GetCumulativeCount() == uint64(math.NaN()) || bucket.GetCumulativeCount() == uint64(math.Inf(0)) { + continue + } + + if bucket.Exemplar != nil { + exemplars = common.MapStr{name: bucket.Exemplar.Value} + if bucket.Exemplar.HasTs { + exemplars.Put("timestamp", bucket.Exemplar.Ts) + } + for _, label := range bucket.Exemplar.Labels { + if label.Name != "" && label.Value != "" { + exemplars.Put("labels."+label.Name, label.Value) + } + } + } + + bucketLabels := labels.Clone() + bucketLabels["le"] = strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64) + + events = append(events, OpenMetricEvent{ + Data: common.MapStr{ + "metrics": common.MapStr{ + name + "_bucket": bucket.GetCumulativeCount(), + }, + }, + Labels: bucketLabels, + Exemplars: exemplars, + }) + } + } + + unknown := metric.GetUnknown() + if unknown != nil { + if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeUnknown, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: unknown.GetValue(), + }, + }, + Labels: labels, + }) + } + } + } + return events +} diff --git a/metricbeat/module/openmetrics/fields.go b/metricbeat/module/openmetrics/fields.go index b54ac18df5f1..27c738406f98 100644 --- a/metricbeat/module/openmetrics/fields.go +++ b/metricbeat/module/openmetrics/fields.go @@ -32,5 +32,5 @@ func init() { // AssetOpenmetrics returns asset data. // This is the base64 encoded zlib format compressed contents of module/openmetrics. func AssetOpenmetrics() string { - return "eJycUsFuqzAQvPMVI94hUpTkAzi8X8i7P1WJwQu4sb3WelGUv68I0JK0PbRznGHYmZH3uNCtAieKgVRckwtAnXqqsDl+sJsCEPJkMlWoSU0BWMqNuKSOY4W/BQCsHAhsB08FkEnVxS5X+F/2qqncoczZly8F0DryNld38x7RBHoOM0JviSp0wkOamS9ujzivvGc0HNW4mLFEaoUDKNrELmqG9kZhhNCy93x1sXso0LIEo4f55+ukI/7gKJYELsOFxKImKnoS2sGbmnzG1XmPYLTp0TrJuoP2BKE8HbU81Pd9JiztJ/Nh+y4s9bl+pUZX9EScJvVCtyuLXcnfTDTin3Ag7WlYppmvfgozT/HjNE/dHtRTMCm52M2fltvyl6FXaR+f5lsAAAD//0qh20E=" + return "eJzElL2O1EAQhHM/RckEJ5327gEcEBCQoXsAhO7Gdttudv7U09bit0f+W+w1BCwIKmzPVH1TM/ITzjQUCJG8IxWuUgYoq6UCDy8/pg8ZIGTJJCpQkpoMqClVwlE5+ALvMwDY7IALdW8pAxKpsm9Tgc95pxrzE/KUbP4lAxomW6di2vwEbxzdwozSIVKBVkIfl8kty6if8Ix62/i9oQpeDfuEFbOR4EC+joG9JmhnFEYITbA2XNi3u0M1QZzR58V8Sz/qHV6kJgEnsItB1HhFR0InWFOSTbiwtXBGqw4NS9ITtCMIpTm0Dn05dTZrbaQjG6/DtY4zDZcg9Wb+iwJGfRCmZrsAoZmiP00H+2gc2+GQOwb9We5svzda3XvP+lfcd0ar+1z48+MhIZRfqdoGz4PXO/J3z31mmWMPNMuq38a5eRC7r6/OxMi+XZbmj/m91Adc+kYuWiP/rr418VjdleU/3eiaf7za/U/oewAAAP//WDeHdA==" } diff --git a/metricbeat/module/system/fields.go b/metricbeat/module/system/fields.go index 28a267656964..10611be6660f 100644 --- a/metricbeat/module/system/fields.go +++ b/metricbeat/module/system/fields.go @@ -32,5 +32,5 @@ func init() { // AssetSystem returns asset data. // This is the base64 encoded zlib format compressed contents of module/system. func AssetSystem() string { - return "eJzsfXtvIzey7//5FMRcLOLZa2tsJ5nN+o8LTDybewzMxMbYs7vAwYGG6i5JXLPJDsmWrHz6Az76zX5JLVkOLBzk7NgW61fFYrGqWCyeoUfYXCG5kQqi7xBSRFG4Qm/uzQ/efIdQCDIQJFaEsyv0/75DCCH7SyQVVolEEShBAnmKKHkEdH33FWEWoggiLjYokXgBp0gtsUJYAAo4pRAoCNFc8AipJSAeg8CKsIVDMfkOIbnkQk0DzuZkcYWUSOA7hARQwBKu0AJ/h9CcAA3llQF0hhiO4ArFggcgpfkZQmoT6z8WPIndTzy86M+d/VrKycT9okihSEXzDdlPUzqPsFlzERZ+3kBNfx6WkIK1w03Qr1wgeMJRbOQvEsYIW7yZ1KgHcTKJA1WjLwNMIZzOKcfFX865iLC6QjGIAJgaAM9+AS8A8bmZVkUiQDIGptBsY6YuY4GwAMxPKJYKwQqYmlRGJBKtME0AEYmYBkXJHxCmI7EkmoFIKQVcgDRqRBQSmC1AlkYzunOOFEcXfgFJhYWaasA1OYXlyeuQguF5vQRW4neNzbQJBWGdvtX8Z5gjt+SKQHkQJDGBEBGGIqz/Y//m5MuHz28npbWTmQA0ZOl8s1/7hgLOFCZMIsoDTN1ofVeUnu+asIrUO2ThUJzpcQpQtCo5BFrGCGtFXVAw9LTEMIoSqoj5XsH6pJ+ywclmq8JEkRESln6cskI5W1R+0cKN/mjo1xqVXRg5qtJf/h90l2mA9AJSXGFa0UXUpY+oVSd7oH/QVBEOFFmBx2yUptsLO5EgDo+6y+oRZoAhGeMAGqakxIEiwaMcRyM0OBzxhKkdgTk1P0bhPoJgQIdwMaKAOyU8AB0jARyfhDlDlK/PYkG4IGqTbhIg+3BzMElvi5KE9AhlblD1AH44Re4BiK8xUUcoS4Y0MHTCGQqJfHzbj49D2ohh+MTvxydkCWJFAh2Nafd7iVlI9T+WWIRrHcARpkCIJFad61H8fjjRj4Za8rl6SfOi8W7H4XPPzRbIFTyHL9vDLBG24jRhCouNNQHO0V0RoRJMzTfWS0JtjLzcxFokkosaMRNYFuTF1RJEugVyMal94cMKE4pnFBBndKM3z6+MPPUS5CHt4vEKqJA12CkCDeKkFgRrrqTCRcXeJqg02ZARJ8qXa4kFSOd9mRngUk3sH3N2lqdrauPlK0OiNaEULfEKdFyNn0iURC7lw+fo28X5+V/QXy25b2bs2mCFtFBxXEwF4HCDFH7U+pEnkpjiCAeBUTtrW1b1QT1YNJStI+qXEJqiW1bPbMjT2rAbnqAAMztpRZFn+dqFAKxA6B8wK7diovIUkTn6oTasS98JQFih9+d/0dBOtV5Z5XLZmkkQJ5NUmt+s9swAXfzcODl/rhD2zxUkvtzw688S7bwgr/XVL/dw+OrdjuPdPlPKu4cgzUmfRJZts6PehBSM4tzc/ktboSan5LfcM+rln2hP6ihFMDRNfbSMDN3oj5ORnXb742Sp/5Z/pPi32PePk5PRN/8Xxea2HsBxMvlS3YBjk2YfL+A0TYRIX32MCa49vFc8hodadu+lnEwf85nuyzgFPcLDxKM+hHvuo5Dtd8TnRr7tJvd69lCUidZTwr+rimLI8YMeonD+oP+Jbm6z6reeZbfpZ/gZhf6vdz7rZbH6kxW6yhBfDJ9uw54m2aVsIAimU7t5DoDXE8L30lFIq/RsmWuEN4hxhWamDnNFQruNY0pzodfGdDn6DoYE4HBiDjxGXDzGUyp4GJqIVhk9Q1plZBJoDZ8nlG468K0FUbB3gIbKlgiNBGcb1f9ELXUFfV/aArwZxsAow0a3DH0iLHmyR1ykSgpV/EAJgeLCjWQOe2JKnKYxhKVMIi0Z81dIkj+MH/rTxWWvGXx+AWkcCtg4MkoH6ymm2qjdYjNqVak3bxXaFoKJCNUxQcBZKPOCWm1WzIrtNbHPBtGu2U5ncd8A/RhDrvfBm3e3sryJN4Hk8ZjOSxWjxqEdl1jwhQAp6w4DMCV4vNnFY8h9E1eqXx9zuBeA00GnM6JG9e8ytHpgLaQ63MI1oGeP93O8Dueplia29fDcXtHgnGZ2+cfzv7+vzfKcUCjdykBbuYb5MLUClfxXY9SpZEwfaOMwXqAJ3QvyVlzb9YTFgqwIhQWENgFBmCUz8UIPYUUCmA70Ygd5quULXt/ehbB6p3978c2LSNPdAxQ9RhUKPKkf/SBMVDWNOWlw57bGYgbWNteMXZONH43R1j3aXT0+YjwEY331GjU/qYdHBUgCnlXb27Vao5uOLbWCvATANkIzcj+oc1mQXbvEEgmHjQ40wYHwnn93q4BuS0Znqij1BrPTPuZUyo5U2MoKm1ia7sCLhYAFzvId2gE1JqdSwZh/decSzW0j3t/K5sehQXOesLBl+eywrB88Zk9O0G/cZJ3/RVjI1w36Z0lrp2XAKvDPdF0QIM185VJAIQ9kNavmmwXUbpFbRdOFvoazvkBQduPRWMTKmqgC1Ivn2QCaldsB0GeeD4fQmsETAzSmiTQyfVsPgSjH4S7m5PruqxkD4RUIvIAdDcCbizdDjbL+FWGL6RwHiosrdHF+PswwfyrAN/ebswv4EWGJAv8afvPTMSH9yWFtMDhvLo4K7YUHrh+3OXd+Lp3w6AIKSZaI7neeXGfnuabCrzBjcPRs2tWgVTvyZP7Iz9F+b4rUrLNtM7GTu2eHqKUsXAOLEdIVBwtDzL7muoK0z+BBw4+veovtBeuAUa6N1/LjXONRuTnPYqNiN5mQgzSnbYQFNAmzPw44s6n92SZ1JwMcLG1bmRrpWTKfg5DoREIWuzrR4EAlmE4qbog/CtAEencA2Vmlrg25lGHOakH30ceQvbTPTsB2QUUdyQczWt6eCkJT0aCntyvUaHXpvcsWHcBtdgwV5FlYKDcKCXAWWxp7HRKt6cACQDNQa3B3sty6Y6H5V55gcjPkva6nP9W/RCHEwEKZbg+39za5F3EBKASFCZWnKDa2GgVLCB6zwL6w0L41qAR6/kDPidtvl24UIhIFmAYJNdmHGdbTUpBF+QDTmrD05ttniPJTGZO3eBcLHryLICJszk/rstAfLooEzdeK4EwMlVu+zNKReXl025ZL5RNaDxD155ah2/t/I2IYxUgmUdVKpzpEmOv/k6rQbZZcOHXfh9/rC9vNIs/Uwn29r1o0mDfUx8ShTjOHeoay9QOh2irtKl1Z46pla7Z5sYA5ebpCb/7bsPU/VR+wnP/RmmdGyX0r7U4RqUgg7TkVhOkxlcZRauaXarMvw9udnnnm5ELOTF9Vei6zbryzYXifyyLmJ8nDxXt8KzVpFHxW6wZqzcXjTtGNG6MQ3rifFKv2Sj3r0t+bSst5JYN3uII9UMuBAa8JJKvg+1Tv8UQd9CymWoIkS10svRAJe1aEAgIgq2ITykZBxjh4hFFrMnIwbuyeAtsfEpEh6SkYwiYgBBf7EYsd2tUWW0SELXrM1aEwSWBhNyLCJqHgcdw/sh2EiLCAR6YUwM2d6T2xBh0vWLI9JLZPgDxRC94OsNLeFtM13tR303PtOn3EYk2Y8ZJ/uf+IZhDgRIJziLUDLiDmQuU5wOY67cp+NJVJFOEeWbdss5iBwv32q89uR7JFTGyhvcMF5TNMM9NuvH2iNj33HxJP/uqdLj77D9Scgo4Ju7mzJ7AgGrqgBmNSe7juIJeEY5L7+rGb3JQSBSPT/EQUtBMmQTTqLF5/9nDq7+2NtvK63BgFryvOW3/jECt8WmwafFrsZF5pZYzG9bowJbhqMWKslhnfE89XI7LQpkEz6lqk1ylWm5Wj3Yu3BjYuL6KJGxokd7Nf/2Yf7uMdCGKh3Zkt6S62p1v/ah+KQRRSwkae6XlCKQp4FGEWnunhbXSkuO1+Xmw1fuoS8GZz8CQLsVgkkclCSoixwG6H89YikAXjAqZ4xldwhS7Pf/zZb/ckiC0WlG2Qsd1qCtbbTqveIwlbTEMizF2DzRbUga36G1v7w+mOGgBsRQRneubQCgui43zZrAW2Z5w2pL7LGbhwHw79KgB+uf94avOh1tTe3qN/+w1HuT0fGi8bdn339UzGEJA5CYppsDi/2jc0x9V4wRp1ZWN6Jiw8tx1LrzG03byugrXX5I3ruie0Wds9DdamEO17EUZ7nL1oknV3Wx/0zPmiQS9jJHFo9swbVQgXJIkIxcJlXL1k/6KpZIIsEgiJjCne5PGC4nFqstMbp/XLhX7hNjRLeFES9rw9ko885hskGdP5WySltpJVEbd0N0AHtgv+rgdVwFYn9onXHjq2Tm+LPH1PvJTRhXXXdwi6/k+/oLbSF9T/uPqz+e7Q/ahrv+varzz1vOgQRzKZBqQ38T0P2CyxLJ4c2mPTypH2NY8iotD1EosFoBPlKSPJRsbWXUljOszwAoSmYmwmUeYM1aTdXSCTInmbNZ11uVdbwkVkt6YKKZ/tGEkL+QtIEuqldQ8K3ZM/YFKxFoMfDuqakSAROnhCzulFEpTRstOG+w1VaR3fHrTd20o+/uQSi+daboZ26GMmkY2XiPwRzxalN78SCtnfcOF8wTSvYrdnrSlG3DbfSGQhaJh7enLYYgq9S7t4YmzjyGNgO21/lTtTZRlIM37vPY+SiKiJ5PPm5bHbjqyHtlTSY/4O6Jn35B2yFBUWxg4wQzNAwVK7VWHVo8MKYbYx+2+XKJa4FtSOJQo99L5EURhbi8J0h5kBEjht+SU4Vw2BsG/hbb0k07y+XkAGj8wbxFhKpt/GkgRLG1xg+WgrfyIov0uWfty3sptYAvITjZozpfddO5BcklgbUlwbkHF2psXhRjYClFAiYORXSi4YszA0bq/l3VBHBq2HgJHTppuPxsHQmsTNdTTLjURYSh4Qkw5bE7W026kWsz+GuTHRn9ARDPteIZyOevPRJmVct4V0dDOa4TutMvOOimctR7dFEcVYLfcnJD16Wnfk9Kh6a979WCYzG099L+3FPnuPeJDIDLVDCM2NO12BkITvvpu4ccy1AAc5W2LpxYLqaUkzuFpiDbUalBqi5ukM4iSfKCSDJYQJBfssIzZdXSxcLB+zy8NukXvH/GC/k24enCnBKXVmd82zxHJGSshTdP3rvbFuXx78g+rfS4VZaMGkPYXoBs0xEflQzgjGgmtJE84wpdUoz0nH3OFwoUka26a1tumEZYWhayCLpZqgLw8FGN5xBWDqAuUKKAlKFt658KYBvM4yyvsKlifACNmV0KMwEabhGVqQFTDtGBMeNqw1ZrN8LASR8frPy9Pi0ETbfLFIDV6k93qX1HJGvTnPEsQJDgI10YRwGBI9Eaca0Vkuk+LOsODMhGz/bOrf48Zu2BlQ1+6Aehg/VF0xNx9Tfqva3gqgwfZuBcG/aPXnbhsb3Diazza3Mmnu9bRy2WSUajxamKvL1jHbZh6Vcvp4ARPWzGmHEW9BKNHq0sVChCGGGXfNiXqC8gfLZVRN0XIvWH2F05w9HgdMIWNbxtUDIIg9Tp7e6MxZS9rid9gket8TqoPbVmwldD1FdcCp9MPrxJm+D7C3SXVuyzZT2vg+UR3ctgIsoOstqgNOqg9eq90P5nLiHIuk3f63TGffLc7QMXuwm9yIBCKdXeMGLvkaCVgkFAsdWjYOZbn/Xqb+rOLG/xEgeSICkEgueUJDE9wDppQHWDUWNPpk8nvCFd6/SB4q+fJGwViHE1P/tR0DKXXncdGXFAlL/UjtktmpRidYohDmxOZOmqVcVI6mS5g+6Zl8575l94GZsvYFCHdEYE4Z3BkOaMc8c6AMnqJj3jhoqaFZmnkpiXVSOFxPiYXOi2+WZJw4odgcVpRI06f2EmmlJ4tl41PzVfEKdcTrNVuXzfJtWK/mLGPoQhVqIhJm8pXHIAxzFs7ZAqQyUTJhCU+kW3ONAxNWyfOVF7F919EvtSG+vdOafYspb6vkTI25ebLCVBqjU1owelGUTUyzcdNL24gCKI5lbw2xrKul4EpRCA8uBK0rsmlWZ/YSsMOGTgyTxPNcZPox90Qp5WtbBaZte1rHrpawcQJ6WuLEtHQyja/nrXapYO60VpdmyCbViUBmL+xr/qsS3/8Wmh07GxbCxJbzoZPKEn1b2EfzCenwMHwTdarFVLwt4Fyx1eUgwTR60IcQTMGrHk0u/sxUXkYOUibeE1g0PMdw50ZDJ6kxNBYXmP7123qXkuKnb+pB8hY/oQ/iGur71A1JtxDn1SlEAUtlKLo50H8oFTZpVs6yHGDKbQvFLvaKLF6cdwQmqHdwgnrVABQ//gnlKxDo4hx1xXxFNt4fKRvvh7Hxw/mR8vHD+TBGmi6b19noyBHsyIW1fvd6VaXmp1/kPk9aAq1Rlz6l5qCVhLTnykeSRAlVmAFPZMNJiBPcqyE4FjZeDUEXGz0MgWdp/5pQ2rC0a4MVDl5x0FLn1uvw1R2lpt20PXfU0s/rEVf2eeYjLldrf5iUXvHhwYKzXWqPpo1/8RC+w+cexGaz+ehVzTmA34zTkuLpGAlXajm1CdE8p98YNm/tWfTj4eq0csPB3mlImHKVlkSiecKCtJTBvIbjep6m7oEtyMc6dtW6YQob3Itpw3I+7edvwzQ+k0hRhTP1NSdJEQ/7TmoB39iTmt2/SI1J/VrWqW8iy7civJR6i3wfyjoOX83qOWTiuk4BR1etE3t35u1wHes8FNxuNh6aZqN4yWeIng2Q+j60ayx+dtUvPba3NA61X7tNP6Xrt7vv5plq1rJmma5yhgAHS/OnlV29JZ9NZPe23nq1CQ3zWO0Vp7TY2PZXeHVa9+S0DndOI4gmtpyn6aoJ6mNWu+6rDGC82D7ZlUnNNo11iyfpBaO+5wQ5wxF+Oh6ml5CVcxZb1Y7Nub1FcYxc57UI1qUrt1rV3KbdJuak9uJY/jGdT9+6i3/1QmOT5SocZSWy76aupTfHhCb7LzAo3yByR3mVm4z2MslJZU7fonWtLUX+EWAaSA9RF74+sLKk7PE1UksBcrnk1G9JiziXZLF8HqCa8hCkhzc62dXXpy6cneDNXfuRqnXrCl4o8RdICRLHEGZpaLsRUFhBU16v7/Ea5euWhN/wEsJcVZvkWqSu9WVU8gUF7EM/wk+jks/Vqg91zqNRqXNzdW0A9ekj6XHCMhSCHlTrbG8keiMZFYUeUO9oNQS9bb1cH5sfuIS03Xh6vbzkFJpG56Zvr31CyvlLjeON6UdlwjpWH7J2118HXnVhlYTSEjTuKqyjdzvTMjqncFWhtV+L2IuzqaX2MrwvuX45/pdcH50H1gPyEcUdVatrVnbjiCe15W8ilHok0sz7q8/pYeTV53z1OV+Az+mD8XisGUd33rC3xOPj8WceqyLoTEA2jjpcMkfvIvJ5RT5tbl/jwFu5g4/HmXysztuY2Uc99lQF8VGaipKN0KHDw/Vd/tBWrePZEEaP1TQUbUKVY4+NaBxzF+tpxPQS7IQTVlVONYPRJaWt48dMWsdpNKoT2Xz/yhsstLJuKxaqjxSUGW49yC+xbF8wzFvo3dy2dJeoQOihpCMC6YHIvs83xYz7XzEqYzvMAvrAONtEPJF5ssUc4ZkSdPueoLmjciYgAKbo5syYoJNPX742aw0lUpX600fxXKITuYwgeuvrSdlfeHNCD70b/UoonM1w8Fh6+9UJ59OXrxm7W3BlZH1gfu70rmkIjz1HSwICi2BJAkynVlTT49ovitUwWdIxhe1cyuytkoLxtBtC8w3NUcQl18cprTzn1FtujUOW5bmd3NKXTl+OJc3eZi2ai9LKa07hVVfkVpJ6BrPZLCm/QfXKaAvtiHAcQ3hcHN+TPwpdjc8sROT+n0Yqm03xuDYnxguYznFCO3K6e7gMr20EzlqRlkN2JchiAcIkf+O2sx4DfaA+/IeL6Qvg2wDtYBy9+az/6o39p0RLrUIsb/TqMiT29WO6MQ1fFW/LCdjHo80LMqbjX0iKrVB7apScNuai9tBgQhM0/zVdJnjhzXR7zQKnj5ptwQdP2sur98UITwqR666stDXA78XKIbZFV1GoV4jATNrnv9AyWYCRy9tTxHjzyda4jquQcqopH43Ufqs8PMvnCGeC9Mpr2N2INY6Phtf77IR/y9lLGKxIoMwj+sfC1OdCjjrAjHFle5IFFJMIwl6cplzO6CPx2fABtwB+oTwoPnX9Wvw/dvH/FrX/9oLjsWisTa1XX7w2tmYOQtgUqLbhxk3AlKKZUapQL75G4qjlBGuQmAg/zAXeXAA3727Tx4A5M+28tLRddwZKd2Dc9FuC/B0K10rHvH7DKQk2zc8w7GoIHIB/Xmpj8Dl9dlVATHGg6Rtb82odDmMdfCyMmz+PQZxZPdXz7R4D7J1A3xpFbaBRc/E7MtVpSvaN5OW1xDpcX5zXllivnXBeO+H0wbV1k6vD9bfLbkS/LuHXJbwrH3+ORZn7APZ5MplEES7d8VdEUdAc2nzxff0PvAu0xXd1Q2QPtVTeLAKZvb3pHl5bclnyUgXoTVkTLfYH9S3NNgk3SrTD7a7GZTlsA5fIGt5Cp2jL2EhI8qxc5bHSXlhIWLs3vTsQ00BwCApJAeJ9iCQdeBgaxeMY/C9e7gTGjjsIyx88mpHxZ8gOOwhJCHh8kehBm1CgG/W9RCsQG5QwSh6ButQlUfZJNhzHgAWaJaY1jHHOTcNoTJEkKnEpEqJQhDfuUMrPWsIeGV9XD4t25y5nrNDVeGmjMR0QJTRk37scrBIEVtoTEYjIFNGkZqIFLuUzBpvdyveHG1H9X6+g/FmMLlnhvKuZjVmbliRWtebdO9A1p/pEbc7sVPRA4LvxswOAh6V56TO045YB+CWwYcEUm05t46G4dndo9eDIDn6KiMXy5cPNR4SFwBv7HkKYsBAzhfzGgcjHtBxupGVUWEeuBsMSaaG/zw3eUChMkmm5RKSSiM/bMJkzsfFFYoYNu0Vi7+OMT9/d8+mkb9ZXPXXYktMq9czaSqtRhM2LtQKvDQprb6UXpTkuGFdzCsekZvCi0iw5DU1ZDbo4v/zxbLZRkEJog6fX5x4cEofPOdgOoi0NESZk1nQ70Gb2CUTFdvn3pmzHmYHC/fasYoiQviNqqckDbFqmjL2wTdUZLV7pxOHUaNsu1PQoqLQxtdHcmVy6Fw4gmcx251Ims7NhTE4lYbW8jKUZ1sHUCJrKJ4WjOCVITU7X+mLmEfKJeyY4hWKKXezeg1mYxlen1kfV/6ckSuL6E+UpaniCYBrwcCc53d/8/+v/+vQR6XHyd7kdwu8lijBhtZd+Ucm7JcpWHu4+Z8X50uPW+27Vqa6AhVxMYwESqsZ+EPUQTIHZEBTZ60Reup1vpTtrkz0mW3um26+13a+MB3EyaXlNtDXPU+tW2uvZ0HL7xo4bdP3pl2691aqBq8RN4nViqsd2olq4VmRTub0nprAngFpz8diIo9fJtRskfxChqSlIr5PqQ9eN22qKhirJAqoYB4+wfY3qYFyOXhcynqhdoXnJNpVbFunuNFGeSSjSrPtWXAPbJex/uL5zo8jcwbNb22451ZAIaA5KMSW1y78xVsts4Uyavh+Rha1xuUJKJA2NifMuBhGpvT7SF4H+u12IUx5gOiFVU2HJ134MTziKKVyhi79fTs4nl5MLxAW6PD+/uDr/+MvPVx9++cfHq59/+uH91dXFMLf+k8aBbu4QDkMBUrp6XfdQPmbo5m71oyZ2c7d6n/1RH95iLvz7tkfFM/4uqw+Q9YKvSXVgEhBxBUcg8C8GyMgSd9wdROSOgf4yX3I5xIHLgP3t/dnlxcXZxcXfzn54P2HrifvNJOBRtQqkA/PdwxckIOAi9G76Ip2TCbpR2kXnM4XNy7IrgpGAFQhZ355v7hDl/LGxoqsiBlA0nMY0kVPOhrjTmTy2Zl97wTCfQ+DKuuIzmz4MuYkCTuDh08e3qWfsZKEnzd6W4wxQxOslPhTPgE7Qr1ykyE7NAHq0/3thwu43c84nMywmC04xW0y4WEzeaPm+Kf6gVtHzkN3i4AKFoEBExBxRpcOjgEcgXfUmQxDNIAwhRAGPN1lSFKvaC4DmC0ul4qt37+JkRkkgk/mcPBkcvXV5CkLUbrfskHj6hx7O/dEsZdM+iZnNidFAp27I3cTvQJwey8a1UsauPa75m4O2uHSYgEcRZtuC8CRhtkMRhZQMWngd02YebnK8odLQrTjgyY+hWxLwBEFirgbsIg/zuMdglfB/azjhxpRaB+l5Qul0gCqUfeDm0oR783vk+f2ulQl8jngMLPOfSV6P4BIEO3nQ9WfUeyYn6or8wegxY9ajrk5CZ06iNSx3r5t3BcT+AmUNzMiwGV3B6SRSgadAYkQsGQnj/PjTZirwe5hbzouOwLafm45HN5oF0hV79xDY53Lnr2IomSZ8TtEMS1tGl6dmsgfU3Z1Cc9XOJtRiU5NM/oAJuuZCgIzNe2SKp0+CSDBn+u+0xXwnN/IdA/WOxKsf36kgnkYQTdAto5vCk9GcoU+EJU+T5itL9ZWGhmV7mhWqfXZRzwQQF/ESt99ZbZ7pnmgNYrvW3SQ5shBqlU+ntlm+rRw02ZCxGUjtSbfc+9mVPeDT0NrsTBUeSO0RELmsHfTtAWB+BlggO0iaAeUSpmvc2Oh1L2grCLWNmOZIpt7DsDJuRaLjgJ0B6YNabthUNhfKHgx0iqMvZgHB6hgwaxx9MM8JM3NSTQUdHHQGZAhq/5v/z4D6sg9qiqWa4sB3AnNQ0CmOPpi1rTnIDtJt8ghb+BBnQVo4qvv69eOfxH3VjDyj+5qEx+i+ts8u6um+Htr5a0Ld8j+y1RFXbiUNzhJ8s0N8K3dmc1ez2SJVFftXLpew41FbYhMkk8hfzeA5GkiXT/rVyq8JixM1Tf8oIpQSf/lAj2LW2/uUV8JKQ9VLxRIJQnbKfotCsU98sYDwLHuFFqQknFUTyG0ybkinbV3im18Zd2C8VCXULhrtQPcDKx6NUL4g2nJVSbTcTt+R54+/JNJVcZrR+0jAcwi7Iwr99axGqKANDRPgqxXZZQ4y5etbmlI+nvAimXFOoZYf6ESiv2Ye7g6sZcLpyVCrRHYpFfPPSPpgU6XorwVDwMfWisJsWAMdeqjkJf84rG1WW9eTLwEJzhW662cT7BxNBx65dm6hH0rHgu5MOn/pqAIo/x//GwAA///w7M0H" + return "eJzsfXtvIzey7//5FMRcLOLZa2tsJ5nN+o8LTDybewzMxMbYs7vAwYGG6i5JXLPJDsmWrHz6Az76zX5JLVkOLBzk7NgW+asHi1XFYvEMPcLmCsmNVBB9h5AiisIVenNvfvDmO4RCkIEgsSKcXaH/9x1CCNlfIqmwSiSKQAkSyFNEySOg67uvCLMQRRBxsUGJxAs4RWqJFcICUMAphUBBiOaCR0gtAfEYBFaELRyKyXcIySUXahpwNieLK6REAt8hJIAClnCFFvg7hOYEaCivDKAzxHAEVygWPAApzc8QUptY/7HgSex+4qFFf+7s11JKJu4XxRmKs2i6IftpOs8jbNZchIWfN8ymPw9LSMHa4SboVy4QPOEoNvwXCWOELd5MarMHcTKJA1WbXwaYQjidU46Lv5xzEWF1hWIQATA1AJ79Al4A4nMjVkUiQDIGptBsY0SXkUBYAOYnFEuFYAVMTSojEolWmCaAiERMg6LkDwjTkVgSzUCkMwVcgDRqRBQSmC1AlkYzunOOFEcXfgZJhYWaasA1PoVl4XVwwdC8XgIr0bvGRmxCQVif32r+M8jILbkiUB4ESUwgRIShCOv/2L85+fLh89tJae1kJgANWTrf7Ne+oYAzhQmTiPIAUzda3xWl5V1jVnH2Dl44FGd6nAIUrUoOgeYxwlpRFxTMfJpjGEUJVcR8r2B90k/Z4GTSqhBRJISEpR+npFDOFpVftFCjPxr6tUZlF0aOqvSX/wfdZRogvYAUV5hWdBF16SNq1cke6B/0rAgHiqzAYzZK4vbCTiSIw6PusnqEGWBIxjiABpGUKFAkeJTjaIQGhyOeMLUjMKfmx8jcRxAM6BAqRmRwJ4cHoGMkgOPjMGeI8vVZLAgXRG3STQJkH2oOxultUZKQHiHPDaoewA+nyD0A8TUm6gh5yZAGhk44QyGRj2/70XFIGzEMn/j9+JgsQaxIoKMx7X4vMQup/scSi3CtAzjCFAiRxKpzPYrfD8f60VBLPlcvSS4a73YUPrdstkCu4Dl82R5mibAVpwlTWGysCXCO7ooIlWBqvrFeEmpj5OUm1iyRXNQmM4FlgV9cLUGkWyAXk9oXPqwwoXhGAXFGN3rz/MrIUy9GHtIuHi+DClmDnSLQIE5qQbCmSipcVOxtgkqTDRlRUL5cSyxAOu/LSIBLNbF/zNlZnq6pjZevDInWhFK0xCvQcTV+IlESuZQPn6NvF+fnf0F/tdN9M2PXBiukhYrjYioAhxuk8KPWjzyRxBRHOAiM2lnbsqoP6sGioWwdUb+E0BTdsnpmQ57Wht3wBAWYWaEVWZ7laxcCsAKhf8As34qJylNE5uiH2rAufScAYYXen/9FQzvVemWVy2VrJkGcTFJufrPaMwN08XOjcP5cIeyfK0h8ueHXnyXaeUFe66tf7qHw1bsdx7t9ppR3D0aakz6JLNlmR70JKRjFubn9l7ZCTU7Jb7ln1Ms/0Z7UUbJgaJr6aAkZutEfJyE77fbHSVL/Lf9I8W+x7x8nJaNv/i+KzG09gOMk8qW6AcfGzT5ewGmaCJG++hgTXHtor3gMD7Xs3ks5mT7mM92XcQp6hIeJR30I99xHIdvviM+NfNtN7vXsocgTraeEf1dlxZDjBz1E4fxB/xPd3GbVbz3LbtPP8DMK/V+vPOtlsfqTFbrKEF8MF7chT0/ZpWwgCKZTu3kOgNcTwvfSzZBW6dky1whvEOMKzUwd5oqEdhvHlOZMr43pcvQdBAnA4cQceIy4eIynVPAw9CRaZbSEtMrIJNAaPk8o3XTgWwuiYO8AzSxbIjQcnG1U/xO11BX0fWkL8GYYA6MMG90y9Imw5MkecZHqVKjiB0oIFBduJHPYE1PiNI0hLGUSac6Yv0KS/GH80J8uLntJ8PkZpHEoYOPwKB2sJ5tqo3azzahVpd68lWlbMCYiVMcEAWehzAtqtVkxK7aXYJ8Nol2znc7ivgH6MYZc74M3725leRNvAsnjMZ2XKkaNQzsuseALAVLWHQZgSvB4s4vHkPsmrlS/PuZwLwCng05nRI3q32Vo9cCaSXW4hWtAzx7v53gdzlPNTWzr4bm9osE5zezyj+d/f1+T8pxQKN3KQFu5hvkwtQKV/Fdj1KlkRB9o4zBeoAndC/xWXNv1hMWCrAiFBYQ2AUGYnWbihR7CigQwHejFDvJUyxe8vr0LYfVO//bimxeRnncPUPQYVSjwpH78NkE3DEkeAQqwBHNd5l+EhXwt0e29jZdM+UxapvEtYRnTvyEsETb7tNVuvTczK13Cmb3xpfQ2wNcQohN4miB4UiAYpgaWfOsXi4nqpjEnDe7k1rwwA2ubb8auycYvErNa9mj39fiI8RCM9dcsNz+ph2cFSAKedbW1ryqNbjo21wr8EgDbMM3w/aDObYF37RxLJBw2OtETDoT3/LtrBXRbMjxTRak3uJ32UadSdqTCVlrYRNN0C14sBCxwlm/RDrAxOZUKyvyrO5eIbhtx/1Y2Pw4NmvOEhS3LZ4dl/eAxe3KCfuMm6+02nbaptdM0YBX4JV1nBEgjr5wLKOSBrGb1fFJA7Ra5lTVd6Gs46wsEZTcujUWsrIkqQL14ng2gWbkdAH3m+XAIrRk8MUBjmkjD07f1EIxyHO5iTq7vvpoxEF6BwAvY0QC8uXgz1CjrXxG2mM5xoLi4Qhfn58MM86cCfOMwZg0AIsISBf41/OanY0L6k8PaYHDeXBwV2gsPXD9uc+79XDrh0QUUkiwR3u88u07Oc4nCrzBjUPRs2tWgVTvSZP7IT9F+b6rUrLNtc7GTu2eHqKVMXAONEdIlBwtDzL7mupK0S/Cg4cdXvcX2gnXAKNfGa/lxsvGonMyz2KjYzSbkYLMbhAU0CbM/DjizRwuzTepOBjhY2rY2talnyXwOQqITCVns6liDA5VgOqm4If4oQE/QuwPJzip1baZLCeasFnQffQzZS/usALYLKupIPpjR8vZYEJqKCi3erlCj1aX3Llt0ALfZEVTgZ2Gh3CgkwFlsaex1SLSmAwsAzUCtwd0Jc+uOheZfeYLJSch7XVB/qn+JQoiBhTLdHm7vbXIv4gJQCAoTKk9RbGw1CpYQPGaBfWGhfWtQCfT8gZ5jt98u3ShEJAowDRJqsg8zrMVS4EX5ALWc0v0MUX4qZPIW72LBg3cRRITN+WmdF/rDRXFC87UiOBND5ZYvs3RkXh49SxKnCOoBov7cMnR7/29EDKEYySSqWulUhwhz/YdSFbrNkgun7vvwe31hOynyTC3c1/uqRYN5Q31MHOo0c6hnKFs/kKqt0q7SmTWuWrZmmxcLmJOnK/Tmvw1Z/1P1Acv5H615ZpTct9LuFJGKBNKek0GYHpNpHKVmgqk2+zK83emZZ04u5MT0VaXnMuvGOxuG97ksYn6SPZy9x7dSk0bGZ7V2oNZcPO4U3bgxCuGN+0mxarDUMy/9van0nFcyeIcrGAS1HBjwmkCyCr5P9SBP1EHPYqolULLURdMLkbBnRSggALIqNsFsZGSMg0cYtSYkB+PG7smw/SERGZKejCFsAkJwsR+22KFdbbNFRNiih6wOhUkCC7sRETYJBY/j/pHtIESEBTwypQBOdqb3xRp0vGCn7cGxfQLkiVrwdoCV9rqYrvGmvpuea9fpIxZrwoyX/Mv9RzSDACcSnEOsHXABMRcqzwE214lX9qOpTKII98i6ZZvFDBTut199djuSLaJiC+0dLiifYZqZduPtE7Xpuf+QePJXr7j47D9Qcwo6BHZzZ09gQTR0YQ3GnO3humO6JBxzuq8fu6ebUqJg5Dk/EQXtE5MgGlWK1589lPp7i6OtvC43RsHrivPW4zjECp8WmxafFjupV1opo3G9LkwJrlqMGKtlRvfE89WILAS2hLoW7fUZq83S0e7FWwMbpxfRxA0NmrvJr3+zD/XxDhNiod2ZLeddbD9v/at9ZgyikBI2sqTnCaUo4FGEWXimh7fRkeK2+3qx1fmpS8CbzcGTLMRikUQmCykhxgK7Hc5bi0AWjAuY4hlfwRW6PP/xZ7/dkyC2WFC2Qcd2qylYbytWvUcStpiGRJi7DpstZge26m9s7Q+nO2oAsBURnGnJoRUWRMf5slkLbM86bUh9l0Nw4T4e+lUA/HL/8dTmQ62pvb1H//YbjnJ7QDReNuz67uuZjCEgcxIU02BxfrVwaI6r8YI36srG9ExYeG5bll6DaLv5XQVrr+kb13VPaLO2fxqsTSHa9yqM9jh70cTr7rZC6JnzRYNe5kji0OyZN6oQLkgSEYqFy7h6p/2LniVjZHGCkMiY4k0eLygepyY7vfFav9zoZ25Ds4YXxWHP2yf5yGO+gZIRnb+FUmprWWVxS3cFdGC74O+6UAVsdWKfeO2hY6t4W/jpe2KmjC6su75D0PV/ega1lb6g/sfVn813h+5HXftd137lqedFhziSyTQg7QTgeUBniWXx5NAem1aOtK95FBGFrpdYLACdKE8ZSTYytu5KGtNhhhcg9CzGZhJlzlBN2t0FMimSt1nTW5d7tSVcRHZrqpDy2Y6RNJO/gCShXlr3oNA9+QMmFWsx+OGiLokEidDBE3JOL5KgjJadNtxvqHLr+Pag7d528tEnl1g813Izc4c+YhLZeInIH/FsUXrzK6GQ/Q0XzhdM8yp2e9aaYtht841EFoKGuacniC2m0Lu0iyfGNo48BrbT9le5M1XmgTTj997zKImImkg+b14eu+3Iemg7S3rM3wE98568Q5aiwsLYAWZoBihYarcqrHp0WCHMNmb/7WLFEteC2rFYoYfeFysKY2tWmO40M0ACpy3HBOeqIRD2Lbytl2Sa19cLyOCReYMaO5Pp97EkwdIGF1g+2sqfCMrvoqUf963sJpaA/ESj5kzpfdcOJJck1oYU1wZknJ1pdriRDQMllCYw/CslF4xZGBq31/JuqCOD1oPByGnTzUfjYGhN4uY6mqVGIiwlD4hJh62JWtrtVLPZH8PcmOhP6AiGfa8QTke9+WiTMq7bQzq6Gc3QnVaZeUfFs5aj2yKLYqyW+2OSHj2tO3J6VL21734sk5mNp76X9mKfvUc8iGVmtkMwzY07XYGQhO++m7hxzLUABzlbYunFguppSTO4WmINtRqUGqJmcQZxkgsKyWAJYULBPgvpbqsbuFg+ZpeH3SL3jvnBfifdPDhTglPqzO6aZ4nlbCohT9H1r/fGun158A+qfy8VZqEFk/Y0ohs0x0TkQzkjGAuuOU04w5RWozzHHXOHw4UmaWyb1tqmAssKQ9dAFks1QV8eCjC84wrA1AXKFVASlCy8s+FNA3idZZT3NSwLwDDZldCjMBGm4RpakBUw7RgTHjasNWazfCwEkdH6z8vT4tBE23yxSA1epPd6l9RyRr05zxLECQ4CZZol4DAkWhCnGtFZzpPizrDgzIRs/2zqH+TGbtgZUNfugHoYP1RdMTcfU3qr2t4KoMH2bgXBv2j1524bG9w4ms82txJp7vW0UtlklGo0Wpiry9Yx2ySPSjl9vIAJa6a0w4i3IJRodeliIcIQw4y75kg9QfmD5TKqpmi5F6y+zGnOHo8DppCxLePqARDEHoWnNzpz1pK2GB4mRO97RnVw27KthK4nqw4oSj+8Tpzp+wR7E6pzW7YRaeP7SHVw2zKwgK43qw4oVB+8VrsfzOXEORZJu/1vEWffLc7MY/ZgJ9yIBCKVrnEDl3yNBCwSioUOLRuHstR/X+y+pP0fAZInIgCJ5JInNDTBPWBKeYBVY0Gjjye/J1zh/bPkoZIvb2SMdTgx9V/bMZBSdx4XfUmRsNSP1C6ZFTU6wRKFMCc2d9LM5aJyNF3C9HHP5Dv3zbsPzJS1L0C4IwJzyuDOcEA75pkDZfAUHfPGQUsN1dLMS4mtk8LhejpZ6Lz4Zk7GiWOKzWFFiTR9ci+RVnqyWDY+dV9lr1BHvF6zddnM34b1as4yhi5UoSYiYSZfeQzMMGfhnC1AKhMlE5bwRLo11zgwYZU8X3kR23cl/Vwb4ts7rdk3m/K2Ss7UmJsnK0ylMTqlBaMXRdnENBs3vbQNK4DiWPbWEEu6WgquFIXw4EzQuiKbpDqzl4AdNnRiiCSe5yrTT7GZoOLGtqd17GoJG8egpyVOTEsn03h73mqXCuZOa3VJQjapTgQye2Ff81/l+P630OzY2ZAQJracD51Ulujbwj6aC6TDw/AJ6lSzqXhbwLliq8tBjGn0oA/BmIJXPRpf/JmpvIwcpEy8J7BoeI7hzo2GTlJjaCwuMP3rt/UuJcVP39SD5C1+Qh/ENdT3qRuSbiHOq1OIApbKtiG1MtB/KBU2aVbOshxgSm3LjF3kFUm8OO8ITFDv4AT1qgEofvwC5SsQ6OIcdcV8RTLeHykZ74eR8cP5kdLxw/kwQpoum9fJ6MgR7EiFtX73elWl5qdf5D5PWgKtUZc+peaglYS058pHkkQJVZgBT2TDSYhj3KshOBYyXg1BFxk9DIFnaf+aUNqwtGuDFQ5ecdBS59br8NUdpabdtD131NLP6xFX9nnmIy5Xa3+YlF7x4cOCs11qj6aNf/EQvsPnHkRms/noVc05gN6M0pLimc74lVpObUI0zek3hsmtPYt+PFSdVm442DsNCVOu0pJINE9YkJYymNd4XM/T1D2wBflYx65aN0xhg3uxbVjOp/38bZjGZxwpqnCmvuYkKeJhX6EW8I0t1Oz+RWpM6teyTn2CLN+K8M7Um+X7UNZx6GpWzyGC6zoFHF21TuzdmbfDdazzUHA7aTw0SaN4yWeIng3g+j60ayx6dtUvPba3NA61X7tNP6Xrt7vv5plq1rJmma5yhgAHS/OnlV29JZ9NZPe23nq1CQ3zWO0Vp7TY2PZXeHVa9+S0DndOI4gmtpyn6aoJ6mNWu+6rDCC82D7ZlUnNNo11iyfpBaO+5wQ5wRF+Oh6il5CVcxZb1Y5Nub1FcYxU57UI1qUrt1rV1KbdJuak9uJZ/jGdT9+6i3/1QmOT5SocZSWy76auuTfHhCb7LzAo3yByR3mVm4z2MslJRaZv0brWliL/CDANpIeoC18fWFlS8vgaqaUAuVxy6rekRZxLslg+D1A98xCkhzc62dXXpy6cneDNXfuRqnXrCl4o8RdICRLHEGZpaLsRUFhBU16v7/Ea5euWhN/wEsJcVZv4Wpxd68uo0xcUsM/8EX4adfpcrfrMznk06uzcXF0bMPv0kfQ4YRkKQQ+qdbY3Er2RjIpCD6h3tBqC3rZero/ND1xC2m48vV5ecgpNo3PTt9c+IeX8pcbxxvSjMmYdqw9Zu+uvA686s0pMaQkad2XW0budaRmdU7gq09qvRezF2dRcexnel1y/HP9Lro/OA+sB+YjijqrVNSu7ccST2vI3EUo9Emmm/dXn9BDy6nO++pwvwOf0wXg81oyjO2/YW+Lx8fgzj1UWdCYgG0cdzpmjdxH5vMKfNrevceCt3MHH40w+VuU2ZvZRjz1VQXyUpqJkI3To8HB9lz+0Vet4NoTQYzUNRZtQpdhjIxrH3MV6Gja9BDvhmFXlU81gdHFp6/gx49ZxGo2qIJvvX3mDhVbSbcVC9ZGCMsGtB/klku0LhnkLvZvblu4SFQg9lHREID0Q2ff5pphx/ytGZWyHWUAfGGebiCcyT7aYIzxTgm7fEzR3VM4EBMAU3ZwZE3Ty6cvXZq2hRKpSf/oonkt0IpcRRG99PSn7M29O6KF3o18JhbMZDh5Lb7865nz68jUjdwuqDK8PTM+d3jXNxGPLaElAYBEsSYDp1LJqelz7RbEaJks6prCdS5m9VVIwnnZDaL6hOQq75Po4uZXnnHrzrXHIMj+341v60unLsaTZ26xFc1Faec0pvOqK3IpTz2A2mznlN6heHm2hHRGOYwiPi+J78kehq/GZhYjc/9NIZbMpHtfmxHgB0zlOaEdOdw+X4bWNwFkr0nLIrgRZLECY5G/cdtZjoA/Uh/9wMX0BdBugHYSjN5/1X72x/5RoqVWI5Y1eXYbEvn5MN6bhq+JtOQH7eLR5QcZ0/AtJsRVqT42S08Zc1B4aTOgJzX9NlwleeDPdXrPA6aNmW9DBk/by6n0RwpNC5LorKW0N8HuRcoht0VUU6hUiMJP2+S+0TBZg+PL2FDHefLI1ruMqpJzqmY+Ga79VHp7lc4QzRnr5NexuxBrHR0PrfXbCv6X0EgYrEijziP6xEPW5kKMOMGNc2Z5kAcUkgrAXpSmVM/pIfDZ8wC2AXygPik9dvxb/j138v0Xtv73geCwaa1Pr1Revja2ZgxA2BaptuHETMKVoZpQq1IuvcXLUcoI1iE2EH+YCb86Am3e36WPAnJl2XprbrjsDpTsQbvotQf4OhWulY16/4ZQEm+ZnGHY1BA7APy+1MficPrsqIKY40PMbW/NqHQ5jHXwkjJs/j0GcWT3V8naPAfZOoG+NojbQqLn4HYnqNCX7RvLyWmIdri/Oa0us1044r51w+uDausnV4frbZTeiX5fw6xLelY4/x6LMfQD7PJlMogiX7vgroihoCm2++L7+B94F2uK7uiGyh1oqbxaBzN7edA+vLbkseakC9KasJy32B/UtzTYON3K0w+2uxmU5bAOXyBreQqdoS9hISPKsXOWx0l5YSFi7N707ENNAcAgKSQHifbAkHXgYGsXjGPwvXu4Exo47CMsfPJqR8SVkhx2EJAQ8Pkv0oE0o0I36XqIViA1KGCWPQF3qkij7JBuOY8ACzRLTGsY456ZhNKZIEpW4FAlRKMIbdyjlJy1hj4yvq4dFu1OXE1boary00ZgOiBIasu9dDlYJAivtiQhEZIpoUjPRApfyGYPNbuX7w42o/q+XUf4sRhevcN7VzMasTUsSq1rz7h3mNaf6RG3OrCh6IPDd+NkBwMPSvPQZ2nHLAPwc2LBgik2ntvFQXLs7tHpwZAc/RcRi+fLh5iPCQuCNfQ8hTFiImUJ+40DkY1oON9IyKqwjV4NhJ2mZf58bvJmhICTTcolIJRGft2EyZ2Ljs8QMG3azxN7HGX9+d8+nc36zvuqpw5acVqln1lZajSJsXqwVeG1QWHsrvSjNccG4mlM4JjWDF5VmyWloymrQxfnlj2ezjYIUQhs8vT734JA4fM7BdhBtaYgwIbOetwNtZp9AVGyXf2/KdpwZKNxvzyqGCOk7onY2eYBNy5SxF7apOqHFK504nBpt22U2PQoqbUxtc+48XboXDpgyme1OpUxmZ8OInErCankZO2dYB1Ob0FQ+KRzF6YTU5HStL2YeIZ+4Z4JTKKbYxe49mIVpfHVqfVT9f0qiJK4/UZ6ihicIpgEPd+LT/c3/v/6vTx+RHid/l9sh/F6iCBNWe+kXlbxbomzl4e4yK8pLj1vvu1WfdQUs5GIaC5BQNfaDZg/BFJgNQZG9TuSdt/OtdGdtssdka890+7W2+5XxIE4mLa+JtuZ5at1Kez0bWm7f2HGDrv/8pVtvtWrg6uQm8Tox1WM7zVq4VmRTub0FU9gTQK25eGzE0evk2g2SP4jQ1BSk10n1oevGbTVFQ5VkAVWMg0fYvkZ1MC43XxcynqhdoXmnbSq3LM67k6A8QijOWfetuAa2S9j/cH3nRpG5g2e3tt1yqiER0ByUYkpql39jrJbZwpk0fT8iC1vjcoWUSBoaE+ddDCJSe32kLwL9d7tMTnmA6YRUTYWdvvZjeMJRTOEKXfz9cnI+uZxcIC7Q5fn5xdX5x19+vvrwyz8+Xv380w/vr64uhrn1nzQOdHOHcBgKkNLV67qH8jFDN3erH/VkN3er99kf9aEt5sK/b3tUPKPvsvoAWS/4eqoOTAIiruAIGP7FABmZ4466g7DcEdCf50suhzhwGbC/vT+7vLg4u7j429kP7ydsPXG/mQQ8qlaBdGC+e/iCBARchN5NX6QymaAbpV10PlPYvCy7IhgJWIGQ9e355g5Rzh8bK7oqbABFw2lMEznlbIg7nfFja/K1FwzzOQSurCs+s+nDkJso4AQePn18m3rGjhdaaPa2HGeAIl4v8aF4BnSCfuUiRXZqBtCj/d8LE3a/mXM+mWExWXCK2WLCxWLyRvP3TfEHtYqeh+wWBxcoBAUiIuaIKh0eBTwC6ao3GYJoBmEIIQp4vMmSoljVXgA0X1gqFV+9excnM0oCmczn5Mng6K3LUxCidrtlh8TTP/Rw7o9mKZn2ScxMJkYDnbohdxO/A3F6LBvXShm79rjmbw7a4tJhAh5FmG0LwpOE2Q5FFFIyaOF1iM083ORoQ6WhW3HAkx9DNyfgCYLEXA3YhR/mcY/BKuH/1vCJG1NqHVPPE0qnA1Sh7AM3lybcm98jz+93rUzgc8RjYJn/TPJ6BJcg2MmDrj+j3jM5UVfkD0aPGbMedVUInTmJ1rDcvW7eFRD7C5Q1MMPDZnQFp5NIBZ4CiRGxZFMY58efNlOB38PcUi46AtteNh2PbjQzpCv27sGwz+XOX8VQMk34nKIZlraMLk/NZA+ouzuF5qqdTajFpiaZ/AETdM2FABmb98gUT58EkWDO9N9pi/lObuQ7BuodiVc/vlNBPI0gmqBbRjeFJ6M5Q58IS54mzVeW6isNDcv2NCtUu3RRzwQQF/ESt99ZbZZ0T7QGsV3rTkhuWgi1yqeibeZvKwVNNmRsAlJ70s33fnZlD/g0tDY7U4UHUnsERC5rB317AJifARamHcTNgHIJ0zVubPS6F7QVhNpGTHMkU+9hWBm3ItFxwM6A9EEtN2wqmwtlDwY6xdEXs4BgdQyYNY4+mOeEGZlUU0EHB50BGYLa/+b/M6C+7IOaYqmmOPCdwBwUdIqjD2Ztaw6yg3SbPMIWPsRZkBaO6r5+/fgncV81Ic/ovibhMbqv7dJFPd3XQzt/Tahb/ke2OuLKraTBWYJvdohv5c5s7mo2W6SqYv/K5RJ2PGpLbIJkEvmrGTxHA+nySb9a+TVhcaKm6R9FhFLiLx/oUcx6e5/SSlhpqHqpWCJByE7eb1Eo9okvFhCeZa/QgpSEs2oCuY3HDem0rUt88yvjDox3Vgm1i0Y7zPuBFY9GKF8QbbmqU7TcTt+R5o+/JNJVcZrR+3DAcwi7Iwr99axGqKANDQLw1YrsIoNM+fqWppSPJ7xIZpxTqOUHOpHor5mHuwNrmXB6MtTKkV1KxfwSSR9sqhT9tWAI+NhaUZCGNdChZ5a85B+Htc1q63ryJSDBuUJ3/WyCldF04JFr5xb6oXQs6M6k85eOKoDy//G/AQAA//+Zw/qY" } diff --git a/metricbeat/module/system/filesystem/_meta/fields.yml b/metricbeat/module/system/filesystem/_meta/fields.yml index a66f7efb41e5..0c1e7d556198 100644 --- a/metricbeat/module/system/filesystem/_meta/fields.yml +++ b/metricbeat/module/system/filesystem/_meta/fields.yml @@ -16,7 +16,7 @@ - name: type type: keyword description: > - The disk type. For example: `ext4` + The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks). - name: mount_point type: keyword description: > diff --git a/metricbeat/module/system/filesystem/filesystem.go b/metricbeat/module/system/filesystem/filesystem.go index 579f1daaf6dd..98633fd43450 100644 --- a/metricbeat/module/system/filesystem/filesystem.go +++ b/metricbeat/module/system/filesystem/filesystem.go @@ -78,15 +78,23 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } for _, fs := range fss { - fsStat, err := GetFileSystemStat(fs) + stat, err := GetFileSystemStat(fs) + addStats := true if err != nil { - debugf("error getting filesystem stats for '%s': %v", fs.DirName, err) - continue + addStats = false + m.Logger().Debugf("error fetching filesystem stats for '%s': %v", fs.DirName, err) } - AddFileSystemUsedPercentage(fsStat) + fsStat := FSStat{ + FileSystemUsage: stat, + DevName: fs.DevName, + Mount: fs.DirName, + SysTypeName: fs.SysTypeName, + } + + AddFileSystemUsedPercentage(&fsStat) event := mb.Event{ - MetricSetFields: GetFilesystemEvent(fsStat), + MetricSetFields: GetFilesystemEvent(&fsStat, addStats), } if !r.Event(event) { return nil diff --git a/metricbeat/module/system/filesystem/helper.go b/metricbeat/module/system/filesystem/helper.go index b42504d88251..29b68a34d4d2 100644 --- a/metricbeat/module/system/filesystem/helper.go +++ b/metricbeat/module/system/filesystem/helper.go @@ -110,20 +110,13 @@ func filterFileSystemList(fsList []sigar.FileSystem) []sigar.FileSystem { } // GetFileSystemStat retreves stats for a single filesystem -func GetFileSystemStat(fs sigar.FileSystem) (*FSStat, error) { +func GetFileSystemStat(fs sigar.FileSystem) (sigar.FileSystemUsage, error) { stat := sigar.FileSystemUsage{} + // In some case for Windows OS the disk type value will be `unavailable` and access to this information is not allowed (ex. external disks). if err := stat.Get(fs.DirName); err != nil { - return nil, err - } - - filesystem := FSStat{ - FileSystemUsage: stat, - DevName: fs.DevName, - Mount: fs.DirName, - SysTypeName: fs.SysTypeName, + return stat, err } - - return &filesystem, nil + return stat, nil } // AddFileSystemUsedPercentage adds usage data to the filesystem struct @@ -137,18 +130,20 @@ func AddFileSystemUsedPercentage(f *FSStat) { } // GetFilesystemEvent turns a stat struct into a MapStr -func GetFilesystemEvent(fsStat *FSStat) common.MapStr { +func GetFilesystemEvent(fsStat *FSStat, addStats bool) common.MapStr { evt := common.MapStr{ "type": fsStat.SysTypeName, "device_name": fsStat.DevName, "mount_point": fsStat.Mount, - "total": fsStat.Total, - "available": fsStat.Avail, - "free": fsStat.Free, - "used": common.MapStr{ + } + if addStats == true { + evt.Put("total", fsStat.Total) + evt.Put("available", fsStat.Avail) + evt.Put("free", fsStat.Free) + evt.Put("used", common.MapStr{ "pct": fsStat.UsedPercent, "bytes": fsStat.Used, - }, + }) } if runtime.GOOS != "windows" { evt.Put("files", fsStat.Files) diff --git a/metricbeat/module/system/filesystem/helper_test.go b/metricbeat/module/system/filesystem/helper_test.go index 1f7d0027f5a2..126a44d38a35 100644 --- a/metricbeat/module/system/filesystem/helper_test.go +++ b/metricbeat/module/system/filesystem/helper_test.go @@ -60,7 +60,7 @@ func TestFileSystemList(t *testing.T) { assert.True(t, (stat.Used >= 0)) if runtime.GOOS != "windows" { - assert.NotEqual(t, "", stat.SysTypeName) + assert.NotEqual(t, "", fs.SysTypeName) } } } diff --git a/metricbeat/module/system/fsstat/fsstat.go b/metricbeat/module/system/fsstat/fsstat.go index ab80640a0c4a..6a963dbaf6f5 100644 --- a/metricbeat/module/system/fsstat/fsstat.go +++ b/metricbeat/module/system/fsstat/fsstat.go @@ -85,7 +85,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { m.Logger().Debugf("error fetching filesystem stats for '%s': %v", fs.DirName, err) continue } - m.Logger().Debugf("filesystem: %s total=%d, used=%d, free=%d", stat.Mount, stat.Total, stat.Used, stat.Free) + m.Logger().Debugf("filesystem: %s total=%d, used=%d, free=%d", fs.DirName, stat.Total, stat.Used, stat.Free) totalFiles += stat.Files totalSize += stat.Total diff --git a/testing/environments/docker/kafka/Dockerfile b/testing/environments/docker/kafka/Dockerfile index ff38db49e393..1a5e58836bc3 100644 --- a/testing/environments/docker/kafka/Dockerfile +++ b/testing/environments/docker/kafka/Dockerfile @@ -18,8 +18,11 @@ RUN mkdir -p ${KAFKA_LOGS_DIR} && mkdir -p ${KAFKA_HOME} && \ ADD run.sh /run.sh ADD healthcheck.sh /healthcheck.sh +ADD certs/broker.keystore.jks /broker.keystore.jks +ADD certs/client.truststore.jks /broker.truststore.jks EXPOSE 9092 +EXPOSE 9093 EXPOSE 2181 # healthcheck.sh tries to create and delete an empty kafka topic (the topic diff --git a/testing/environments/docker/kafka/README.md b/testing/environments/docker/kafka/README.md new file mode 100644 index 000000000000..6a7306e2423e --- /dev/null +++ b/testing/environments/docker/kafka/README.md @@ -0,0 +1,35 @@ +# Kafka test container + +This Docker container provides an environment for testing with Kafka. It exposes two ports to the host system, `9092` for `PLAINTEXT` and `9093` for `SASL/SSL` with username `beats` and password `KafkaTest`. + +## Certificates + +The test environment uses a self-signed SSL certificate in the broker. To connect, clients will need to set `certs/client.truststore.jks` as their trust store. + +The files in the `certs` directory were generated with these commands: + +```sh +# create the broker's key +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -validity 5000 -keyalg RSA -genkey + +What is your first and last name? + [Unknown]: kafka + ... + +# create a new certificate authority +openssl req -new -x509 -keyout ca-key -out ca-cert -days 5000 + +# add the CA to the kafka client's trust store +keytool -keystore client.truststore.jks -storepass KafkaTest -alias CARoot -keyalg RSA -import -file ca-cert + +# export the server certificate +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -certreq -file broker-cert + +# sign it with the CA +openssl x509 -req -CA ca-cert -CAkey ca-key -in broker-cert -out broker-cert-signed -days 5000 -CAcreateserial -passin pass:KafkaTest + +# import CA and signed cert back into server keystore +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias CARoot -import -file ca-cert +keytool -keystore broker.keystore.jks -storepass KafkaTest -alias broker -import -file broker-cert-signed + +``` diff --git a/testing/environments/docker/kafka/certs/broker-cert b/testing/environments/docker/kafka/certs/broker-cert new file mode 100644 index 000000000000..3a7d9e2498ae --- /dev/null +++ b/testing/environments/docker/kafka/certs/broker-cert @@ -0,0 +1,18 @@ +-----BEGIN NEW CERTIFICATE REQUEST----- +MIIC3zCCAccCAQAwajEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93 +bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH +VW5rbm93bjEOMAwGA1UEAxMFa2Fma2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCH8VYN9FMHXjnLUwT0AJDKM0u/jXE0ng1UfWPVQaVI+Eny+vmf1zDm +d/AoqXaYKzVNvyRXCy1BZGaLVA3go1U7+tVjtniuLTmveE07PuX4w9/ukZPKlUxf +KCjYCmh38BeYiJA2inaxScDO2hxHfB2pulsM+l9+q0NMXFe6RSUAKS0pAeY8KLz9 +yWg9hfq6JPuPT14HZmyxLn+1SwRbZZ+TQjlAHfZFpu/igg6cif/ez30z5Gqci+2i +VPlwl9peEsaXn5wbuP6J2Uo6dMoGiFyxFdGCWVWP9WDncvfYKJwQs09QdbFLxAst +BYSmOTszUP+h0SohaxpdC4AOcJxs+MwhAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAf +MB0GA1UdDgQWBBRFzbnwQXp+h4xE233eH3D+KfozxTANBgkqhkiG9w0BAQsFAAOC +AQEAQti4SPU8KfSoeLbLUic7UciVmwO0TZtiG+Y6fCTdRm7SYovg2zXH576ERClf +JQCzUuMH1Fi6k5adhMUxopJrVirZWOANoffe3yY/PUuFPMv5rvjmG7JqRNloNFYC +4Jah/XeITkw3BcwYxvY3lOZeXgBoRI+PwaD4JNHYf9ruc8cxY59lbWGCQOdbWYuk +ex/Y/rdmiv1cZpVAYY3VkdUnISXf4eePz4+hUdyuNGYt8Rh/dCj0D/1Xdo9jguUw +IWihuXNfH5hBzBp2hX49tCa7j8stOQW6+AS+ysUBRseFNnsu9j95PD+ue9GU5ZLR +mQzlkeZcfimH796e6XF81oCDkA== +-----END NEW CERTIFICATE REQUEST----- diff --git a/testing/environments/docker/kafka/certs/broker-cert-signed b/testing/environments/docker/kafka/certs/broker-cert-signed new file mode 100644 index 000000000000..b023f3c146d2 --- /dev/null +++ b/testing/environments/docker/kafka/certs/broker-cert-signed @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdsCCQC1GCJdAf28SzANBgkqhkiG9w0BAQUFADANMQswCQYDVQQGEwJV +UzAeFw0yMTEwMjEyMDM0MTBaFw0zNTA2MzAyMDM0MTBaMGoxEDAOBgNVBAYTB1Vu +a25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNV +BAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDjAMBgNVBAMTBWthZmthMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh/FWDfRTB145y1ME9ACQyjNL +v41xNJ4NVH1j1UGlSPhJ8vr5n9cw5nfwKKl2mCs1Tb8kVwstQWRmi1QN4KNVO/rV +Y7Z4ri05r3hNOz7l+MPf7pGTypVMXygo2Apod/AXmIiQNop2sUnAztocR3wdqbpb +DPpffqtDTFxXukUlACktKQHmPCi8/cloPYX6uiT7j09eB2ZssS5/tUsEW2Wfk0I5 +QB32Rabv4oIOnIn/3s99M+RqnIvtolT5cJfaXhLGl5+cG7j+idlKOnTKBohcsRXR +gllVj/Vg53L32CicELNPUHWxS8QLLQWEpjk7M1D/odEqIWsaXQuADnCcbPjMIQID +AQABMA0GCSqGSIb3DQEBBQUAA4IBAQCMGbXC2YdC9+jJjUvuEJIQGwpapJ5Dejng +cnvE//+x8A4W9vC7OJUHcML2GGQIrgvYWlmsCEWX1lJtcVIbqkTqq9Sq99htdMfM +ay4fJB/ey005bhcbEP+19342HkmoOUkEg7qGWZhhL05y0m1vxKvKSUX3p+4TyW1Y +AheRbb9j41Ld3E8+COGwqIWpMNfsGjLqWjUIajemFH91Eo2FFvshM/5ly12GZEil +ivmUqSzV7o6ri0V7DZ5NPOSXEbiMQj5FfmImqXbo7JtBqM/H9S2yAPXZBfAloVNv +XvjG0dY8cnYwGL5MSRiZEuJdimptWnMzFXbD8zyRxSIUMpbDcHNf +-----END CERTIFICATE----- diff --git a/testing/environments/docker/kafka/certs/broker.keystore.jks b/testing/environments/docker/kafka/certs/broker.keystore.jks new file mode 100644 index 000000000000..aa03364e3ac6 Binary files /dev/null and b/testing/environments/docker/kafka/certs/broker.keystore.jks differ diff --git a/testing/environments/docker/kafka/certs/ca-cert b/testing/environments/docker/kafka/certs/ca-cert new file mode 100644 index 000000000000..725647f9d8ba --- /dev/null +++ b/testing/environments/docker/kafka/certs/ca-cert @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICljCCAX4CCQD+dvzut8IfyTANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJV +UzAeFw0yMTEwMjEyMDMyMDJaFw0zNTA2MzAyMDMyMDJaMA0xCzAJBgNVBAYTAlVT +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlR6sKchCTM0qdrjAdWqR +BmSLfHHe+LB43B0T/+3Y1fporzg2eZC1dPCf7TXLzL92NOlJ+JQCsfb160gKTGfb +7+z2jm+vumbYlKVffsD7MjNdW8SDu9hfMa2DyTY742n3R/X8pc4VK0fdlTQx22Zp +aIA+XwD6hHxZQS9PHVNwTFUoPkP4jevcFANwjLUBgy3dPK0iWdVILnaAwEBg82z3 +zWRJ7I4Eg6KS+GtwZPovhiHqcJpz7QPrmggCglL8q0YZQrVrYNucRV1sjPAhEfTA +Sh7Z0UVYdx5+jJq7MyslBqzEM0OrmKrldrTHOAo9+cTc1GiKGRBhVei2R2fP2XAC +HQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA37KiWMR6SZRmlLKV7hP9/9H1cL1FJ +OPa5MKcwh8Q38IRALCF5SlxxOByP8O01ZInkWjR3jJbMc/k4RwxQXfzYDvB4jleU +MyX63qekIsxFdUn+fzt+wA0xb7tOPGVUbM6QI++YH28p8yzSdY/bXrjRweQuVRC0 +B+0zMijI1uU6GRME9+e1OLsN5rDzCFEJUra/+UDc23BTOjC6Az00UKpOGv6oAqg8 +iuCOeVCRVPtd7mGJK1dGW3WXV3pbsu4EvfXve9qFFV/7d811JNBjnhF5lFN2JGVs +Ka9JebJ8EKWff6Ns14FJ2cOG3tx7KuWcnfTdma/mH4PeGoU1Og5Ln/ea +-----END CERTIFICATE----- diff --git a/testing/environments/docker/kafka/certs/ca-cert.srl b/testing/environments/docker/kafka/certs/ca-cert.srl new file mode 100644 index 000000000000..3336d99a9a30 --- /dev/null +++ b/testing/environments/docker/kafka/certs/ca-cert.srl @@ -0,0 +1 @@ +B518225D01FDBC4B diff --git a/testing/environments/docker/kafka/certs/ca-key b/testing/environments/docker/kafka/certs/ca-key new file mode 100644 index 000000000000..63ab92b23aa2 --- /dev/null +++ b/testing/environments/docker/kafka/certs/ca-key @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIPiUp46K/yl8CAggA +MB0GCWCGSAFlAwQBKgQQ3vI4jI41do9rQtAyc+JwfwSCBNDDDv3uSHZ/12ACMLyu +vhrz3en62CT4ooeZKjpep4H/s+2pfqfg5bDeQUguNUo2zsy0EKeK2rIBVUG6KWIa +DWvnl0JaM/TrtGg1pMZMIFPowaf1mNcVcvN5IWEgLgoT+SY8lLtmVqIdU1d2F6nV +t+7JEpktXA5ThS0FbBpW0XI+kG9W7Ln9YPjGLbjcPayJQX1yzWJYEUfmm8lJl7cT +h5V94sB2KP9pwAP/SqElt2QK1BhStUVv3ezp6TT82PETi3No0Uh+oWaxltjPCr4z +5MN/tTDJQGc3llDIrZT+umZcgB6DBsc+nXjrlAHWPeuhIcjNJGs3V0xazQs60M6n +ldhcJH453Muwtp40VDkT21plVPwUrwQX/6gIWIHnyvK44sRG4NvmG+4NBA8V4TdK +AKhkhYTYS+sAUDsAFo408OXvpdGy7G2/cZn+r2frLHLxUU2peqRFP7YqLVs2sdez +sFyt6ZMSAh8UZDYK9kpyQMoeYj7Az14kMKIlE0JADsd3Mn8S/QJrrKWQzQhQVz6O +0rpaGnIM3cICgTK7gTlK+lDIbqAmCYnFLQsU9rHIpzVMkx2iYEId+YNbxodHpFPa +MCz6HU8qI9Tv9JIOfJKdE7tvlSnR89usOU/z+NSGqKm1dhYjG1BNI7wk8/mgMxOg +9BAujodmGvFpMPba84+QT/AtTy9YMMi4Z0H7BKHGD7HwSOTx7kP9hMz/sVVnKxfO +8C9gE91D4enrpQXu7J5JU07LCWSNLiZEegbdKvjBz5Cvfj5LPhazTLYuuU0KNIP9 +MjrgodrSp1LgESAA7z8qKUyhX2Z6uO0q1Q5OUFgGNEWXSYLplhWrvftPqdV0YAFI +4y794sojVBBnHYo+Lm5gugm4cg6bLk/YY3ScQqPYEUwO1LZSMUoB9ixLHUYY48ND +xbevM9V8vLgb6Q46zTCYPxwYfxNlcWxeQjwbVEaha5n2Sgu0dmrG/+LjrEwYtHY7 +zPdTbl28OyvXDqvilXcDQS8ZQBwqkZ00pg9fokElztgVIMp4cbtBTCiqipfNBGJg +ALEu/lFNlGjvv4iwOdx/yhVjFt2Ri3ViTEoTJ3wAh3o4wh/o8wluNb3bMgfKzw61 +/WptUvLnqKIGQ0xZtunxG9WHIpc8oTRZMMUgLnoVzJvdU9cONT5GER9WuQbwXmEE +ytIx9tVq4cb3CoJhynrL9cjGp716nBkx534gyu5N21elb8npk1XAHd6AHUViun0J +TnVHPwSSLN7naaiMKS+8KaknAdjvKCIUytLSRpRb4rkoqD/7MlYlMTAPF5IX6/Xj +fVfR8HKWtkvqhAM4lQ57zwGlpXifGM5Vi/Dq8JYcTOIHIzggbhfi+WVwWJ+SJVp3 +FQBSvyJ0XFV8piuP6J1PB6zXLioRiUMDbrl0Hmwo4spLswRsZ6D/6QuNUeNN2Lh1 +ZqtkAHWnIll1nviSEWPxiu0lA9ZwfPP1t+H0UkVi8JBUCrTh0gyr2e/CGZAd1GoP +/LnvaRntmqytavI65NlPPlvF9S7enjeEkxvtqhAIuU9nTMORnmpXX+xStfm/AtQp +2UNklwWW6bwPhMF9w+FnuJoK7mrQ5DphsZNcTly1RQ0uQkT6yrzWK5MNmLRiNOez +OmM968GQKexUL9r0BmFi7T00rQ== +-----END ENCRYPTED PRIVATE KEY----- diff --git a/testing/environments/docker/kafka/certs/client.truststore.jks b/testing/environments/docker/kafka/certs/client.truststore.jks new file mode 100644 index 000000000000..7b18b3f645ed Binary files /dev/null and b/testing/environments/docker/kafka/certs/client.truststore.jks differ diff --git a/testing/environments/docker/kafka/run.sh b/testing/environments/docker/kafka/run.sh index 873f6951acc1..bfacf2a7242e 100755 --- a/testing/environments/docker/kafka/run.sh +++ b/testing/environments/docker/kafka/run.sh @@ -16,13 +16,31 @@ echo "Starting ZooKeeper" ${KAFKA_HOME}/bin/zookeeper-server-start.sh ${KAFKA_HOME}/config/zookeeper.properties & wait_for_port 2181 +# create a user beats with password KafkaTest, for use in client SASL authentication +/kafka/bin/kafka-configs.sh \ + --zookeeper localhost:2181 \ + --alter --add-config 'SCRAM-SHA-512=[password=KafkaTest]' \ + --entity-type users \ + --entity-name beats + echo "Starting Kafka broker" mkdir -p ${KAFKA_LOGS_DIR} ${KAFKA_HOME}/bin/kafka-server-start.sh ${KAFKA_HOME}/config/server.properties \ - --override delete.topic.enable=true --override advertised.host.name=${KAFKA_ADVERTISED_HOST} \ - --override listeners=PLAINTEXT://0.0.0.0:9092 \ - --override logs.dir=${KAFKA_LOGS_DIR} --override log.flush.interval.ms=200 \ - --override num.partitions=3 & + --override delete.topic.enable=true \ + --override advertised.host.name=${KAFKA_ADVERTISED_HOST} \ + --override listeners=PLAINTEXT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093 \ + --override advertised.listeners=PLAINTEXT://${KAFKA_ADVERTISED_HOST}:9092,SASL_SSL://${KAFKA_ADVERTISED_HOST}:9093 \ + --override inter.broker.listener.name=PLAINTEXT \ + --override sasl.enabled.mechanisms=SCRAM-SHA-512 \ + --override listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config="org.apache.kafka.common.security.scram.ScramLoginModule required;" \ + --override logs.dir=${KAFKA_LOGS_DIR} \ + --override log4j.logger.kafka=DEBUG,kafkaAppender \ + --override log.flush.interval.ms=200 \ + --override num.partitions=3 \ + --override ssl.keystore.location=/broker.keystore.jks \ + --override ssl.keystore.password=KafkaTest \ + --override ssl.truststore.location=/broker.truststore.jks \ + --override ssl.truststore.password=KafkaTest & wait_for_port 9092 diff --git a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc index 696a7368e3f8..ec7a16cd67b3 100644 --- a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc @@ -282,6 +282,90 @@ attribute. The default value is 5. If you have configured a dead letter queue then you can set this value to `-1` to disable deletion on failure. +[float] +==== `sqs.notification_parsing_script.source` + +Inline Javascript source code. + +[source,yaml] +---- +sqs.notification_parsing_script.source: > + function parse(notification) { + var evts = []; + var evt = new S3EventV2(); + evt.SetS3BucketName(notification.bucket); + evt.SetS3ObjectKey(notification.path); + evts.push(evt); + return evts; + } +---- + +[float] +==== `sqs.notification_parsing_script.file` + +Path to a script file to load. Relative paths are interpreted as +relative to the `path.config` directory. Globs are expanded. + +This loads `filter.js` from disk. + +[source,yaml] +---- +sqs.notification_parsing_script.file: ${path.config}/filter.js +---- + +[float] +==== `sqs.notification_parsing_script.files` + +List of script files to load. The scripts are concatenated together. +Relative paths are interpreted as relative to the `path.config` directory. +And globs are expanded. + +[float] +==== `sqs.notification_parsing_script.params` + +A dictionary of parameters that are passed to the `register` of the +script. + +Parameters can be passed to the script by adding `params` to the config. +This allows for a script to be made reusable. When using `params` the +code must define a `register(params)` function to receive the parameters. + +[source,yaml] +---- +sqs.notification_parsing_script: + params: + provider: aws:s3 + source: > + var params = {provider: ""}; + function register(scriptParams) { + params = scriptParams; + } + function parse(notification) { + var evts = []; + var evt = new S3EventV2(); + evt.SetS3BucketName(notification.bucket); + evt.SetS3ObjectKey(notification.path); + evt.SetProvider(params.provider); + evts.push(evt); + return evts; + } +---- + +[float] +==== `sqs.notification_parsing_script.timeout` + +This sets an execution timeout for the `process` function. When +the `process` function takes longer than the `timeout` period the function +is interrupted. You can set this option to prevent a script from running for +too long (like preventing an infinite `while` loop). By default there is no +timeout. + +[float] +==== `sqs.notification_parsing_script.max_cached_sessions` + +This sets the maximum number of Javascript VM sessions +that will be cached to avoid reallocation. + [float] ==== `sqs.wait_time` @@ -426,6 +510,177 @@ Therefore, when using the polling list of S3 bucket objects method, scaling shou vertical, with a single bigger {beatname_uc} instance and higher `number_of_workers` config value. +[float] +=== SQS Custom Notification Parsing Script + +Under some circumstances you might want to listen to events that are not following +the standard SQS notifications format. To be able to parse them, it is possible to +define a custom script that will take care of processing them and generating the +required list of S3 Events used to download the files. + +The `sqs.notification_parsing_script` executes Javascript code to process an event. +It uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. + +It can be configured by embedding Javascript in your configuration file or by pointing +the processor at external file(s). Only one of the options `sqs.notification_parsing_script.source`, `sqs.notification_parsing_script.file`, and `sqs.notification_parsing_script.files` +can be set at the same time. + +The script requires a `parse(notification)` function that receives the notification as +a raw string and returns a list of `S3EventV2` objects. This raw string can then be +processed as needed, e.g.: `JSON.parse(n)` or the provided helper for XML `new XMLDecoder(n)`. + +If the script defines a `test()` function it will be invoked when it is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script. + +[source,javascript] +---- +function parse(n) { + var m = JSON.parse(n); + var evts = []; + var files = m.files; + var bucket = m.bucket; + + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + + return evts; +} + +function test() { + var events = parse({bucket: "aBucket", files: [{path: "path/to/file"}]}); + if (events.length !== 1) { + throw "expecting one event"; + } + if (events[0].S3.Bucket.Name === "aBucket") { + throw "expected bucket === aBucket"; + } + if (events[0].S3.Object.Key === "path/to/file") { + throw "expected bucket === path/to/file"; + } +} +---- + +[float] +==== S3EventV2 API + +The `S3EventV2` object returned by the `parse` method. + +[frame="topbot",options="header"] +|=== +|Method |Description + +|`new S3EventV2()` +|Returns a new `S3EventV2` object. + +*Example*: `var evt = new S3EventV2();` + +|`SetAWSRegion(string)` +|Sets the AWS region. + +*Example*: `evt.SetAWSRegion("us-east-1");` + +|`SetProvider(string)` +|Sets the provider. + +*Example*: `evt.SetProvider("provider");` + +|`SetEventName(string)` +|Sets the event name. + +*Example*: `evt.SetEventName("event-type");` + +|`SetEventSource(string)` +|Sets the event surce. + +*Example*: `evt.SetEventSource("aws:s3");` + +|`SetS3BucketName(string)` +|Sets the bucket name. + +*Example*: `evt.SetS3BucketName("bucket-name");` + +|`SetS3BucketARN(string)` +|Sets the bucket ARN. + +*Example*: `evt.SetS3BucketARN("bucket-ARN");` + +|`SetS3ObjectKey(string)` +|Sets the object key. + +*Example*: `evt.SetS3ObjectKey("path/to/object");` + +|=== + +In order to be able to retrieve an S3 object successfully, at least `S3.Object.Key` +and `S3.Bucket.Name` properties must be set (using the provided setters). The other +properties will be used as metadata in the resulting event when available. + +[float] +==== XMLDecoder API + +To help with XML decoding, an `XMLDecoder` class is provided. + +Example XML input: + +[source,xml] +------------------------------------------------------------------------------- + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + +------------------------------------------------------------------------------- + +Will produce the following output: + +[source,json] +------------------------------------------------------------------------------- +{ + "catalog": { + "book": { + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "seq": "1", + "title": "The Recognitions" + } + } +} +------------------------------------------------------------------------------- + +[frame="topbot",options="header"] +|=== +|Method |Description + +|`new XMLDecoder(string)` +|Returns a new `XMLDecoder` object to decode the provided `string`. + +*Example*: `var dec = new XMLDecoder(n);` + +|`PrependHyphenToAttr()` +|Causes the Decoder to prepend a hyphen (`-`) to to all XML attribute names. + +*Example*: `dec.PrependHyphenToAttr();` + +|`LowercaseKeys()` +|Causes the Decoder to transform all key name to lowercase. + +*Example*: `dec.LowercaseKeys();` + +|`Decode()` +|Reads the XML string and return a map containing the data. + +*Example*: `var m = dec.Decode();` + +|=== [float] === Metrics diff --git a/x-pack/filebeat/input/awss3/config.go b/x-pack/filebeat/input/awss3/config.go index 5b8308d1771e..d25b99a69bdf 100644 --- a/x-pack/filebeat/input/awss3/config.go +++ b/x-pack/filebeat/input/awss3/config.go @@ -24,6 +24,7 @@ type config struct { VisibilityTimeout time.Duration `config:"visibility_timeout"` SQSWaitTime time.Duration `config:"sqs.wait_time"` // The max duration for which the SQS ReceiveMessage call waits for a message to arrive in the queue before returning. SQSMaxReceiveCount int `config:"sqs.max_receive_count"` // The max number of times a message should be received (retried) before deleting it. + SQSScript *scriptConfig `config:"sqs.notification_parsing_script"` FIPSEnabled bool `config:"fips_enabled"` MaxNumberOfMessages int `config:"max_number_of_messages"` QueueURL string `config:"queue_url"` @@ -151,6 +152,36 @@ func (rc *readerConfig) Validate() error { return nil } +type scriptConfig struct { + Source string `config:"source"` // Inline script to execute. + File string `config:"file"` // Source file. + Files []string `config:"files"` // Multiple source files. + Params map[string]interface{} `config:"params"` // Parameters to pass to script. + Timeout time.Duration `config:"timeout" validate:"min=0"` // Execution timeout. + MaxCachedSessions int `config:"max_cached_sessions" validate:"min=0"` // Max. number of cached VM sessions. +} + +// Validate returns an error if one (and only one) option is not set. +func (c scriptConfig) Validate() error { + numConfigured := 0 + for _, set := range []bool{c.Source != "", c.File != "", len(c.Files) > 0} { + if set { + numConfigured++ + } + } + + switch { + case numConfigured == 0: + return errors.New("javascript must be defined via 'file', " + + "'files', or inline as 'source'") + case numConfigured > 1: + return errors.New("javascript can be defined in only one of " + + "'file', 'files', or inline as 'source'") + } + + return nil +} + func (rc *readerConfig) InitDefaults() { rc.BufferSize = 16 * humanize.KiByte rc.MaxBytes = 10 * humanize.MiByte diff --git a/x-pack/filebeat/input/awss3/input.go b/x-pack/filebeat/input/awss3/input.go index edd146b6a23e..bf3f8cf28b24 100644 --- a/x-pack/filebeat/input/awss3/input.go +++ b/x-pack/filebeat/input/awss3/input.go @@ -186,8 +186,12 @@ func (in *s3Input) createSQSReceiver(ctx v2.Context, client beat.Client) (*sqsRe if len(in.config.FileSelectors) == 0 { fileSelectors = []fileSelectorConfig{{ReaderConfig: in.config.ReaderConfig}} } + script, err := newScriptFromConfig(log.Named("sqs_script"), in.config.SQSScript) + if err != nil { + return nil, err + } s3EventHandlerFactory := newS3ObjectProcessorFactory(log.Named("s3"), metrics, s3API, client, fileSelectors) - sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, in.config.VisibilityTimeout, in.config.SQSMaxReceiveCount, s3EventHandlerFactory) + sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, script, in.config.VisibilityTimeout, in.config.SQSMaxReceiveCount, s3EventHandlerFactory) sqsReader := newSQSReader(log.Named("sqs"), metrics, sqsAPI, in.config.MaxNumberOfMessages, sqsMessageHandler) return sqsReader, nil diff --git a/x-pack/filebeat/input/awss3/input_benchmark_test.go b/x-pack/filebeat/input/awss3/input_benchmark_test.go index aabb86b1a6c8..ecdc1756ce4a 100644 --- a/x-pack/filebeat/input/awss3/input_benchmark_test.go +++ b/x-pack/filebeat/input/awss3/input_benchmark_test.go @@ -166,7 +166,7 @@ func benchmarkInputSQS(t *testing.T, maxMessagesInflight int) testing.BenchmarkR conf := makeBenchmarkConfig(t) s3EventHandlerFactory := newS3ObjectProcessorFactory(log.Named("s3"), metrics, s3API, client, conf.FileSelectors) - sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, time.Minute, 5, s3EventHandlerFactory) + sqsMessageHandler := newSQSS3EventProcessor(log.Named("sqs_s3_event"), metrics, sqsAPI, nil, time.Minute, 5, s3EventHandlerFactory) sqsReader := newSQSReader(log.Named("sqs"), metrics, sqsAPI, maxMessagesInflight, sqsMessageHandler) go func() { diff --git a/x-pack/filebeat/input/awss3/script.go b/x-pack/filebeat/input/awss3/script.go new file mode 100644 index 000000000000..812fbe65dc59 --- /dev/null +++ b/x-pack/filebeat/input/awss3/script.go @@ -0,0 +1,150 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package awss3 + +import ( + "bytes" + "io" + "os" + "path/filepath" + "runtime" + "strings" + + "github.com/dop251/goja" + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/paths" +) + +type script struct { + scriptConfig + sessionPool *sessionPool + sourceProg *goja.Program + sourceFile string +} + +// newScriptFromConfig constructs a new Javascript script from the given config +// object. It loads the sources, compiles them, and validates the entry point. +func newScriptFromConfig(log *logp.Logger, c *scriptConfig) (*script, error) { + if c == nil { + return nil, nil + } + err := c.Validate() + if err != nil { + return nil, err + } + + var sourceFile string + var sourceCode []byte + + switch { + case c.Source != "": + sourceFile = "inline.js" + sourceCode = []byte(c.Source) + case c.File != "": + sourceFile, sourceCode, err = loadSources(c.File) + case len(c.Files) > 0: + sourceFile, sourceCode, err = loadSources(c.Files...) + } + if err != nil { + return nil, err + } + + // Validate processor source code. + prog, err := goja.Compile(sourceFile, string(sourceCode), true) + if err != nil { + return nil, err + } + + pool, err := newSessionPool(prog, *c) + if err != nil { + return nil, err + } + + return &script{ + scriptConfig: *c, + sessionPool: pool, + sourceProg: prog, + sourceFile: sourceFile, + }, nil +} + +// loadSources loads javascript source from files. +func loadSources(files ...string) (string, []byte, error) { + var sources []string + buf := new(bytes.Buffer) + + readFile := func(path string) error { + if common.IsStrictPerms() { + if err := common.OwnerHasExclusiveWritePerms(path); err != nil { + return err + } + } + + f, err := os.Open(path) + if err != nil { + return errors.Wrapf(err, "failed to open file %v", path) + } + defer f.Close() + + if _, err = io.Copy(buf, f); err != nil { + return errors.Wrapf(err, "failed to read file %v", path) + } + return nil + } + + for _, filePath := range files { + filePath = paths.Resolve(paths.Config, filePath) + + if hasMeta(filePath) { + matches, err := filepath.Glob(filePath) + if err != nil { + return "", nil, err + } + sources = append(sources, matches...) + } else { + sources = append(sources, filePath) + } + } + + if len(sources) == 0 { + return "", nil, errors.Errorf("no sources were found in %v", + strings.Join(files, ", ")) + } + + for _, name := range sources { + if err := readFile(name); err != nil { + return "", nil, err + } + } + + return strings.Join(sources, ";"), buf.Bytes(), nil +} + +// run runs the parse function. It receives a raw notification +// as a string and returns a list of S3 Events describing +// which files are going to be downloaded. +func (p *script) run(n string) ([]s3EventV2, error) { + s := p.sessionPool.Get() + defer p.sessionPool.Put(s) + + return s.runParseFunc(n) +} + +func (p *script) String() string { + return "script=[type=javascript, sources=" + p.sourceFile + "]" +} + +// hasMeta reports whether path contains any of the magic characters +// recognized by Match/Glob. +func hasMeta(path string) bool { + magicChars := `*?[` + if runtime.GOOS != "windows" { + magicChars = `*?[\` + } + return strings.ContainsAny(path, magicChars) +} diff --git a/x-pack/filebeat/input/awss3/script_jss3event_v2.go b/x-pack/filebeat/input/awss3/script_jss3event_v2.go new file mode 100644 index 000000000000..04cea00a08ba --- /dev/null +++ b/x-pack/filebeat/input/awss3/script_jss3event_v2.go @@ -0,0 +1,69 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package awss3 + +import ( + "strings" + + "github.com/dop251/goja" + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common/encoding/xml" +) + +func newJSS3EventV2Constructor(s *session) func(call goja.ConstructorCall) *goja.Object { + return func(call goja.ConstructorCall) *goja.Object { + if len(call.Arguments) != 0 { + panic(errors.New("Event constructor don't accept arguments")) + } + return s.vm.ToValue(&s3EventV2{}).(*goja.Object) + } +} + +func (e *s3EventV2) SetAWSRegion(v string) { + e.AWSRegion = v +} + +func (e *s3EventV2) SetProvider(v string) { + e.Provider = v +} + +func (e *s3EventV2) SetEventName(v string) { + e.EventName = v +} + +func (e *s3EventV2) SetEventSource(v string) { + e.EventSource = v +} + +func (e *s3EventV2) SetS3BucketName(v string) { + e.S3.Bucket.Name = v +} + +func (e *s3EventV2) SetS3BucketARN(v string) { + e.S3.Bucket.ARN = v +} + +func (e *s3EventV2) SetS3ObjectKey(v string) { + e.S3.Object.Key = v +} + +func newXMLDecoderConstructor(s *session) func(call goja.ConstructorCall) *goja.Object { + return func(call goja.ConstructorCall) *goja.Object { + if len(call.Arguments) != 1 { + panic(errors.New("Event constructor requires one argument")) + } + + a0 := call.Argument(0).Export() + s0, ok := a0.(string) + + if !ok { + panic(errors.Errorf("Event constructor requires a "+ + "string argument but got %T", a0)) + } + + return s.vm.ToValue(xml.NewDecoder(strings.NewReader(s0))).(*goja.Object) + } +} diff --git a/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go b/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go new file mode 100644 index 000000000000..dc387d95e335 --- /dev/null +++ b/x-pack/filebeat/input/awss3/script_jss3event_v2_test.go @@ -0,0 +1,60 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package awss3 + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +const ( + header = `function parse(n) {` + footer = `}` +) + +var log = logp.NewLogger("test") + +func TestJSS3EventV2(t *testing.T) { + logp.TestingSetup() + + source := ` + var evts = []; + var evt = new S3EventV2(); + evt.SetAWSRegion("region"); + evt.SetProvider("provider"); + evt.SetEventName("name"); + evt.SetEventSource("source"); + evt.SetS3BucketName("bucket"); + evt.SetS3BucketARN("arn"); + evt.SetS3ObjectKey("key"); + evts.push(evt); + return evts; + ` + + p, err := newScriptFromConfig(log, &scriptConfig{Source: header + source + footer}) + if err != nil { + t.Fatal(err) + } + + evts, err := p.run(`{}`) + require.NoError(t, err) + require.Equal(t, 1, len(evts)) + + exp := s3EventV2{ + AWSRegion: "region", + Provider: "provider", + EventName: "name", + EventSource: "source", + } + exp.S3.Bucket.Name = "bucket" + exp.S3.Bucket.ARN = "arn" + exp.S3.Object.Key = "key" + + assert.EqualValues(t, exp, evts[0]) +} diff --git a/x-pack/filebeat/input/awss3/script_session.go b/x-pack/filebeat/input/awss3/script_session.go new file mode 100644 index 000000000000..aad0539665ed --- /dev/null +++ b/x-pack/filebeat/input/awss3/script_session.go @@ -0,0 +1,217 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package awss3 + +import ( + "fmt" + "reflect" + "time" + + "github.com/dop251/goja" + "github.com/pkg/errors" + "go.uber.org/zap" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +const ( + logName = "awss3.script" + + entryPointFunction = "parse" + registerFunction = "register" + testFunction = "test" + + timeoutError = "javascript parser execution timeout" +) + +// session is a javascript runtime environment used throughout the life of +// the input instance. +type session struct { + vm *goja.Runtime + log *logp.Logger + parseFunc goja.Callable + timeout time.Duration +} + +func newSession(p *goja.Program, conf scriptConfig, test bool) (*session, error) { + // Create a logger + logger := logp.NewLogger(logName) + + // Setup JS runtime. + s := &session{ + vm: goja.New(), + log: logger, + timeout: conf.Timeout, + } + + // Register common.MapStr as being a simple map[string]interface{} for + // treatment within the JS VM. + s.vm.RegisterSimpleMapType(reflect.TypeOf(common.MapStr(nil)), + func(i interface{}) map[string]interface{} { + return map[string]interface{}(i.(common.MapStr)) + }, + ) + + // Register constructors for 'new S3EventV2' to enable creating them from the JS code. + s.vm.Set("S3EventV2", newJSS3EventV2Constructor(s)) + s.vm.Set("XMLDecoder", newXMLDecoderConstructor(s)) + + if _, err := s.vm.RunProgram(p); err != nil { + return nil, err + } + + if err := s.setParseFunction(); err != nil { + return nil, err + } + + if len(conf.Params) > 0 { + if err := s.registerScriptParams(conf.Params); err != nil { + return nil, err + } + } + + if test { + if err := s.executeTestFunction(); err != nil { + return nil, err + } + } + + return s, nil +} + +// setParseFunction validates that the parse() function exists and stores +// the handle. +func (s *session) setParseFunction() error { + parseFunc := s.vm.Get(entryPointFunction) + if parseFunc == nil { + return errors.New("parse function not found") + } + if parseFunc.ExportType().Kind() != reflect.Func { + return errors.New("parse is not a function") + } + if err := s.vm.ExportTo(parseFunc, &s.parseFunc); err != nil { + return errors.Wrap(err, "failed to export parse function") + } + return nil +} + +// registerScriptParams calls the register() function and passes the params. +func (s *session) registerScriptParams(params map[string]interface{}) error { + registerFunc := s.vm.Get(registerFunction) + if registerFunc == nil { + return errors.New("params were provided but no register function was found") + } + if registerFunc.ExportType().Kind() != reflect.Func { + return errors.New("register is not a function") + } + var register goja.Callable + if err := s.vm.ExportTo(registerFunc, ®ister); err != nil { + return errors.Wrap(err, "failed to export register function") + } + if _, err := register(goja.Undefined(), s.vm.ToValue(params)); err != nil { + return errors.Wrap(err, "failed to register script_params") + } + s.log.Debug("Registered params with script") + return nil +} + +// executeTestFunction executes the test() function if it exists. Any exceptions +// will cause the script to fail to load. +func (s *session) executeTestFunction() error { + if testFunc := s.vm.Get(testFunction); testFunc != nil { + if testFunc.ExportType().Kind() != reflect.Func { + return errors.New("test is not a function") + } + var test goja.Callable + if err := s.vm.ExportTo(testFunc, &test); err != nil { + return errors.Wrap(err, "failed to export test function") + } + _, err := test(goja.Undefined(), nil) + if err != nil { + return errors.Wrap(err, "failed in test() function") + } + s.log.Debugf("Successful test() execution for script.") + } + return nil +} + +// runParseFunc executes parse() from the JS script. +func (s *session) runParseFunc(n string) (out []s3EventV2, err error) { + defer func() { + if r := recover(); r != nil { + s.log.Errorw("The javascript script caused an unexpected panic "+ + "while parsing a notification. Recovering, but please report this.", + "notification", common.MapStr{"original": n}, + "panic", r, + zap.Stack("stack")) + err = fmt.Errorf("unexpected panic in javascript script: %v", r) + } + }() + + // Interrupt the JS code if execution exceeds timeout. + if s.timeout > 0 { + t := time.AfterFunc(s.timeout, func() { + s.vm.Interrupt(timeoutError) + }) + defer t.Stop() + } + + v, err := s.parseFunc(goja.Undefined(), s.vm.ToValue(n)) + if err != nil { + return nil, fmt.Errorf("failed in parse function: %w", err) + } + + if v.Equals(goja.Undefined()) { + return out, nil + } + + if err := s.vm.ExportTo(v, &out); err != nil { + return nil, fmt.Errorf("can't export returned value: %w", err) + } + + return out, nil +} + +type sessionPool struct { + New func() *session + C chan *session +} + +func newSessionPool(p *goja.Program, c scriptConfig) (*sessionPool, error) { + s, err := newSession(p, c, true) + if err != nil { + return nil, err + } + + pool := sessionPool{ + New: func() *session { + s, _ := newSession(p, c, false) + return s + }, + C: make(chan *session, c.MaxCachedSessions), + } + pool.Put(s) + + return &pool, nil +} + +func (p *sessionPool) Get() *session { + select { + case s := <-p.C: + return s + default: + return p.New() + } +} + +func (p *sessionPool) Put(s *session) { + if s != nil { + select { + case p.C <- s: + default: + } + } +} diff --git a/x-pack/filebeat/input/awss3/script_session_test.go b/x-pack/filebeat/input/awss3/script_session_test.go new file mode 100644 index 000000000000..4cad65b03fda --- /dev/null +++ b/x-pack/filebeat/input/awss3/script_session_test.go @@ -0,0 +1,317 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package awss3 + +import ( + "context" + "sync" + "testing" + "time" + + "github.com/elastic/beats/v7/libbeat/logp" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestSessionScriptParams(t *testing.T) { + logp.TestingSetup() + + t.Run("register method is optional", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{Source: header + footer}) + if err != nil { + t.Fatal(err) + } + }) + + t.Run("register required for params", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{Source: header + footer, Params: map[string]interface{}{ + "p1": 42, + }, + }) + if assert.Error(t, err) { + assert.Contains(t, err.Error(), "params were provided") + } + }) + + t.Run("register params", func(t *testing.T) { + const script = ` + function register(params) { + if (params["p1"] !== 42) { + throw "invalid p1"; + } + } + + function parse(n) {} + ` + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: script, + Params: map[string]interface{}{ + "p1": 42, + }, + }) + assert.NoError(t, err) + }) +} + +func TestSessionTestFunction(t *testing.T) { + logp.TestingSetup() + + const script = ` + var fail = false; + + function register(params) { + fail = params["fail"]; + } + + function parse(n) { + if (fail) { + throw "intentional failure"; + } + var m = JSON.parse(n); + var e = new S3EventV2(); + e.SetS3ObjectKey(m["hello"]); + return [e]; + } + + function test() { + var n = "{\"hello\": \"earth\"}"; + var evts = parse(n); + + if (evts[0].S3.Object.Key !== "earth") { + throw "invalid key value"; + } + } + ` + + t.Run("test method is optional", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: header + footer, + }) + if err != nil { + t.Fatal(err) + } + }) + + t.Run("test success", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: script, + Params: map[string]interface{}{ + "fail": false, + }, + }) + assert.NoError(t, err) + }) + + t.Run("test failure", func(t *testing.T) { + _, err := newScriptFromConfig(log, &scriptConfig{ + Source: script, + Params: map[string]interface{}{ + "fail": true, + }, + }) + assert.Error(t, err) + }) +} + +func TestSessionTimeout(t *testing.T) { + logp.TestingSetup() + + const runawayLoop = ` + var m = JSON.parse(n); + while (!m.stop) { + m.hello = "world"; + } + ` + + p, err := newScriptFromConfig(log, &scriptConfig{ + Source: header + runawayLoop + footer, + Timeout: 100 * time.Millisecond, + }) + if err != nil { + t.Fatal(err) + } + + n := `{"stop": false}` + + // Execute and expect a timeout. + _, err = p.run(n) + if assert.Error(t, err) { + assert.Contains(t, err.Error(), timeoutError) + } + + // Verify that any internal runtime interrupt state has been cleared. + n = `{"stop": true}` + _, err = p.run(n) + assert.NoError(t, err) +} + +func TestSessionParallel(t *testing.T) { + logp.TestingSetup() + + const script = ` + var m = JSON.parse(n); + var evt = new S3EventV2(); + evt.SetS3ObjectKey(m.hello.world); + return [evt]; + ` + + p, err := newScriptFromConfig(log, &scriptConfig{ + Source: header + script + footer, + }) + if err != nil { + t.Fatal(err) + } + + const goroutines = 10 + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + var wg sync.WaitGroup + wg.Add(goroutines) + for i := 0; i < goroutines; i++ { + go func() { + defer wg.Done() + for ctx.Err() == nil { + n := `{"hello":{"world": "hello"}}` + evts, err := p.run(n) + require.NoError(t, err) + require.Equal(t, 1, len(evts)) + assert.Equal(t, "hello", evts[0].S3.Object.Key) + } + }() + } + + time.AfterFunc(time.Second, cancel) + wg.Wait() +} + +func TestCreateS3EventsFromNotification(t *testing.T) { + logp.TestingSetup() + + n := `{ + "cid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "timestamp": 1492726639222, + "fileCount": 4, + "totalSize": 349986221, + "bucket": "bucketNNNN", + "pathPrefix": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff", + "files": [ + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz", + "size": 90506437, + "checksum": "ffffffffffffffffffff" + }, + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz", + "size": 86467594, + "checksum": "ffffffffffffffffffff" + }, + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00002.gz", + "size": 83893710, + "checksum": "ffffffffffffffffffff" + }, + { + "path": "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00003.gz", + "size": 89118480, + "checksum": "ffffffffffffffffffff" + } + ] + }` + + const script = ` + function parse(n) { + var m = JSON.parse(n); + var evts = []; + var files = m.files; + var bucket = m.bucket; + + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + + return evts; + } +` + s, err := newScriptFromConfig(log, &scriptConfig{Source: script}) + require.NoError(t, err) + + evts, err := s.run(n) + require.NoError(t, err) + require.Equal(t, 4, len(evts)) + + const expectedBucket = "bucketNNNN" + expectedObjectKeys := []string{ + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00002.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00003.gz", + } + + for i, e := range expectedObjectKeys { + assert.Equal(t, expectedBucket, evts[i].S3.Bucket.Name) + assert.Equal(t, e, evts[i].S3.Object.Key) + } +} + +func TestParseXML(t *testing.T) { + logp.TestingSetup() + + n := ` + bucketNNNN + + logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz + logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz + + ` + + const script = ` + function parse(n) { + var dec = new XMLDecoder(n); + var m = dec.Decode(); + var evts = []; + var files = m.record.files.file; + var bucket = m.record.bucket; + + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + + return evts; + } +` + s, err := newScriptFromConfig(log, &scriptConfig{Source: script}) + require.NoError(t, err) + + evts, err := s.run(n) + require.NoError(t, err) + require.Equal(t, 2, len(evts)) + + const expectedBucket = "bucketNNNN" + expectedObjectKeys := []string{ + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00000.gz", + "logs/aaaa-bbbb-cccc-dddd-eeee-ffff/part-00001.gz", + } + + for i, e := range expectedObjectKeys { + assert.Equal(t, expectedBucket, evts[i].S3.Bucket.Name) + assert.Equal(t, e, evts[i].S3.Object.Key) + } +} diff --git a/x-pack/filebeat/input/awss3/sqs_s3_event.go b/x-pack/filebeat/input/awss3/sqs_s3_event.go index a89aad7fc127..c906c74fa9e0 100644 --- a/x-pack/filebeat/input/awss3/sqs_s3_event.go +++ b/x-pack/filebeat/input/awss3/sqs_s3_event.go @@ -86,9 +86,10 @@ type sqsS3EventProcessor struct { log *logp.Logger warnOnce sync.Once metrics *inputMetrics + script *script } -func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, sqsVisibilityTimeout time.Duration, maxReceiveCount int, s3 s3ObjectHandlerFactory) *sqsS3EventProcessor { +func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, script *script, sqsVisibilityTimeout time.Duration, maxReceiveCount int, s3 s3ObjectHandlerFactory) *sqsS3EventProcessor { if metrics == nil { metrics = newInputMetrics(monitoring.NewRegistry(), "") } @@ -99,6 +100,7 @@ func newSQSS3EventProcessor(log *logp.Logger, metrics *inputMetrics, sqs sqsAPI, sqs: sqs, log: log, metrics: metrics, + script: script, } } @@ -185,6 +187,12 @@ func (p *sqsS3EventProcessor) keepalive(ctx context.Context, log *logp.Logger, w } func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, error) { + // Check if a parsing script is defined. If so, it takes precedence over + // format autodetection. + if p.script != nil { + return p.script.run(body) + } + // NOTE: If AWS introduces a V3 schema this will need updated to handle that schema. var events s3EventsV2 dec := json.NewDecoder(strings.NewReader(body)) @@ -201,6 +209,12 @@ func (p *sqsS3EventProcessor) getS3Notifications(body string) ([]s3EventV2, erro return nil, fmt.Errorf("failed to decode SQS message body as an S3 notification: %w", err) } } + + if events.Records == nil { + p.log.Debugw("Invalid SQS message body: missing Records field", "sqs_message_body", body) + return nil, errors.New("the message is an invalid S3 notification: missing Records field") + } + return p.getS3Info(events) } diff --git a/x-pack/filebeat/input/awss3/sqs_s3_event_test.go b/x-pack/filebeat/input/awss3/sqs_s3_event_test.go index 9edd5ec4ed9d..ad6d30056d42 100644 --- a/x-pack/filebeat/input/awss3/sqs_s3_event_test.go +++ b/x-pack/filebeat/input/awss3/sqs_s3_event_test.go @@ -38,7 +38,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) require.NoError(t, p.ProcessSQS(ctx, &msg)) }) @@ -60,7 +60,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&invalidBodyMsg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) err := p.ProcessSQS(ctx, &invalidBodyMsg) require.Error(t, err) t.Log(err) @@ -75,13 +75,13 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI := NewMockSQSAPI(ctrl) mockS3HandlerFactory := NewMockS3ObjectHandlerFactory(ctrl) - emptyRecordsMsg := newSQSMessage() + emptyRecordsMsg := newSQSMessage([]s3EventV2{}...) gomock.InOrder( mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&emptyRecordsMsg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) require.NoError(t, p.ProcessSQS(ctx, &emptyRecordsMsg)) }) @@ -108,7 +108,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, visibilityTimeout, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, visibilityTimeout, 5, mockS3HandlerFactory) require.NoError(t, p.ProcessSQS(ctx, &msg)) }) @@ -127,7 +127,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockS3Handler.EXPECT().ProcessS3Object().Return(errors.New("fake connectivity problem")), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) err := p.ProcessSQS(ctx, &msg) t.Log(err) require.Error(t, err) @@ -154,7 +154,7 @@ func TestSQSS3EventProcessor(t *testing.T) { mockAPI.EXPECT().DeleteMessage(gomock.Any(), gomock.Eq(&msg)).Return(nil), ) - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, time.Minute, 5, mockS3HandlerFactory) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, mockAPI, nil, time.Minute, 5, mockS3HandlerFactory) err := p.ProcessSQS(ctx, &msg) t.Log(err) require.Error(t, err) @@ -164,7 +164,7 @@ func TestSQSS3EventProcessor(t *testing.T) { func TestSqsProcessor_getS3Notifications(t *testing.T) { logp.TestingSetup() - p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, nil, time.Minute, 5, nil) + p := newSQSS3EventProcessor(logp.NewLogger(inputName), nil, nil, nil, time.Minute, 5, nil) t.Run("s3 key is url unescaped", func(t *testing.T) { msg := newSQSMessage(newS3Event("Happy+Face.jpg")) @@ -194,6 +194,24 @@ func TestSqsProcessor_getS3Notifications(t *testing.T) { assert.Equal(t, "arn:aws:s3:::vpc-flow-logs-ks", events[0].S3.Bucket.ARN) assert.Equal(t, "vpc-flow-logs-ks", events[0].S3.Bucket.Name) }) + + t.Run("missing Records fail", func(t *testing.T) { + msg := `{"message":"missing records"}` + _, err := p.getS3Notifications(msg) + require.Error(t, err) + assert.EqualError(t, err, "the message is an invalid S3 notification: missing Records field") + msg = `{"message":"null records", "Records": null}` + _, err = p.getS3Notifications(msg) + require.Error(t, err) + assert.EqualError(t, err, "the message is an invalid S3 notification: missing Records field") + }) + + t.Run("empty Records does not fail", func(t *testing.T) { + msg := `{"Records":[]}` + events, err := p.getS3Notifications(msg) + require.NoError(t, err) + assert.Equal(t, 0, len(events)) + }) } func TestNonRecoverableError(t *testing.T) { diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc index a7acdb5f4bd3..18c8d57e169d 100644 --- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -12,7 +12,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind Match rules], but is also compatible with other features like https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich Processors]. The related threat intel attribute that is meant to be used for -matching incoming source data is stored under the `threatintel.indicator.*` +matching incoming source data is stored under the `threat.indicator.*` fields. The available filesets are: @@ -68,9 +68,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | URL Threat Intel Fields | ECS Fields -| url | threatintel.indicator.url.full +| url | threat.indicator.url.full | date_added | @timestamp -| host | threatintel.indicator.ip/domain +| host | threat.indicator.ip/domain |============================================================== [[abusemalware]] @@ -112,9 +112,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| file_size | threatintel.indicator.file.size +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| file_size | threat.indicator.file.size |================================================================ [[malwarebazaar]] @@ -156,24 +156,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| tlsh | threatintel.indicator.file.hash.tlsh -| ssdeep | threatintel.indicator.file.hash.ssdeep -| imphash | threatintel.indicator.file.pe.imphash -| file_size | threatintel.indicator.file.size -| file_name | threatintel.indicator.file.name -| file_type_mime | threatintel.indicator.file.mime_type -| file_type | threatintel.indicator.file.type -| reporter | threatintel.indicator.provider -| origin_country | threatintel.indicator.geo.country_iso_code -| signature | threatintel.indicator.signature -| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name -| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name -| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm -| code_sign.valid_from | threatintel.indicator.file.x509.not_before -| code_sign.valid_to | threatintel.indicator.file.x509.not_after -| code_sign.serial_number | threatintel.indicator.file.x509.serial_number +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| sha384_hash | threat.indicator.file.hash.sha384 +| tlsh | threat.indicator.file.hash.tlsh +| ssdeep | threat.indicator.file.hash.ssdeep +| imphash | threat.indicator.file.pe.imphash +| file_size | threat.indicator.file.size +| file_name | threat.indicator.file.name +| file_type_mime | threat.indicator.file.mime_type +| file_type | threat.indicator.file.type +| reporter | threat.indicator.provider +| origin_country | threat.indicator.geo.country_iso_code +| signature | threat.indicator.signature +| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name +| code_sign.issuer_cn | threat.indicator.file.x509.issuer.common_name +| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm +| code_sign.valid_from | threat.indicator.file.x509.not_before +| code_sign.valid_to | threat.indicator.file.x509.not_after +| code_sign.serial_number | threat.indicator.file.x509.serial_number |================================================================ [[misp]] @@ -250,10 +251,10 @@ MISP Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | Malware Threat IntelFields | ECS Fields -| misp.first_seen | threatintel.indicator.first_seen -| misp.last_seen | threatintel.indicator.last_seen +| misp.first_seen | threat.indicator.first_seen +| misp.last_seen | threat.indicator.last_seen | misp.tag | tag -| misp.value | threatintel.indicator.* +| misp.value | threat.indicator.* |============================================================== `misp.value` is mapped to the appropriate field dependent on attribute type. @@ -331,9 +332,9 @@ OTX Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================ | Malware Threat Intel Fields | ECS Fields -| otx.type | threatintel.indicator.type -| otx.description | threatintel.indicator.description -| otx.indicator | threatintel.indicator.* +| otx.type | threat.indicator.type +| otx.description | threat.indicator.description +| otx.indicator | threat.indicator.* |============================================================ `otx.indicator` is mapped to the appropriate field dependent on attribute type. @@ -415,10 +416,10 @@ Anomali Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================= | Malware Threat Intel Fields | ECS Fields -| anomali.description | threatintel.indicator.description -| anomali.created | threatintel.indicator.first_seen -| anomali.modified | threatintel.indicator.last_seen -| anomali.pattern | threatintel.indicator.* +| anomali.description | threat.indicator.description +| anomali.created | threat.indicator.first_seen +| anomali.modified | threat.indicator.last_seen +| anomali.pattern | threat.indicator.* | anomali.labels | tags |============================================================= @@ -486,24 +487,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatStream fields | ECS Fields -| asn | threatintel.indicator.as.number -| classification<> | threatintel.indicator.marking.tlp -| confidence<> | threatintel.indicator.confidence -| country | threatintel.indicator.geo.country_iso_code -| date_first | threatintel.indicator.first_seen -| date_last | threatintel.indicator.last_seen +| asn | threat.indicator.as.number +| classification<> | threat.indicator.marking.tlp +| confidence<> | threat.indicator.confidence +| country | threat.indicator.geo.country_iso_code +| date_first | threat.indicator.first_seen +| date_last | threat.indicator.last_seen | detail | tags -| domain | threatintel.indicator.url.domain -| email | threatintel.indicator.email.address -| itype<> | threatintel.indicator.type -| lat | threatintel.indicator.geo.location.lat -| lon | threatintel.indicator.geo.location.lon -| md5 | threatintel.indicator.file.hash -| org | threatintel.indicator.as.organization.name +| domain | threat.indicator.url.domain +| email | threat.indicator.email.address +| itype<> | threat.indicator.type +| lat | threat.indicator.geo.location.lat +| lon | threat.indicator.geo.location.lon +| md5 | threat.indicator.file.hash +| org | threat.indicator.as.organization.name | severity<> | event.severity -| source | threatintel.indicator.provider -| srcip | threatintel.indicator.ip -| url | threatintel.indicator.url.original +| source | threat.indicator.provider +| srcip | threat.indicator.ip +| url | threat.indicator.url.original |============================================================= [[a]] @@ -585,16 +586,16 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | Recorded Future fields | ECS Fields -| entity.name | threatintel.indicator.{url,ip,domain,file.hash} -| entity.type | threatintel.indicator.type -| fileHashes | threatintel.indicator.file.hash +| entity.name | threat.indicator.{url,ip,domain,file.hash} +| entity.type | threat.indicator.type +| fileHashes | threat.indicator.file.hash | intelCard | event.reference -| location.asn | threatintel.indicator.as.number -| location.location | threatintel.indicator.geo -| location.organization | threatintel.indicator.as.organization.name +| location.asn | threat.indicator.as.number +| location.location | threat.indicator.geo +| location.organization | threat.indicator.as.organization.name | risk.score | event.risk_score -| timestamps.firstSeen | threatintel.indicator.first_seen -| timestamps.lastSeen | threatintel.indicator.last_seen +| timestamps.firstSeen | threat.indicator.first_seen +| timestamps.lastSeen | threat.indicator.last_seen |============================================================= :has-dashboards!: @@ -702,11 +703,11 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatQ fields | ECS Fields -| type.name | threatintel.indicator.type -| description | threatintel.indicator.description -| score | threatintel.indicator.confidence -| value | threatintel.indicator.{url,ip,domain,file.hash} -| sources | threatintel.indicator.provider +| type.name | threat.indicator.type +| description | threat.indicator.description +| score | threat.indicator.confidence +| value | threat.indicator.{url,ip,domain,file.hash} +| sources | threat.indicator.provider |============================================================= :has-dashboards!: diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml index ee199daa6aa2..5fb56abc40ae 100644 --- a/x-pack/filebeat/module/threatintel/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml @@ -4,388 +4,21 @@ description: > Threat intelligence Filebeat Module. fields: - - name: threatintel + - name: "" type: group - description: > - Fields from the threatintel Filebeat module. fields: - - name: indicator.first_seen - type: date - description: > - The date and time when intelligence source first reported sighting this indicator. - - name: indicator.last_seen - type: date - description: > - The date and time when intelligence source last reported sighting this indicator. - - name: indicator.sightings - type: long - description: > - Number of times this indicator was observed conducting threat activity. - - name: indicator.type + - name: threat.indicator.file.hash.tlsh type: keyword description: > - Type of indicator as represented by Cyber Observable in STIX 2.0. - Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - name: indicator.description - type: keyword - description: > - Describes the type of action conducted by the threat. - - name: indicator.scanner_stats - type: long - description: > - Count of AV/EDR vendors that successfully detected malicious file or URL. - - name: indicator.provider + The file's import tlsh, if available. + + - name: threat.indicator.file.hash.sha384 type: keyword description: > - Identifies the name of the intelligence provider. - - name: indicator.confidence + The file's sha384 hash, if available. + + - name: threat.feed.name type: keyword - description: > - Identifies the confidence rating assigned by the provider using STIX confidence scales. - Expected values - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - name: indicator.module - type: keyword - description: > - Identifies the name of specific module this data is coming from. - - name: indicator.dataset - type: keyword - description: > - Identifies the name of specific dataset from the intelligence source. - - name: indicator.reference + + - name: threat.feed.dashboard_id type: keyword - description: > - Reference URL linking to additional information about this indicator. - - name: indicator.ip - type: ip - description: > - Identifies a threat indicator as an IP address (irrespective of direction). - - name: indicator.port - type: long - description: > - Identifies a threat indicator as a port number (irrespective of direction). - - name: indicator.email.address - type: keyword - description: > - Identifies a threat indicator as an email address (irrespective of direction). - - name: indicator.marking.tlp - type: keyword - description: > - Traffic Light Protocol sharing markings. - Expected values are: - * White - * Green - * Amber - * Red - - name: indicator.matched - type: group - fields: - - name: atomic - type: keyword - description: > - Identifies the atomic indicator that matched a local environment endpoint or network event. - - name: field - type: keyword - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - name: type - type: keyword - description: > - Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - name: indicator.as - type: group - fields: - - name: number - type: long - description: - Unique number allocated to the autonomous system. The autonomous system number (ASN) - uniquely identifies each network on the Internet. - example: 15169 - - name: organization.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC - - name: indicator.registry - type: group - fields: - - name: data.strings - type: keyword - ignore_above: 1024 - description: > - Content when writing string types. - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`). - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - - name: path - type: keyword - ignore_above: 1024 - description: Full path, including hive, key and value - example: - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - - name: value - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger - - name: key - type: keyword - ignore_above: 1024 - description: Registry key value - - name: indicator.geo - type: group - fields: - - name: city_name - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: continent_name - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: region_iso_code - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: region_name - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: indicator.file.pe.imphash - type: keyword - ignore_above: 1024 - description: - "A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html." - example: 0c6803c4e922103c4dca5963aad36ddf - - name: indicator.file - type: group - fields: - - name: hash - type: group - fields: - - name: tlsh - type: keyword - description: > - The file's import tlsh, if available. - - name: ssdeep - type: keyword - description: > - The file's ssdeep hash, if available. - - name: md5 - type: keyword - description: > - The file's md5 hash, if available. - - name: sha1 - type: keyword - description: > - The file's sha1 hash, if available. - - name: sha256 - type: keyword - description: > - The file's sha256 hash, if available. - - name: sha384 - type: keyword - description: > - The file's sha384 hash, if available. - - name: sha512 - type: keyword - description: > - The file's sha512 hash, if available. - - name: type - type: keyword - ignore_above: 1024 - description: > - The file type. - - name: size - type: long - description: > - The file's total size. - - name: name - type: keyword - description: > - The file's name. - - name: extension - type: keyword - description: > - The file's extension. - - name: mime_type - type: keyword - description: > - The file's MIME type. - - name: indicator.url - type: group - fields: - - name: domain - type: keyword - description: > - Domain of the url, such as "www.elastic.co". - - name: extension - type: keyword - ignore_above: 1024 - description: > - The field contains the file extension from the original request - - name: fragment - type: keyword - ignore_above: 1024 - description: > - Portion of the url after the `#`, such as "top". - - name: full - type: keyword - description: > - If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - - name: original - type: keyword - description: > - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - - name: password - type: keyword - ignore_above: 1024 - description: > - Password of the request. - - name: path - type: keyword - description: > - Path of the request, such as "/search". - - name: port - type: long - format: string - description: > - Port of the request, such as 443. - - name: query - type: keyword - ignore_above: 1024 - description: > - The query field describes the query string of the request, such - as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases. - - name: registered_domain - type: keyword - description: > - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk". - - name: scheme - type: keyword - ignore_above: 1024 - description: > - Scheme of the request, such as "https". - - name: subdomain - type: keyword - ignore_above: 1024 - description: > - The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period. - - name: top_level_domain - type: keyword - ignore_above: 1024 - description: > - The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk". - - name: username - type: keyword - ignore_above: 1024 - description: > - Username of the request. - - name: indicator.x509 - type: group - fields: - - name: serial_number - type: keyword - ignore_above: 1024 - description: - Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - - name: issuer - type: keyword - ignore_above: 1024 - description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: - C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - - name: subject - type: keyword - ignore_above: 1024 - description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - - name: alternative_names - type: keyword - ignore_above: 1024 - description: - List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: "*.elastic.co" - - name: indicator.signature - type: keyword - description: > - Malware family of sample (if available). diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json index 993d2edcccec..91a5cc790189 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -96,4 +96,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json index 147220191069..c6ef974933ed 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.provider" + "sourceField": "threat.indicator.provider" }, "11576d1f-5400-4a71-bf04-681099e755d5": { "dataType": "number", @@ -95,4 +95,4 @@ "type": "lens", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyOSwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json index 5be6f447603d..0c6776687197 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -96,4 +96,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json index b427db18d513..38b8c85420ee 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -47,7 +47,7 @@ "filters": [], "query": { "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv6-addr" + "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv6-addr" }, "visualization": { "columns": [ @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json index a053c190ada5..b4182474c234 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json @@ -14,7 +14,7 @@ "959db113-1ce6-46fc-97c3-dbf5fd5abb9a": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.abusemalware.signature", + "label": "Top values of abusech.malware.signature", "operationType": "terms", "params": { "missingBucket": false, @@ -27,7 +27,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.abusemalware.signature" + "sourceField": "abusech.malware.signature" }, "de396547-655b-4db2-8a21-e9850acff0b0": { "dataType": "number", @@ -91,13 +91,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.signature" + "field": "abusech.malware.signature" }, "meta": { "alias": null, "disabled": false, "indexRefName": "filter-index-pattern-2", - "key": "threatintel.abusemalware.signature", + "key": "abusech.malware.signature", "negate": false, "type": "exists", "value": "exists" @@ -168,4 +168,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json index 05d17760abc8..c771588f9243 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.resource_uri" + "sourceField": "anomali.threatstream.resource_uri" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json index d8abec34b65a..e2269eea6d9f 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha256" + "sourceField": "threat.indicator.file.hash.sha256" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json index e48267b1fd83..86507728c607 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.classification" + "sourceField": "anomali.threatstream.classification" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json index 4f33f959e3a8..bdfbd6b5096f 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.itype" + "sourceField": "anomali.threatstream.itype" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json index 88c19ed280d8..da5e6785b5ae 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.domain" + "sourceField": "threat.indicator.url.domain" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json index 03bafd193b3e..a6fde56bd64e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.domain" + "sourceField": "threat.indicator.url.domain" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json index 88642bb872e3..27fee210ffd6 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json index 2abc0bb73163..781a6a42a396 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.original" + "sourceField": "threat.indicator.url.original" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json index dbdc1f05605e..741a17e6b105 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomali.name" + "sourceField": "anomali.limo.name" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json index b321f95bae85..e1b1dfc2fc88 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha256" + "sourceField": "threat.indicator.file.hash.sha256" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json index 86e2c9697734..16f93c3473bd 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.original" + "sourceField": "threat.indicator.url.original" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json index be51533efa40..b8cc9578146e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.path" + "sourceField": "threat.indicator.url.path" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json index 42d14abd0ecb..09935680d662 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json @@ -22,7 +22,7 @@ "a6319ec8-2ec8-4d3a-bc54-efe0a306786f": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.indicator.type", + "label": "Top values of threat.indicator.type", "operationType": "terms", "params": { "missingBucket": false, @@ -35,7 +35,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" } }, "incompleteColumns": {} @@ -70,13 +70,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "filter-index-pattern-1", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -147,4 +147,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json index b4784339ef28..ec09008e580e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.recordedfuture.risk.riskSummary" + "sourceField": "recordedfuture.risk.riskSummary" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json index b9d9b336d1e5..7bfea0d313ee 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.md5" + "sourceField": "threat.indicator.file.hash.md5" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json index cb82ae74ba56..b6a60ae06c2e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomali.description" + "sourceField": "anomali.limo.description" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json index ce6d74b37635..7a4ccbec7ff2 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.scheme" + "sourceField": "threat.indicator.url.scheme" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json index 2e80121c2e46..062ccc359f7b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha1" + "sourceField": "threat.indicator.file.hash.sha1" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json index 02719d9dcb0d..17f6d2ccc213 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.domain" + "sourceField": "threat.indicator.url.domain" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json index c75878031077..2ee5c4b1a2ad 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.recordedfuture.risk.criticalityLabel" + "sourceField": "recordedfuture.risk.criticalityLabel" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json index ed51bcc85fb6..5f95d44b92dc 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 3 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.severity" + "sourceField": "anomali.threatstream.severity" } }, "incompleteColumns": {} @@ -98,4 +98,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json index 0850075db5bd..c1110d8d6119 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.confidence" + "sourceField": "threat.indicator.confidence" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1NzgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json index 5915a46aca56..6163c46e0b03 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -47,7 +47,7 @@ "filters": [], "query": { "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv4-addr" + "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv4-addr" }, "visualization": { "columns": [ @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json index 63c9a1eebdec..9eecce1a1c33 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.provider" + "sourceField": "threat.indicator.provider" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json index 0d2bc89d4419..ddb2717dd0e2 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json @@ -15,7 +15,7 @@ "73cdbb81-57ca-4474-a86c-bca60a527d29": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.indicator.type", + "label": "Top values of threat.indicator.type", "operationType": "terms", "params": { "missingBucket": false, @@ -28,7 +28,7 @@ "size": 15 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "89f18519-9360-4d37-ae52-134604ac6cfc": { "customLabel": true, @@ -118,4 +118,4 @@ "type": "lens", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyOCwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json index f630743094ff..e718c0983606 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.state" + "sourceField": "anomali.threatstream.state" } }, "incompleteColumns": {} @@ -112,4 +112,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json index b9b2341c0b1c..4a25b4df0ef6 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.md5" + "sourceField": "threat.indicator.file.hash.md5" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json index 1985a7273804..03d75c58b2ff 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.id" + "sourceField": "anomali.threatstream.id" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json index 45745f96eb07..f4c84cc7426c 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha1" + "sourceField": "threat.indicator.file.hash.sha1" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json index a3740f838db9..7e2446f1e8d7 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.email.address" + "sourceField": "threat.indicator.email.address" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json index c5c7c021b28a..9b281bf47694 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.marking.tlp" + "sourceField": "threat.indicator.marking.tlp" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -112,4 +112,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json index 63e7825a56bc..b37986b02ebb 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json @@ -35,7 +35,7 @@ "type": "count" } ], - "term": "threatintel.indicator.geo.country_iso_code", + "term": "threat.indicator.geo.country_iso_code", "type": "ES_TERM_SOURCE" } } @@ -205,4 +205,4 @@ "type": "map", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json index 8100b60e6b3d..e5e947525664 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json @@ -29,16 +29,16 @@ "applyGlobalQuery": true, "applyGlobalTime": true, "filterByMapBounds": true, - "geoField": "threatintel.indicator.geo.location", + "geoField": "threat.indicator.geo.location", "id": "a3ecc6af-0299-4cb9-a29c-0b70f666b011", "indexPatternRefName": "layer_1_source_index_pattern", "scalingType": "LIMIT", "sortField": "", "sortOrder": "desc", "tooltipProperties": [ - "threatintel.indicator.as.number", - "threatintel.indicator.as.organization.name", - "threatintel.indicator.geo.country_iso_code" + "threat.indicator.as.number", + "threat.indicator.as.organization.name", + "threat.indicator.geo.country_iso_code" ], "topHitsSize": 1, "topHitsSplitField": "", @@ -195,4 +195,4 @@ "type": "map", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json index 93d283d07e01..3bc7559fbf62 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.otx.title" + "field": "otx.title" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.otx.title", + "key": "otx.title", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX Indicator Title", - "field": "threatintel.otx.title", + "field": "otx.title", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NzQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json index 822c006ccc2c..ff5c6b0b875e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha1" + "field": "threat.indicator.file.hash.sha1" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha1", + "key": "threat.indicator.file.hash.sha1", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP SHA1 Hash Indicator", - "field": "threatintel.indicator.file.hash.sha1", + "field": "threat.indicator.file.hash.sha1", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2NDEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json index 1197b8b4a7ea..44b6e23d5533 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.md5" + "field": "threat.indicator.file.hash.md5" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.md5", + "key": "threat.indicator.file.hash.md5", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX MD5 Hash Indicator", - "field": "threatintel.indicator.file.hash.md5", + "field": "threat.indicator.file.hash.md5", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NzMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json index bf55ff3b2377..624dde62b61d 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha1" + "field": "threat.indicator.file.hash.sha1" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha1", + "key": "threat.indicator.file.hash.sha1", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "2", "params": { "customLabel": "SHA1 Hash", - "field": "threatintel.indicator.file.hash.sha1", + "field": "threat.indicator.file.hash.sha1", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json index f9fc2390a2b3..f43232fe645c 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha256" + "field": "threat.indicator.file.hash.sha256" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha256", + "key": "threat.indicator.file.hash.sha256", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -84,7 +84,7 @@ "id": "2", "params": { "customLabel": "SHA256 Hash", - "field": "threatintel.indicator.file.hash.sha256", + "field": "threat.indicator.file.hash.sha256", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -101,7 +101,7 @@ "id": "3", "params": { "customLabel": "File Type", - "field": "threatintel.indicator.file.type", + "field": "threat.indicator.file.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -162,4 +162,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json index b2e430cff4c5..e972911d995b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json @@ -26,13 +26,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -143,4 +143,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NDksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json index 711442477602..550140b912fe 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.domain" + "field": "threat.indicator.url.domain" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.domain", + "key": "threat.indicator.url.domain", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "Threat Indicator Domain", - "field": "threatintel.indicator.domain", + "field": "threat.indicator.url.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json index e2f3d6fda091..e77a6cee76be 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha256" + "field": "threat.indicator.file.hash.sha256" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha256", + "key": "threat.indicator.file.hash.sha256", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP SHA256 Hash Indicator", - "field": "threatintel.indicator.file.hash.sha256", + "field": "threat.indicator.file.hash.sha256", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2NDIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json index 328a64f0785b..57ca90543d38 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.pe.imphash" + "field": "threat.indicator.file.pe.imphash" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.pe.imphash", + "key": "threat.indicator.file.pe.imphash", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "2", "params": { "customLabel": "Imphash Hash", - "field": "threatintel.indicator.file.pe.imphash", + "field": "threat.indicator.file.pe.imphash", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json index b3e12fb41934..4bec354e5368 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.md5" + "field": "threat.indicator.file.hash.md5" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.md5", + "key": "threat.indicator.file.hash.md5", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "2", "params": { "customLabel": "MD5 Hash", - "field": "threatintel.indicator.file.hash.md5", + "field": "threat.indicator.file.hash.md5", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json index 0e395ef24310..9bb6455feea9 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.ip" + "field": "threat.indicator.ip" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.ip", + "key": "threat.indicator.ip", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX IP Indicator", - "field": "threatintel.indicator.ip", + "field": "threat.indicator.ip", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NjcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json index f931164c8889..50f2a9cebc51 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json @@ -28,7 +28,7 @@ "id": "2", "params": { "customLabel": "Confidence", - "field": "threatintel.indicator.confidence", + "field": "threat.indicator.confidence", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -148,4 +148,4 @@ "type": "visualization", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUzMCwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json index 3edcd79c797f..bc86816afc39 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.original" + "field": "threat.indicator.url.original" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.original", + "key": "threat.indicator.url.original", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX URL Indicator", - "field": "threatintel.indicator.url.original", + "field": "threat.indicator.url.original", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NjksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json index f8d2e419a2b5..a3e2646eea24 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json @@ -27,7 +27,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.file.type", + "field": "threat.indicator.file.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -82,4 +82,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json index d1e07d3fbbbd..37aa10e1c045 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.ssdeep" + "field": "threat.indicator.file.hash.ssdeep" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.ssdeep", + "key": "threat.indicator.file.hash.ssdeep", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -84,7 +84,7 @@ "id": "2", "params": { "customLabel": "ssdeep Hash", - "field": "threatintel.indicator.file.hash.ssdeep", + "field": "threat.indicator.file.hash.ssdeep", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -101,7 +101,7 @@ "id": "3", "params": { "customLabel": "File Type", - "field": "threatintel.indicator.file.type", + "field": "threat.indicator.file.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -162,4 +162,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json index 79f94d2a0466..65880a6f4bb3 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.domain" + "field": "threat.indicator.url.domain" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.domain", + "key": "threat.indicator.url.domain", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX IP Indicator", - "field": "threatintel.indicator.domain", + "field": "threat.indicator.url.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NjgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json index f44f7a32fa3b..324c632ab271 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha256" + "field": "threat.indicator.file.hash.sha256" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha256", + "key": "threat.indicator.file.hash.sha256", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX SHA256 Hash Indicator", - "field": "threatintel.indicator.file.hash.sha256", + "field": "threat.indicator.file.hash.sha256", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NzIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json index 927f457e351e..014612f2d3c2 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.provider" + "field": "threat.indicator.provider" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.provider", + "key": "threat.indicator.provider", "negate": false, "type": "exists", "value": "exists" @@ -72,7 +72,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.provider", + "field": "threat.indicator.provider", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -137,4 +137,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2NDMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json index db8a7fcef7e3..ad4c74b01107 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.sha256" + "field": "threat.indicator.file.hash.sha256" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.sha256", + "key": "threat.indicator.file.hash.sha256", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "2", "params": { "customLabel": "SHA256 Hash", - "field": "threatintel.indicator.file.hash.sha256", + "field": "threat.indicator.file.hash.sha256", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json index f559210728b0..b5fe450d2737 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json @@ -28,7 +28,7 @@ "id": "2", "params": { "customLabel": "Most Linked Adversaries", - "field": "threatintel.threatq.adversaries", + "field": "threatq.adversaries", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -74,4 +74,4 @@ "type": "visualization", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyNiwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json index fde00ab644d2..3626ee406b76 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json @@ -31,7 +31,7 @@ "id": "2", "params": { "customLabel": "Indicator Type", - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -48,7 +48,7 @@ "id": "3", "params": { "customLabel": "Indicator Value", - "field": "threatintel.threatq.indicator_value", + "field": "threatq.indicator_value", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -94,4 +94,4 @@ "type": "visualization", "updated_at": "2021-10-11T08:07:14.354Z", "version": "WzYxNCwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json index 4e9740c9a101..75b7601754b8 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.path" + "field": "threat.indicator.url.path" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.path", + "key": "threat.indicator.url.path", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX URI Indicator", - "field": "threatintel.indicator.url.path", + "field": "threat.indicator.url.path", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NzEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json index c0879c8aff75..039e88b76777 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.full" + "field": "threat.indicator.url.full" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.full", + "key": "threat.indicator.url.full", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "Threat Indicator URL", - "field": "threatintel.indicator.url.full", + "field": "threat.indicator.url.full", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json index 479d7e408e3c..4de8710a0e28 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.ssdeep" + "field": "threat.indicator.file.hash.ssdeep" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.ssdeep", + "key": "threat.indicator.file.hash.ssdeep", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "2", "params": { "customLabel": "ssdeep Hash", - "field": "threatintel.indicator.file.hash.ssdeep", + "field": "threat.indicator.file.hash.ssdeep", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json index 6767b7e0d19f..e2833363e125 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.domain" + "field": "threat.indicator.url.domain" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.domain", + "key": "threat.indicator.url.domain", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP Domain Indicator", - "field": "threatintel.indicator.domain", + "field": "threat.indicator.url.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json index bc70c5824daa..773a823e5145 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.tlsh" + "field": "threat.indicator.file.hash.tlsh" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.tlsh", + "key": "threat.indicator.file.hash.tlsh", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "2", "params": { "customLabel": "TLSH Hash", - "field": "threatintel.indicator.file.hash.tlsh", + "field": "threat.indicator.file.hash.tlsh", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json index 50bed6e06e48..0551a2e44289 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.tlsh" + "field": "threat.indicator.file.hash.tlsh" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.tlsh", + "key": "threat.indicator.file.hash.tlsh", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -84,7 +84,7 @@ "id": "2", "params": { "customLabel": "TLSH Hash", - "field": "threatintel.indicator.file.hash.tlsh", + "field": "threat.indicator.file.hash.tlsh", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -101,7 +101,7 @@ "id": "3", "params": { "customLabel": "File Type", - "field": "threatintel.indicator.file.type", + "field": "threat.indicator.file.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -162,4 +162,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json index 6ca2835a167e..ffb99fa08381 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -66,7 +66,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -131,4 +131,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json index 08ea90539c1e..75f21ca1a42c 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.first_seen" + "field": "threat.indicator.first_seen" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.first_seen", + "key": "threat.indicator.first_seen", "negate": false, "type": "exists", "value": "exists" @@ -76,7 +76,7 @@ "id": "2", "params": { "customLabel": "Indicator First Seen", - "field": "threatintel.indicator.first_seen", + "field": "threat.indicator.first_seen", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -132,4 +132,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json index 3001eca60822..0b947ec09cdc 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.threat" + "field": "abusech.url.threat" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.threat", + "key": "abusech.url.threat", "negate": false, "type": "exists", "value": "exists" @@ -73,7 +73,7 @@ "id": "2", "params": { "customLabel": "Abuse URL Threat", - "field": "threatintel.abuseurl.threat", + "field": "abusech.url.threat", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -204,4 +204,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json index 8fd2ef65b070..13aee45f317c 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.extension" + "field": "threat.indicator.file.extension" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.extension", + "key": "threat.indicator.file.extension", "negate": false, "type": "exists", "value": "exists" @@ -66,7 +66,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.file.extension", + "field": "threat.indicator.file.extension", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -131,4 +131,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json index cfa8fad37893..652e363bbf01 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json @@ -34,7 +34,7 @@ "id": "2", "params": { "customLabel": "Threat Indicator Provider", - "field": "threatintel.indicator.provider", + "field": "threat.indicator.provider", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -156,4 +156,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json index 3e1c8861cedf..9146d87144a0 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.domain" + "field": "threat.indicator.url.domain" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.domain", + "key": "threat.indicator.url.domain", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "AlienVault OTX URL Domain Indicator", - "field": "threatintel.indicator.url.domain", + "field": "threat.indicator.url.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NzAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json index f9a63566f096..c6ec332aa22b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json @@ -33,7 +33,7 @@ "type": "list" }, { - "fieldName": "threatintel.indicator.provider", + "fieldName": "threat.indicator.provider", "id": "1614117093181", "indexPatternRefName": "control_1_index_pattern", "label": "Indicator Provider", @@ -48,7 +48,7 @@ "type": "list" }, { - "fieldName": "threatintel.indicator.type", + "fieldName": "threat.indicator.type", "id": "1614117117360", "indexPatternRefName": "control_2_index_pattern", "label": "Indicator Type", @@ -101,4 +101,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NDcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json index a9c17ee0611b..b2f747547b3f 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json @@ -35,7 +35,7 @@ "id": "2", "params": { "customLabel": "", - "field": "threatintel.indicator.url.scheme", + "field": "threat.indicator.url.scheme", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -156,4 +156,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NjQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json index 0c5102dfd149..03edc5edc0bc 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.tags" + "field": "abusech.url.tags" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.tags", + "key": "abusech.url.tags", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "Abuse URL Tags", - "field": "threatintel.abuseurl.tags", + "field": "abusech.url.tags", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json index d81abd72e48e..d34f5079186c 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.ip" + "field": "threat.indicator.ip" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.ip", + "key": "threat.indicator.ip", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP IP Indicator", - "field": "threatintel.indicator.ip", + "field": "threat.indicator.ip", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json index 419dcc323d14..ba4ce6e4ea7a 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.blacklists.spamhaus_dbl" + "field": "abusech.url.blacklists.spamhaus_dbl" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.blacklists.spamhaus_dbl", + "key": "abusech.url.blacklists.spamhaus_dbl", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.blacklists.surbl" + "field": "abusech.url.blacklists.surbl" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.abuseurl.blacklists.surbl", + "key": "abusech.url.blacklists.surbl", "negate": false, "type": "exists", "value": "exists" @@ -84,7 +84,7 @@ "id": "2", "params": { "customLabel": "Spamhaus DBL Blacklist Status", - "field": "threatintel.abuseurl.blacklists.spamhaus_dbl", + "field": "abusech.url.blacklists.spamhaus_dbl", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -101,7 +101,7 @@ "id": "3", "params": { "customLabel": "SURBL Blacklist Status", - "field": "threatintel.abuseurl.blacklists.surbl", + "field": "abusech.url.blacklists.surbl", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -162,4 +162,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NjAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json index 007929c6d0aa..813400590127 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.scheme" + "field": "threat.indicator.url.scheme" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.scheme", + "key": "threat.indicator.url.scheme", "negate": false, "type": "exists", "value": "exists" @@ -74,7 +74,7 @@ "id": "2", "params": { "customLabel": "URL Scheme", - "field": "threatintel.indicator.url.scheme", + "field": "threat.indicator.url.scheme", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -90,7 +90,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.url.scheme", + "field": "threat.indicator.url.scheme", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -220,4 +220,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json index 59f66be7644a..25929d8fef8f 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json @@ -27,7 +27,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -82,4 +82,4 @@ "type": "visualization", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyNSwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json index a0719389fc87..0b6cc17dce5c 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json @@ -35,7 +35,7 @@ "id": "2", "params": { "customLabel": "Indicator Marking TLP", - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -51,7 +51,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -171,4 +171,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json index 0d3c70a156f3..09bbd1da8a40 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json @@ -9,13 +9,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.marking.tlp" + "field": "threat.indicator.marking.tlp" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "threatintel.indicator.marking.tlp", + "key": "threat.indicator.marking.tlp", "negate": false, "type": "exists", "value": "exists" @@ -55,7 +55,7 @@ "id": "2", "params": { "customLabel": "Indicator Marking TLP", - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -71,7 +71,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -196,4 +196,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json index dd4771dced6a..6b53ad4b086a 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.pe.imphash" + "field": "threat.indicator.file.pe.imphash" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.pe.imphash", + "key": "threat.indicator.file.pe.imphash", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -84,7 +84,7 @@ "id": "2", "params": { "customLabel": "Imphash Hash", - "field": "threatintel.indicator.file.pe.imphash", + "field": "threat.indicator.file.pe.imphash", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -101,7 +101,7 @@ "id": "3", "params": { "customLabel": "File Type", - "field": "threatintel.indicator.file.type", + "field": "threat.indicator.file.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -162,4 +162,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json index f1fc5472b6b2..395627036b14 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.malwarebazaar.intelligence.downloads" + "field": "abusech.malwarebazaar.intelligence.downloads" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.malwarebazaar.intelligence.downloads", + "key": "abusech.malwarebazaar.intelligence.downloads", "negate": false, "type": "exists", "value": "exists" @@ -76,7 +76,7 @@ "id": "2", "params": { "customLabel": "Malware Bazaar Downloads", - "field": "threatintel.malwarebazaar.intelligence.downloads", + "field": "abusech.malwarebazaar.intelligence.downloads", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -132,4 +132,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json index f65bf82d5b37..f71bb2359224 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.misp.published" + "field": "misp.published" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.misp.published", + "key": "misp.published", "negate": false, "type": "exists", "value": "exists" @@ -72,7 +72,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.misp.published", + "field": "misp.published", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -137,4 +137,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json index 4ee6602cf678..e992bfb85852 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.full" + "field": "threat.indicator.url.full" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.full", + "key": "threat.indicator.url.full", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP URL Indicator", - "field": "threatintel.indicator.url.full", + "field": "threat.indicator.url.full", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json index 225ca993710b..ad6317b41015 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.provider" + "field": "threat.indicator.provider" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.provider", + "key": "threat.indicator.provider", "negate": false, "type": "exists", "value": "exists" @@ -73,7 +73,7 @@ "id": "2", "params": { "customLabel": "Indicator Provider", - "field": "threatintel.indicator.provider", + "field": "threat.indicator.provider", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -204,4 +204,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json index 18539863d1ac..6619c3564fe5 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json @@ -9,13 +9,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -192,4 +192,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json index 107bf321eacc..340bcc359c89 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.mime_type" + "field": "threat.indicator.file.mime_type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.mime_type", + "key": "threat.indicator.file.mime_type", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "3", "params": { "customLabel": "File MIME Type", - "field": "threatintel.indicator.file.mime_type", + "field": "threat.indicator.file.mime_type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json index 26f577c28648..7450b3832911 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.full" + "field": "threat.indicator.url.full" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.full", + "key": "threat.indicator.url.full", "negate": false, "type": "exists", "value": "exists" @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json index bd6250bdc9b2..a3f14f00b0e7 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.malwarebazaar.intelligence.uploads" + "field": "abusech.malwarebazaar.intelligence.uploads" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.malwarebazaar.intelligence.uploads", + "key": "abusech.malwarebazaar.intelligence.uploads", "negate": false, "type": "exists", "value": "exists" @@ -76,7 +76,7 @@ "id": "2", "params": { "customLabel": "Malware Bazaar Uploads", - "field": "threatintel.malwarebazaar.intelligence.uploads", + "field": "abusech.malwarebazaar.intelligence.uploads", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -132,4 +132,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json index 3674297d1586..fa58d2934c7e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.url_status" + "field": "abusech.url.url_status" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.url_status", + "key": "abusech.url.url_status", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "URL Status", - "field": "threatintel.abuseurl.url_status", + "field": "abusech.url.url_status", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json index e05220ceeabd..8745f6c3ca3d 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.larted" + "field": "abusech.url.larted" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.larted", + "key": "abusech.url.larted", "negate": false, "type": "exists", "value": "exists" @@ -73,7 +73,7 @@ "id": "2", "params": { "customLabel": "Hosting Provider Notified", - "field": "threatintel.abuseurl.larted", + "field": "abusech.url.larted", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -138,4 +138,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json index 4a7c4dfa7406..517fa9c84ce9 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.md5" + "field": "threat.indicator.file.hash.md5" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.md5", + "key": "threat.indicator.file.hash.md5", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP MD5 Hash Indicator", - "field": "threatintel.indicator.file.hash.md5", + "field": "threat.indicator.file.hash.md5", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2NDAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json index ea0aef5cb860..16d083d87624 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.threat" + "field": "abusech.url.threat" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.threat", + "key": "abusech.url.threat", "negate": false, "type": "exists", "value": "exists" @@ -72,7 +72,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.provider", + "field": "threat.indicator.provider", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -203,4 +203,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json index 3d473b4e17de..41b0ecfa65b5 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -66,7 +66,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -131,4 +131,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NjYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json index 958c15dba69e..664816cccba4 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.malwarebazaar.tags" + "field": "abusech.malwarebazaar.tags" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.malwarebazaar.tags", + "key": "abusech.malwarebazaar.tags", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "Malware Bazaar Tags", - "field": "threatintel.malwarebazaar.tags", + "field": "abusech.malwarebazaar.tags", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json index 21660b248e40..516a572fb886 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.virustotal.link" + "field": "abusech.malware.virustotal.link" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abusemalware.virustotal.link", + "key": "abusech.malware.virustotal.link", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.virustotal.result" + "field": "abusech.malware.virustotal.result" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.abusemalware.virustotal.result", + "key": "abusech.malware.virustotal.result", "negate": false, "type": "exists", "value": "exists" @@ -95,7 +95,7 @@ "id": "2", "params": { "customLabel": "VirusTotal URL", - "field": "threatintel.abusemalware.virustotal.link", + "field": "abusech.malware.virustotal.link", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -112,7 +112,7 @@ "id": "3", "params": { "customLabel": "VirusTotal Result", - "field": "threatintel.abusemalware.virustotal.result", + "field": "abusech.malware.virustotal.result", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -173,4 +173,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MTAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml index 55f8657bc6ec..73aae20e07ff 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: abusemalware +- name: abusech.malware type: group description: > Fields for AbuseCH Malware Threat Intel @@ -31,4 +31,4 @@ - name: virustotal.link type: keyword description: > - Link to the Virustotal report. \ No newline at end of file + Link to the Virustotal report. diff --git a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml index e7f4f8cc2649..b4365bd3e5bc 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml @@ -11,10 +11,9 @@ request.ssl: {{ .ssl | tojson }} request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} -request.transforms: -- set: - target: header.Content-Type - value: application/json +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} response.split: target: body.payloads @@ -30,17 +29,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.md5_hash"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml index 5e24b68c52ee..da0b365724fa 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing Abuse.ch Malware Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -20,92 +24,110 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.abusemalware + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: abusech.malware + - fingerprint: + fields: + - abusech.malware.md5_hash + - abusech.malware.sha256_hash + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] AbuseCH Malware" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - date: - field: threatintel.abusemalware.firstseen - target_field: threatintel.indicator.first_seen + field: abusech.malware.firstseen + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.abusemalware.firstseen != null" + if: "ctx.abusech?.malware?.firstseen != null" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - rename: - field: threatintel.abusemalware.file_size - target_field: threatintel.indicator.file.size + field: abusech.malware.file_size + target_field: threat.indicator.file.size ignore_missing: true - rename: - field: threatintel.abusemalware.file_type - target_field: threatintel.indicator.file.type + field: abusech.malware.file_type + target_field: threat.indicator.file.type ignore_missing: true # This includes a direct link to malicious files, we do not want them to appear in Kibana # in case they are accidently clicked. - remove: - field: threatintel.abusemalware.urlhaus_download + field: abusech.malware.urlhaus_download ignore_missing: true - convert: - field: threatintel.indicator.file.size + field: threat.indicator.file.size type: long ignore_missing: true + - convert: + field: abusech.malware.virustotal.percent + type: float + ignore_missing: true - rename: - field: threatintel.abusemalware.md5_hash - target_field: threatintel.indicator.file.hash.md5 + field: abusech.malware.md5_hash + target_field: threat.indicator.file.hash.md5 ignore_missing: true - rename: - field: threatintel.abusemalware.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 + field: abusech.malware.sha256_hash + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - rename: - field: threatintel.abusemalware.imphash - target_field: threatintel.indicator.file.pe.imphash + field: abusech.malware.imphash + target_field: threat.indicator.file.pe.imphash ignore_missing: true - rename: - field: threatintel.abusemalware.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep + field: abusech.malware.ssdeep + target_field: threat.indicator.file.hash.ssdeep ignore_missing: true - rename: - field: threatintel.abusemalware.tlsh - target_field: threatintel.indicator.file.hash.tlsh + field: abusech.malware.tlsh + target_field: threat.indicator.file.hash.tlsh ignore_missing: true - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.md5 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + value: "{{{threat.indicator.file.hash.md5}}}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.sha256 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + value: "{{{threat.indicator.file.hash.sha256}}}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.ssdeep }}" - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + value: "{{{threat.indicator.file.hash.ssdeep}}}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null - append: field: related.hash - value: "{{ threatintel.indicator.file.pe.imphash }}" - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + value: "{{{threat.indicator.file.pe.imphash}}}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.tlsh }}" - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null + value: "{{{threat.indicator.file.hash.tlsh}}}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null ###################### # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -127,9 +149,14 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.abusemalware.firstseen + - abusech.malware.firstseen - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml index 5fe3a155180e..0d755b7b38d3 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml @@ -11,6 +11,9 @@ var: - name: tags default: [threatintel-abusemalware, forwarded] - name: proxy_url + - name: preserve_original_event + default: false + - name: http_client_timeout ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json index 6c31b6f779c2..75a4d118ba36 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json @@ -20,15 +20,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724", - "threatintel.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW", - "threatintel.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:14:05.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724", + "threat.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW", + "threat.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:14:05.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -51,17 +53,22 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163", - "threatintel.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr", - "threatintel.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:11:41.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163", + "threat.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr", + "threat.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:11:41.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d", + "abusech.malware.virustotal.percent": 37.88, + "abusech.malware.virustotal.result": "25 / 66", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", @@ -82,18 +89,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d", - "threatintel.abusemalware.virustotal.percent": "37.88", - "threatintel.abusemalware.virustotal.result": "25 / 66", - "threatintel.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf", - "threatintel.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd", - "threatintel.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:11:22.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf", + "threat.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd", + "threat.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:11:22.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -116,15 +122,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8", - "threatintel.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH", - "threatintel.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:11:21.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8", + "threat.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH", + "threat.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:11:21.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -146,16 +154,21 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5", - "threatintel.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", - "threatintel.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR", - "threatintel.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190", - "threatintel.indicator.file.size": 352, - "threatintel.indicator.file.type": "unknown", - "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5", + "threat.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", + "threat.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR", + "threat.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190", + "threat.indicator.file.size": 352, + "threat.indicator.file.type": "unknown", + "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0", + "abusech.malware.virustotal.percent": 39.13, + "abusech.malware.virustotal.result": "27 / 69", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", @@ -176,18 +189,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0", - "threatintel.abusemalware.virustotal.percent": "39.13", - "threatintel.abusemalware.virustotal.result": "27 / 69", - "threatintel.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857", - "threatintel.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH", - "threatintel.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857", + "threat.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH", + "threat.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -210,15 +222,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba", - "threatintel.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL", - "threatintel.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:53.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba", + "threat.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL", + "threat.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:53.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -241,17 +255,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1", - "threatintel.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg", - "threatintel.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:41.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1", + "threat.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg", + "threat.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:41.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", @@ -272,16 +289,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1", - "threatintel.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv", - "threatintel.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:31.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1", + "threat.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv", + "threat.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:31.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -304,15 +322,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87", - "threatintel.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW", - "threatintel.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87", + "threat.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW", + "threat.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -335,15 +355,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f", - "threatintel.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR", - "threatintel.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f", + "threat.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR", + "threat.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -366,15 +388,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931", - "threatintel.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7", - "threatintel.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:06.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931", + "threat.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7", + "threat.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:06.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -397,15 +421,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672", - "threatintel.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP", - "threatintel.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:07:00.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672", + "threat.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP", + "threat.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:07:00.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -428,17 +454,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0", - "threatintel.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo", - "threatintel.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:06:36.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0", + "threat.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo", + "threat.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:06:36.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", @@ -459,16 +488,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991", - "threatintel.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY", - "threatintel.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:06:13.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991", + "threat.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY", + "threat.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:06:13.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -491,15 +521,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4", - "threatintel.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", - "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk", - "threatintel.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 280064, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:52.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4", + "threat.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", + "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk", + "threat.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 280064, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:52.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -522,17 +554,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8", - "threatintel.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", - "threatintel.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:51.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8", + "threat.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", + "threat.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:51.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", @@ -553,16 +588,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572", - "threatintel.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", - "threatintel.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:50.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572", + "threat.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", + "threat.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:50.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -585,15 +621,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03", - "threatintel.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", - "threatintel.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:36.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03", + "threat.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", + "threat.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:36.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -616,17 +654,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99", - "threatintel.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", - "threatintel.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:16.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99", + "threat.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", + "threat.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:16.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", @@ -647,16 +688,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547", - "threatintel.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", - "threatintel.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:15.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547", + "threat.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", + "threat.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:15.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -679,15 +721,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7", - "threatintel.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", - "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", - "threatintel.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 280064, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:12.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7", + "threat.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", + "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", + "threat.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 280064, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:12.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -710,15 +754,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6", - "threatintel.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", - "threatintel.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:38.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6", + "threat.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", + "threat.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:38.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -741,15 +787,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188", - "threatintel.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", - "threatintel.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", - "threatintel.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5", - "threatintel.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1", - "threatintel.indicator.file.size": 241664, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:26.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188", + "threat.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", + "threat.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", + "threat.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5", + "threat.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1", + "threat.indicator.file.size": 241664, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:26.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -772,14 +820,16 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7", - "threatintel.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", - "threatintel.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:20.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7", + "threat.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", + "threat.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:20.000Z", + "threat.indicator.type": "file" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml index a93f91d339c1..f407bb8d6155 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: abuseurl +- name: abusech.url type: group description: > Fields for AbuseCH Malware Threat Intel diff --git a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml index da01bc61c40c..f577594ec06f 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml @@ -11,10 +11,6 @@ request.ssl: {{ .ssl | tojson }} request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} -request.transforms: -- set: - target: header.Content-Type - value: application/json response.split: target: body.urls @@ -30,17 +26,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml index bf674ba2c88e..f762db7351ee 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml @@ -1,3 +1,4 @@ +--- description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -20,62 +24,75 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.abuseurl + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: abusech.url + - fingerprint: + fields: + - abusech.url.id + target_field: "_id" ##################### # Threat ECS Fields # ##################### - set: - field: threatintel.indicator.type + field: threat.feed.name + value: "[Filebeat] AbuseCH URL" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" + - set: + field: threat.indicator.type value: url - date: - field: threatintel.abuseurl.date_added - target_field: threatintel.indicator.first_seen + field: abusech.url.date_added + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - if: "ctx?.threatintel?.abuseurl?.date_added != null" + if: "ctx.abusech?.url?.date_added != null" - uri_parts: - field: threatintel.abuseurl.url - target_field: threatintel.indicator.url + field: abusech.url.url + target_field: threat.indicator.url keep_original: true remove_if_successful: true - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - rename: - field: threatintel.abuseurl.urlhaus_reference - target_field: threatintel.indicator.reference + field: abusech.url.urlhaus_reference + target_field: threat.indicator.reference ignore_missing: true # Host can be both IP addresses and domain names - grok: - field: threatintel.abuseurl.host + field: abusech.url.host patterns: - - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})" + - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})" ignore_failure: true - rename: - field: threatintel.abuseurl.reporter - target_field: threatintel.indicator.provider + field: abusech.url.reporter + target_field: threat.indicator.provider ignore_missing: true ###################### # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - convert: - field: threatintel.abuseurl.larted + field: abusech.url.larted type: boolean ignore_missing: true - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -97,11 +114,16 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.abuseurl.date_added - - threatintel.abuseurl.url - - threatintel.abuseurl.host + - abusech.url.date_added + - abusech.url.url + - abusech.url.host - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml index 13b5e663c4ac..2f71ad88253a 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml @@ -11,6 +11,8 @@ var: - name: tags default: [threatintel-abuseurls, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json index 3b312440b342..c76728b3c163 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json @@ -1,5 +1,15 @@ [ { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961548", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -13,30 +23,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961548", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:13.000Z", + "threat.indicator.ip": "103.72.223.103", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "103.72.223.103", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://103.72.223.103:34613/Mozi.m", + "threat.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34613, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961546", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:13.000Z", - "threatintel.indicator.ip": "103.72.223.103", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "103.72.223.103", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://103.72.223.103:34613/Mozi.m", - "threatintel.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34613, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -50,30 +62,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961546", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threat.indicator.ip": "112.30.97.184", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961546/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "112.30.97.184", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://112.30.97.184:44941/Mozi.m", + "threat.indicator.url.original": "http://112.30.97.184:44941/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 44941, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961547", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", - "threatintel.indicator.ip": "112.30.97.184", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961546/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "112.30.97.184", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://112.30.97.184:44941/Mozi.m", - "threatintel.indicator.url.original": "http://112.30.97.184:44941/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 44941, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -87,30 +101,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961547", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threat.indicator.ip": "113.110.198.53", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961547/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "113.110.198.53", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://113.110.198.53:37173/Mozi.m", + "threat.indicator.url.original": "http://113.110.198.53:37173/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 37173, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961545", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", - "threatintel.indicator.ip": "113.110.198.53", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961547/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "113.110.198.53", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://113.110.198.53:37173/Mozi.m", - "threatintel.indicator.url.original": "http://113.110.198.53:37173/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 37173, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -124,30 +140,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961545", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:04.000Z", + "threat.indicator.ip": "101.20.183.170", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961545/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "101.20.183.170", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://101.20.183.170:47545/Mozi.m", + "threat.indicator.url.original": "http://101.20.183.170:47545/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 47545, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961544", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:04.000Z", - "threatintel.indicator.ip": "101.20.183.170", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961545/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "101.20.183.170", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://101.20.183.170:47545/Mozi.m", - "threatintel.indicator.url.original": "http://101.20.183.170:47545/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 47545, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -161,30 +179,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961544", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:07:07.000Z", + "threat.indicator.ip": "59.8.35.22", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961544/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "59.8.35.22", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://59.8.35.22:44782/Mozi.a", + "threat.indicator.url.original": "http://59.8.35.22:44782/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 44782, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961543", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:07:07.000Z", - "threatintel.indicator.ip": "59.8.35.22", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961544/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "59.8.35.22", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://59.8.35.22:44782/Mozi.a", - "threatintel.indicator.url.original": "http://59.8.35.22:44782/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 44782, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -198,30 +218,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961543", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:07:06.000Z", + "threat.indicator.ip": "59.96.37.35", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961543/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "59.96.37.35", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://59.96.37.35:44359/Mozi.a", + "threat.indicator.url.original": "http://59.96.37.35:44359/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 44359, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961540", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:07:06.000Z", - "threatintel.indicator.ip": "59.96.37.35", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961543/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "59.96.37.35", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://59.96.37.35:44359/Mozi.a", - "threatintel.indicator.url.original": "http://59.96.37.35:44359/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 44359, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -235,30 +257,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961540", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threat.indicator.ip": "42.239.233.17", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961540/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.239.233.17", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.239.233.17:56507/Mozi.m", + "threat.indicator.url.original": "http://42.239.233.17:56507/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 56507, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961541", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", - "threatintel.indicator.ip": "42.239.233.17", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961540/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.239.233.17", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.239.233.17:56507/Mozi.m", - "threatintel.indicator.url.original": "http://42.239.233.17:56507/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 56507, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -272,30 +296,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961541", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threat.indicator.ip": "58.252.178.20", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961541/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "58.252.178.20", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://58.252.178.20:57562/Mozi.m", + "threat.indicator.url.original": "http://58.252.178.20:57562/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 57562, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961542", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", - "threatintel.indicator.ip": "58.252.178.20", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961541/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "58.252.178.20", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://58.252.178.20:57562/Mozi.m", - "threatintel.indicator.url.original": "http://58.252.178.20:57562/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 57562, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -309,30 +335,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961542", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threat.indicator.ip": "45.176.111.95", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961542/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "45.176.111.95", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://45.176.111.95:48845/Mozi.m", + "threat.indicator.url.original": "http://45.176.111.95:48845/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48845, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961539", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", - "threatintel.indicator.ip": "45.176.111.95", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961542/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "45.176.111.95", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://45.176.111.95:48845/Mozi.m", - "threatintel.indicator.url.original": "http://45.176.111.95:48845/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48845, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -346,30 +374,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961539", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:07:04.000Z", + "threat.indicator.ip": "42.224.68.97", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961539/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.224.68.97", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.224.68.97:58245/Mozi.m", + "threat.indicator.url.original": "http://42.224.68.97:58245/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 58245, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961538", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:07:04.000Z", - "threatintel.indicator.ip": "42.224.68.97", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961539/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.224.68.97", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.224.68.97:58245/Mozi.m", - "threatintel.indicator.url.original": "http://42.224.68.97:58245/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 58245, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -383,30 +413,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961538", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:08.000Z", + "threat.indicator.ip": "222.81.144.207", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961538/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "222.81.144.207", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://222.81.144.207:37198/Mozi.m", + "threat.indicator.url.original": "http://222.81.144.207:37198/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 37198, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961537", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:08.000Z", - "threatintel.indicator.ip": "222.81.144.207", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961538/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "222.81.144.207", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://222.81.144.207:37198/Mozi.m", - "threatintel.indicator.url.original": "http://222.81.144.207:37198/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 37198, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -420,30 +452,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961537", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:06.000Z", + "threat.indicator.ip": "182.127.185.137", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961537/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.127.185.137", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.127.185.137:33524/Mozi.m", + "threat.indicator.url.original": "http://182.127.185.137:33524/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 33524, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961531", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:06.000Z", - "threatintel.indicator.ip": "182.127.185.137", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961537/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.127.185.137", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.127.185.137:33524/Mozi.m", - "threatintel.indicator.url.original": "http://182.127.185.137:33524/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 33524, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -457,30 +491,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961531", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "39.84.175.185", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961531/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "39.84.175.185", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://39.84.175.185:48261/Mozi.a", + "threat.indicator.url.original": "http://39.84.175.185:48261/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 48261, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961532", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "39.84.175.185", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961531/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "39.84.175.185", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://39.84.175.185:48261/Mozi.a", - "threatintel.indicator.url.original": "http://39.84.175.185:48261/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 48261, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -494,30 +530,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961532", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "27.41.11.238", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961532/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "27.41.11.238", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://27.41.11.238:34478/Mozi.m", + "threat.indicator.url.original": "http://27.41.11.238:34478/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34478, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961533", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "27.41.11.238", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961532/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "27.41.11.238", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://27.41.11.238:34478/Mozi.m", - "threatintel.indicator.url.original": "http://27.41.11.238:34478/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34478, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -531,30 +569,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961533", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "182.127.133.68", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961533/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.127.133.68", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://182.127.133.68:35703/Mozi.a", + "threat.indicator.url.original": "http://182.127.133.68:35703/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 35703, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961534", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "182.127.133.68", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961533/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.127.133.68", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://182.127.133.68:35703/Mozi.a", - "threatintel.indicator.url.original": "http://182.127.133.68:35703/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 35703, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -568,30 +608,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961534", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "27.46.44.102", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961534/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "27.46.44.102", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://27.46.44.102:48666/Mozi.m", + "threat.indicator.url.original": "http://27.46.44.102:48666/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48666, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961535", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "27.46.44.102", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961534/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "27.46.44.102", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://27.46.44.102:48666/Mozi.m", - "threatintel.indicator.url.original": "http://27.46.44.102:48666/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48666, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -605,30 +647,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961535", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "39.70.88.65", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961535/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "39.70.88.65", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://39.70.88.65:53923/Mozi.m", + "threat.indicator.url.original": "http://39.70.88.65:53923/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 53923, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961536", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "39.70.88.65", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961535/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "39.70.88.65", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://39.70.88.65:53923/Mozi.m", - "threatintel.indicator.url.original": "http://39.70.88.65:53923/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 53923, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -642,30 +686,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961536", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threat.indicator.ip": "42.224.136.237", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961536/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.224.136.237", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.224.136.237:52794/Mozi.m", + "threat.indicator.url.original": "http://42.224.136.237:52794/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 52794, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961530", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", - "threatintel.indicator.ip": "42.224.136.237", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961536/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.224.136.237", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.224.136.237:52794/Mozi.m", - "threatintel.indicator.url.original": "http://42.224.136.237:52794/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 52794, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -679,30 +725,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961530", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:34.000Z", + "threat.indicator.ip": "117.208.135.63", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961530/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.208.135.63", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://117.208.135.63:49312/Mozi.a", + "threat.indicator.url.original": "http://117.208.135.63:49312/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 49312, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961525", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:05:34.000Z", - "threatintel.indicator.ip": "117.208.135.63", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961530/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.208.135.63", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://117.208.135.63:49312/Mozi.a", - "threatintel.indicator.url.original": "http://117.208.135.63:49312/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 49312, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -716,30 +764,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961525", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "125.47.66.60", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "125.47.66.60", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://125.47.66.60:38961/Mozi.m", + "threat.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 38961, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961526", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "125.47.66.60", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "125.47.66.60", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://125.47.66.60:38961/Mozi.m", - "threatintel.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 38961, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -753,30 +803,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961526", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "182.117.95.148", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.117.95.148", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://182.117.95.148:50420/Mozi.a", + "threat.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 50420, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961527", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "182.117.95.148", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.117.95.148", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://182.117.95.148:50420/Mozi.a", - "threatintel.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 50420, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -790,30 +842,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961527", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "117.202.71.48", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.202.71.48", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://117.202.71.48:55007/Mozi.m", + "threat.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 55007, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961528", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "117.202.71.48", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.202.71.48", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://117.202.71.48:55007/Mozi.m", - "threatintel.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 55007, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -827,30 +881,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961528", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "125.99.132.118", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "125.99.132.118", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://125.99.132.118:51143/Mozi.m", + "threat.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 51143, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961529", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "125.99.132.118", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "125.99.132.118", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://125.99.132.118:51143/Mozi.m", - "threatintel.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 51143, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -864,30 +920,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961529", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "182.114.123.69", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.114.123.69", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.114.123.69:41003/Mozi.m", - "threatintel.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41003, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "182.114.123.69", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.114.123.69", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.114.123.69:41003/Mozi.m", + "threat.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41003, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961524", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -901,29 +958,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961524", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:38.000Z", - "threatintel.indicator.ip": "116.19.127.37", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "116.19.127.37", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://116.19.127.37:35739/Mozi.m", - "threatintel.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 35739, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:38.000Z", + "threat.indicator.ip": "116.19.127.37", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "116.19.127.37", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://116.19.127.37:35739/Mozi.m", + "threat.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 35739, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961523", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -937,29 +996,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961523", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:36.000Z", - "threatintel.indicator.ip": "42.239.253.55", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.239.253.55", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.239.253.55:45653/Mozi.m", - "threatintel.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 45653, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:36.000Z", + "threat.indicator.ip": "42.239.253.55", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.239.253.55", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.239.253.55:45653/Mozi.m", + "threat.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 45653, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961520", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -973,29 +1034,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961520", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "103.217.121.228", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961520/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "103.217.121.228", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://103.217.121.228:41349/Mozi.m", - "threatintel.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41349, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "103.217.121.228", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961520/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "103.217.121.228", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://103.217.121.228:41349/Mozi.m", + "threat.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41349, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961521", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1009,29 +1072,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961521", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "111.92.81.255", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961521/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "111.92.81.255", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://111.92.81.255:48586/Mozi.m", - "threatintel.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48586, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "111.92.81.255", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961521/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "111.92.81.255", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://111.92.81.255:48586/Mozi.m", + "threat.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48586, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961522", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1045,29 +1110,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961522", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "45.229.55.75", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961522/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "45.229.55.75", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://45.229.55.75:38111/Mozi.m", - "threatintel.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 38111, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "45.229.55.75", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961522/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "45.229.55.75", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://45.229.55.75:38111/Mozi.m", + "threat.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 38111, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961518", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1081,29 +1148,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961518", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", - "threatintel.indicator.ip": "182.121.242.148", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961518/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.121.242.148", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.121.242.148:34556/Mozi.m", - "threatintel.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34556, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threat.indicator.ip": "182.121.242.148", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961518/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.121.242.148", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.121.242.148:34556/Mozi.m", + "threat.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34556, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961519", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1117,30 +1187,33 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961519", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", - "threatintel.indicator.ip": "106.115.189.249", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961519/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "106.115.189.249", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://106.115.189.249:59815/Mozi.m", - "threatintel.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 59815, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threat.indicator.ip": "106.115.189.249", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961519/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "106.115.189.249", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://106.115.189.249:59815/Mozi.m", + "threat.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 59815, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961516", + "abusech.url.larted": true, + "abusech.url.tags": [ + "32-bit", + "elf", + "mips" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1154,31 +1227,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961516", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "32-bit", - "elf", - "mips" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", - "threatintel.indicator.ip": "182.117.93.110", - "threatintel.indicator.provider": "geenensp", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961516/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.117.93.110", - "threatintel.indicator.url.extension": "sh", - "threatintel.indicator.url.full": "http://182.117.93.110:50587/bin.sh", - "threatintel.indicator.url.original": "http://182.117.93.110:50587/bin.sh", - "threatintel.indicator.url.path": "/bin.sh", - "threatintel.indicator.url.port": 50587, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threat.indicator.ip": "182.117.93.110", + "threat.indicator.provider": "geenensp", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961516/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.117.93.110", + "threat.indicator.url.extension": "sh", + "threat.indicator.url.full": "http://182.117.93.110:50587/bin.sh", + "threat.indicator.url.original": "http://182.117.93.110:50587/bin.sh", + "threat.indicator.url.path": "/bin.sh", + "threat.indicator.url.port": 50587, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961517", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1192,30 +1266,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961517", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", - "threatintel.indicator.ip": "110.251.5.169", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961517/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "110.251.5.169", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://110.251.5.169:48322/Mozi.m", - "threatintel.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48322, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threat.indicator.ip": "110.251.5.169", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961517/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "110.251.5.169", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://110.251.5.169:48322/Mozi.m", + "threat.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48322, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961515", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1229,29 +1304,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961515", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:06.000Z", - "threatintel.indicator.ip": "101.51.117.186", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961515/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "101.51.117.186", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://101.51.117.186:33317/Mozi.m", - "threatintel.indicator.url.original": "http://101.51.117.186:33317/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 33317, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:06.000Z", + "threat.indicator.ip": "101.51.117.186", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961515/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "101.51.117.186", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://101.51.117.186:33317/Mozi.m", + "threat.indicator.url.original": "http://101.51.117.186:33317/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 33317, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961513", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1265,29 +1342,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961513", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", - "threatintel.indicator.ip": "121.151.78.166", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961513/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "121.151.78.166", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://121.151.78.166:41516/Mozi.m", - "threatintel.indicator.url.original": "http://121.151.78.166:41516/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41516, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threat.indicator.ip": "121.151.78.166", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961513/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "121.151.78.166", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://121.151.78.166:41516/Mozi.m", + "threat.indicator.url.original": "http://121.151.78.166:41516/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41516, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961514", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1301,29 +1380,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961514", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", - "threatintel.indicator.ip": "116.72.92.97", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961514/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "116.72.92.97", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://116.72.92.97:57798/Mozi.m", - "threatintel.indicator.url.original": "http://116.72.92.97:57798/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 57798, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threat.indicator.ip": "116.72.92.97", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961514/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "116.72.92.97", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://116.72.92.97:57798/Mozi.m", + "threat.indicator.url.original": "http://116.72.92.97:57798/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 57798, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961509", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1337,29 +1418,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961509", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "27.218.15.209", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961509/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "27.218.15.209", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://27.218.15.209:47671/Mozi.m", - "threatintel.indicator.url.original": "http://27.218.15.209:47671/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 47671, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "27.218.15.209", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961509/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "27.218.15.209", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://27.218.15.209:47671/Mozi.m", + "threat.indicator.url.original": "http://27.218.15.209:47671/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 47671, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961510", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1373,29 +1456,33 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961510", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "120.85.171.210", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961510/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "120.85.171.210", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://120.85.171.210:57690/Mozi.m", - "threatintel.indicator.url.original": "http://120.85.171.210:57690/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 57690, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "120.85.171.210", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961510/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "120.85.171.210", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://120.85.171.210:57690/Mozi.m", + "threat.indicator.url.original": "http://120.85.171.210:57690/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 57690, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961511", + "abusech.url.larted": true, + "abusech.url.tags": [ + "32-bit", + "elf", + "mips" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1409,30 +1496,30 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961511", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "32-bit", - "elf", - "mips" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "117.251.59.53", - "threatintel.indicator.provider": "geenensp", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961511/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.251.59.53", - "threatintel.indicator.url.full": "http://117.251.59.53:50611/i", - "threatintel.indicator.url.original": "http://117.251.59.53:50611/i", - "threatintel.indicator.url.path": "/i", - "threatintel.indicator.url.port": 50611, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "117.251.59.53", + "threat.indicator.provider": "geenensp", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961511/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.251.59.53", + "threat.indicator.url.full": "http://117.251.59.53:50611/i", + "threat.indicator.url.original": "http://117.251.59.53:50611/i", + "threat.indicator.url.path": "/i", + "threat.indicator.url.port": 50611, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961512", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1446,29 +1533,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961512", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", - "threatintel.indicator.ip": "115.58.83.167", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961512/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "115.58.83.167", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://115.58.83.167:34141/Mozi.m", - "threatintel.indicator.url.original": "http://115.58.83.167:34141/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34141, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threat.indicator.ip": "115.58.83.167", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961512/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "115.58.83.167", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://115.58.83.167:34141/Mozi.m", + "threat.indicator.url.original": "http://115.58.83.167:34141/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34141, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961507", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1482,30 +1572,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961507", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threat.indicator.ip": "94.178.124.83", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961507/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "94.178.124.83", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://94.178.124.83:44399/Mozi.m", + "threat.indicator.url.original": "http://94.178.124.83:44399/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 44399, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961508", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", - "threatintel.indicator.ip": "94.178.124.83", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961507/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "94.178.124.83", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://94.178.124.83:44399/Mozi.m", - "threatintel.indicator.url.original": "http://94.178.124.83:44399/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 44399, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1519,30 +1611,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961508", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threat.indicator.ip": "182.122.75.232", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961508/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.122.75.232", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.122.75.232:49120/Mozi.m", + "threat.indicator.url.original": "http://182.122.75.232:49120/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 49120, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961506", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", - "threatintel.indicator.ip": "182.122.75.232", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961508/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.122.75.232", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.122.75.232:49120/Mozi.m", - "threatintel.indicator.url.original": "http://182.122.75.232:49120/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 49120, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1556,30 +1650,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961506", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:07.000Z", + "threat.indicator.ip": "115.63.202.43", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961506/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "115.63.202.43", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://115.63.202.43:51136/Mozi.m", + "threat.indicator.url.original": "http://115.63.202.43:51136/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 51136, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961504", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:07.000Z", - "threatintel.indicator.ip": "115.63.202.43", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961506/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "115.63.202.43", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://115.63.202.43:51136/Mozi.m", - "threatintel.indicator.url.original": "http://115.63.202.43:51136/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 51136, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1593,30 +1689,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961504", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threat.indicator.ip": "59.99.40.204", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961504/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "59.99.40.204", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://59.99.40.204:45773/Mozi.m", + "threat.indicator.url.original": "http://59.99.40.204:45773/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 45773, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961505", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", - "threatintel.indicator.ip": "59.99.40.204", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961504/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "59.99.40.204", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://59.99.40.204:45773/Mozi.m", - "threatintel.indicator.url.original": "http://59.99.40.204:45773/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 45773, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1630,30 +1728,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961505", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threat.indicator.ip": "117.247.128.213", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961505/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.247.128.213", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://117.247.128.213:56528/Mozi.m", + "threat.indicator.url.original": "http://117.247.128.213:56528/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 56528, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961500", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", - "threatintel.indicator.ip": "117.247.128.213", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961505/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.247.128.213", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://117.247.128.213:56528/Mozi.m", - "threatintel.indicator.url.original": "http://117.247.128.213:56528/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 56528, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1667,30 +1767,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961500", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "14.137.219.132", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961500/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "14.137.219.132", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://14.137.219.132:44427/Mozi.a", + "threat.indicator.url.original": "http://14.137.219.132:44427/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 44427, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961501", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "14.137.219.132", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961500/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "14.137.219.132", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://14.137.219.132:44427/Mozi.a", - "threatintel.indicator.url.original": "http://14.137.219.132:44427/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 44427, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1704,30 +1806,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961501", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "42.224.40.14", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961501/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.224.40.14", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.224.40.14:36134/Mozi.m", + "threat.indicator.url.original": "http://42.224.40.14:36134/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 36134, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961502", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "42.224.40.14", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961501/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.224.40.14", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.224.40.14:36134/Mozi.m", - "threatintel.indicator.url.original": "http://42.224.40.14:36134/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 36134, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1741,30 +1845,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961502", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "186.33.104.107", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961502/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "186.33.104.107", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://186.33.104.107:43973/Mozi.m", + "threat.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 43973, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961503", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "186.33.104.107", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961502/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "186.33.104.107", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://186.33.104.107:43973/Mozi.m", - "threatintel.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 43973, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1778,30 +1884,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961503", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "85.105.16.154", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961503/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "85.105.16.154", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://85.105.16.154:41319/Mozi.m", + "threat.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41319, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961496", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "85.105.16.154", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961503/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "85.105.16.154", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://85.105.16.154:41319/Mozi.m", - "threatintel.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41319, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1815,30 +1923,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961496", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "178.141.73.115", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961496/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "178.141.73.115", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://178.141.73.115:51847/Mozi.a", + "threat.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 51847, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961497", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "178.141.73.115", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961496/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "178.141.73.115", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://178.141.73.115:51847/Mozi.a", - "threatintel.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 51847, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1852,30 +1962,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961497", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "186.33.104.135", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961497/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "186.33.104.135", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://186.33.104.135:54469/Mozi.m", + "threat.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 54469, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961498", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "186.33.104.135", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961497/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "186.33.104.135", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://186.33.104.135:54469/Mozi.m", - "threatintel.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 54469, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1889,30 +2001,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961498", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "115.56.159.43", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961498/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "115.56.159.43", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://115.56.159.43:34547/Mozi.m", + "threat.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34547, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961499", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "115.56.159.43", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961498/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "115.56.159.43", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://115.56.159.43:34547/Mozi.m", - "threatintel.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34547, - "threatintel.indicator.url.scheme": "http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1926,30 +2040,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961499", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "42.230.138.170", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961499/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.230.138.170", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.230.138.170:33932/Mozi.m", - "threatintel.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 33932, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "42.230.138.170", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961499/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.230.138.170", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.230.138.170:33932/Mozi.m", + "threat.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 33932, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961494", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1963,27 +2078,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961494", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961494/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", - "threatintel.indicator.url.path": "/viro/02478080035/blank.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961494/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", + "threat.indicator.url.path": "/viro/02478080035/blank.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961495", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -1997,27 +2114,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961495", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961495/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961495/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961492", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2031,27 +2150,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961492", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961492/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961492/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961493", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2065,27 +2186,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961493", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961493/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", - "threatintel.indicator.url.path": "/leto/02328510512/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961493/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css", + "threat.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", + "threat.indicator.url.path": "/leto/02328510512/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961490", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2099,27 +2222,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961490", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961490/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961490/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961491", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2133,27 +2258,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961491", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961491/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", - "threatintel.indicator.url.path": "/minu/12875710159/blank.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961491/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css", + "threat.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", + "threat.indicator.url.path": "/minu/12875710159/blank.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961489", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2167,27 +2294,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961489", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:41.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961489/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:41.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961489/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961488", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2201,27 +2330,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961488", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:40.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961488/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:40.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961488/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961487", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2235,27 +2366,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961487", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:17.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961487/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg", - "threatintel.indicator.url.path": "/bella/01844510469/1x1.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:17.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961487/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg", + "threat.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg", + "threat.indicator.url.path": "/bella/01844510469/1x1.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961485", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2269,27 +2402,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961485", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961485/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", - "threatintel.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961485/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", + "threat.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961486", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2303,27 +2438,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961486", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961486/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", - "threatintel.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961486/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", + "threat.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", + "threat.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961482", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2337,27 +2474,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961482", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961482/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css", - "threatintel.indicator.url.path": "/viro/06389650018/it.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961482/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css", + "threat.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css", + "threat.indicator.url.path": "/viro/06389650018/it.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961483", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2371,27 +2510,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961483", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961483/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", - "threatintel.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961483/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", + "threat.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961484", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2405,27 +2546,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961484", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961484/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", - "threatintel.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961484/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", + "threat.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961480", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2439,27 +2582,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961480", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961480/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", - "threatintel.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961480/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", + "threat.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", + "threat.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961481", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2473,27 +2618,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961481", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961481/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg", - "threatintel.indicator.url.path": "/minu/15578761007/maps.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961481/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg", + "threat.indicator.url.path": "/minu/15578761007/maps.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961478", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2507,27 +2654,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961478", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961478/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png", - "threatintel.indicator.url.path": "/viro/03079590133/1x1.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961478/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png", + "threat.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png", + "threat.indicator.url.path": "/viro/03079590133/1x1.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961479", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2541,27 +2690,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961479", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961479/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", - "threatintel.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961479/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", + "threat.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961476", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2575,27 +2726,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961476", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961476/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", - "threatintel.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961476/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", + "threat.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", + "threat.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961477", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2609,27 +2762,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961477", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961477/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", - "threatintel.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961477/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", + "threat.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961470", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2643,27 +2798,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961470", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961470/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", - "threatintel.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961470/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", + "threat.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961471", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2677,27 +2834,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961471", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961471/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "fhivelifestyle.online", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", - "threatintel.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", - "threatintel.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961471/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "fhivelifestyle.online", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", + "threat.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", + "threat.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961472", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2711,27 +2870,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961472", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961472/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", - "threatintel.indicator.url.path": "/bella/05739900487/1x1.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961472/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", + "threat.indicator.url.path": "/bella/05739900487/1x1.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961473", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2745,27 +2906,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961473", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961473/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", - "threatintel.indicator.url.path": "/bella/01767180597/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961473/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", + "threat.indicator.url.path": "/bella/01767180597/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961474", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2779,27 +2942,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961474", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961474/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961474/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961475", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2813,27 +2978,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961475", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961475/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961475/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961468", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2847,27 +3014,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961468", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961468/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", - "threatintel.indicator.url.path": "/minu/08035410722/logo.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961468/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", + "threat.indicator.url.path": "/minu/08035410722/logo.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961469", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2881,27 +3050,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961469", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961469/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961469/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961467", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2915,27 +3086,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961467", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:13.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961467/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", - "threatintel.indicator.url.path": "/leto/03253350239/1x1.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:13.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961467/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png", + "threat.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", + "threat.indicator.url.path": "/leto/03253350239/1x1.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961464", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2949,27 +3122,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961464", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961464/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", - "threatintel.indicator.url.path": "/ladi/10582470158/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961464/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", + "threat.indicator.url.path": "/ladi/10582470158/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961465", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -2983,27 +3158,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961465", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961465/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961465/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961466", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3017,27 +3194,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961466", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961466/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961466/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961461", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3051,27 +3230,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961461", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961461/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961461/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961462", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3085,27 +3266,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961462", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961462/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961462/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961463", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3119,27 +3302,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961463", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961463/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", - "threatintel.indicator.url.path": "/viro/02941830735/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961463/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css", + "threat.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", + "threat.indicator.url.path": "/viro/02941830735/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961458", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3153,27 +3338,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961458", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961458/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961458/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961459", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3187,27 +3374,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961459", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961459/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", - "threatintel.indicator.url.path": "/ladi/03108100615/it.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961459/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", + "threat.indicator.url.path": "/ladi/03108100615/it.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961460", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3221,27 +3410,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961460", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961460/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961460/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961455", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3255,27 +3446,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961455", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961455/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif", - "threatintel.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", - "threatintel.indicator.url.path": "/viro/00183050368/en.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961455/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif", + "threat.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", + "threat.indicator.url.path": "/viro/00183050368/en.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961456", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3289,27 +3482,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961456", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961456/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961456/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961457", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3323,27 +3518,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961457", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961457/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", - "threatintel.indicator.url.path": "/leto/08658331007/blank.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961457/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif", + "threat.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", + "threat.indicator.url.path": "/leto/08658331007/blank.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961450", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3357,27 +3554,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961450", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961450/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", - "threatintel.indicator.url.path": "/minu/01098910324/blank.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961450/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png", + "threat.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", + "threat.indicator.url.path": "/minu/01098910324/blank.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961451", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3391,27 +3590,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961451", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961451/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", - "threatintel.indicator.url.path": "/viro/02794390233/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961451/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css", + "threat.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", + "threat.indicator.url.path": "/viro/02794390233/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961452", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3425,27 +3626,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961452", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961453", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3459,27 +3662,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961453", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961454", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3493,27 +3698,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961454", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", - "threatintel.indicator.url.path": "/viro/03610140125/map.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", + "threat.indicator.url.path": "/viro/03610140125/map.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961448", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3527,24 +3734,17 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961448", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:36.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:36.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.scheme": "https" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml index 69ab6e22e9ba..696b062b6b28 100644 --- a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: anomali +- name: anomali.limo type: group description: > Fields for Anomali Threat Intel @@ -50,4 +50,4 @@ - name: object_marking_refs type: keyword description: > - The STIX reference object. \ No newline at end of file + The STIX reference object. diff --git a/x-pack/filebeat/module/threatintel/anomali/config/config.yml b/x-pack/filebeat/module/threatintel/anomali/config/config.yml index a268ddb7559c..1a30d874635e 100644 --- a/x-pack/filebeat/module/threatintel/anomali/config/config.yml +++ b/x-pack/filebeat/module/threatintel/anomali/config/config.yml @@ -30,7 +30,7 @@ request.transforms: value: items 0-10000 - set: target: url.params.match[type] - value: {{ .types }} + value: indicator - set: target: url.params.added_after value: '[[.cursor.timestamp]]' @@ -54,17 +54,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml index eccbf5e9826e..94ca3a847518 100644 --- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing Anomali Threat Intel +--- +description: Pipeline for parsing Anomali Limo indicators processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -20,16 +24,30 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.anomali + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: anomali.limo + - fingerprint: + fields: + - anomali.limo.id + target_field: "_id" ignore_missing: true ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] Anomali Limo" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" ## File indicator operations - date: - field: threatintel.anomali.created + field: anomali.limo.created formats: - "yyyy-MM-dd'T'HH:mm:ssz" - "yyyy-MM-dd'T'HH:mm:ssZ" @@ -39,68 +57,73 @@ processors: - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.created != null" + if: "ctx.anomali?.limo?.created != null" - date: - field: threatintel.anomali.modified - target_field: threatintel.anomali.modified + field: anomali.limo.modified + target_field: anomali.limo.modified formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" - "yyyy-MM-dd'T'HH:mm:ss.Sz" - "yyyy-MM-dd'T'HH:mm:ss.SZ" - "yyyy-MM-dd'T'HH:mm:ss.SSz" - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.modified != null" + if: "ctx.anomali?.limo?.modified != null" - date: - field: threatintel.anomali.valid_from - target_field: threatintel.indicator.first_seen + field: anomali.limo.valid_from + target_field: threat.indicator.first_seen formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" - "yyyy-MM-dd'T'HH:mm:ss.Sz" - "yyyy-MM-dd'T'HH:mm:ss.SZ" - "yyyy-MM-dd'T'HH:mm:ss.SSz" - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.valid_from != null" + if: "ctx.anomali?.limo?.valid_from != null" - grok: - field: threatintel.anomali.pattern + field: anomali.limo.pattern patterns: - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" + if: ctx.anomali?.limo?.pattern != null - rename: field: _tmp.threattype - target_field: threatintel.indicator.type + target_field: threat.indicator.type ignore_missing: true - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.ip + target_field: threat.indicator.ip ignore_missing: true - if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - uri_parts: field: _tmp.threatvalue - target_field: threatintel.indicator.url + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' + if: ctx.threat?.indicator?.type == 'url' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.email.address + target_field: threat.indicator.email.address ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + if: ctx.threat?.indicator?.type == 'email-addr' - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.url.domain + target_field: threat.indicator.url.domain ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'domain-name' + if: ctx.threat?.indicator?.type == 'domain-name' - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - foreach: - field: threatintel.anomali.labels + field: anomali.limo.labels ignore_missing: true processor: append: @@ -108,9 +131,9 @@ processors: value: "{{_ingest._value}}" allow_duplicates: false - grok: - field: threatintel.anomali.description + field: anomali.limo.description patterns: - - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}" + - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}" ignore_missing: true ignore_failure: true ###################### @@ -140,9 +163,14 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.anomali.created + - anomali.limo.created - message - _tmp ignore_missing: true diff --git a/x-pack/filebeat/module/threatintel/anomali/manifest.yml b/x-pack/filebeat/module/threatintel/anomali/manifest.yml index 1087e00df8a6..bdfcf20a3ade 100644 --- a/x-pack/filebeat/module/threatintel/anomali/manifest.yml +++ b/x-pack/filebeat/module/threatintel/anomali/manifest.yml @@ -8,8 +8,6 @@ var: - name: first_interval default: 24h - name: ssl - - name: types - default: indicators - name: username - name: password - name: url @@ -17,6 +15,8 @@ var: - name: tags default: [threatintel-anomali, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json index f527da1ed989..7f998f8c7783 100644 --- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json @@ -1,5 +1,20 @@ [ { + "anomali.limo.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28", + "anomali.limo.labels": [ + "malicious-activity", + "threatstream-confidence-76", + "threatstream-severity-medium" + ], + "anomali.limo.modified": "2020-01-22T02:58:57.431Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.431Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -16,32 +31,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.431Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.431Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:57.503Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.431Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:57.431Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.503Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -58,32 +75,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.503Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.503Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:57.570Z", + "anomali.limo.name": "mal_url: http://f0387770.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.503Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:57.503Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.57Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -100,31 +119,33 @@ "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.570Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387770.xsph.ru", + "threat.indicator.url.full": "http://f0387770.xsph.ru/login", + "threat.indicator.url.original": "http://f0387770.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", + "anomali.limo.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-71", + "threatstream-confidence-50", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.570Z", - "threatintel.anomali.name": "mal_url: http://f0387770.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:59.366Z", + "anomali.limo.name": "mal_url: http://178.62.187.103/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.57Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:57.570Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0387770.xsph.ru", - "threatintel.indicator.url.full": "http://f0387770.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0387770.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://178.62.187.103/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:59.366Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -141,31 +162,33 @@ "threatstream-confidence-50", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", - "threatintel.anomali.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:59.366Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "178.62.187.103", + "threat.indicator.url.full": "http://178.62.187.103/login", + "threat.indicator.url.original": "http://178.62.187.103/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-50", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:59.366Z", - "threatintel.anomali.name": "mal_url: http://178.62.187.103/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:59.457Z", + "anomali.limo.name": "mal_url: http://appareluea.com/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://178.62.187.103/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:59.366Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "178.62.187.103", - "threatintel.indicator.url.full": "http://178.62.187.103/login", - "threatintel.indicator.url.original": "http://178.62.187.103/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:59.457Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -182,32 +205,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:59.457Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "appareluea.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://appareluea.com/panel/admin.php", + "threat.indicator.url.original": "http://appareluea.com/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:59.457Z", - "threatintel.anomali.name": "mal_url: http://appareluea.com/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:06.402Z", + "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:59.457Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:59.457Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "appareluea.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://appareluea.com/panel/admin.php", - "threatintel.indicator.url.original": "http://appareluea.com/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:06.402Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -224,32 +249,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:06.402Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "nkpotu.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php", + "threat.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", + "threat.indicator.url.path": "/Kpot3/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", + "anomali.limo.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-49", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:06.402Z", - "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:19.990Z", + "anomali.limo.name": "mal_ip: 162.144.128.116", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:06.402Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:06.402Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "nkpotu.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php", - "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", - "threatintel.indicator.url.path": "/Kpot3/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '162.144.128.116']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:19.99Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -266,27 +293,29 @@ "threatstream-confidence-49", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", - "threatintel.anomali.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:19.990Z", + "threat.indicator.ip": "162.144.128.116", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-49", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:19.990Z", - "threatintel.anomali.name": "mal_ip: 162.144.128.116", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:20.155Z", + "anomali.limo.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '162.144.128.116']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:19.99Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:19.990Z", - "threatintel.indicator.ip": "162.144.128.116", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:20.155Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -303,32 +332,34 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:20.155Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ntrcgroup.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php", + "threat.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", + "threat.indicator.url.path": "/nze/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:20.155Z", - "threatintel.anomali.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:25.521Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:20.155Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:20.155Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ntrcgroup.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.indicator.url.path": "/nze/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:25.521Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -345,32 +376,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:25.521Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:25.521Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:25.626Z", + "anomali.limo.name": "mal_url: http://f0390764.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:25.521Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:25.521Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:25.626Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -387,31 +420,33 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:25.626Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0390764.xsph.ru", + "threat.indicator.url.full": "http://f0390764.xsph.ru/login", + "threat.indicator.url.original": "http://f0390764.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:25.626Z", - "threatintel.anomali.name": "mal_url: http://f0390764.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:36.461Z", + "anomali.limo.name": "mal_ip: 45.143.138.39", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:25.626Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0390764.xsph.ru", - "threatintel.indicator.url.full": "http://f0390764.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0390764.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '45.143.138.39']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:36.461Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -428,27 +463,29 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:36.461Z", + "threat.indicator.ip": "45.143.138.39", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", + "anomali.limo.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:36.461Z", - "threatintel.anomali.name": "mal_ip: 45.143.138.39", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:41.193Z", + "anomali.limo.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '45.143.138.39']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:36.461Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:36.461Z", - "threatintel.indicator.ip": "45.143.138.39", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:41.193Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -465,32 +502,34 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:41.193Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "aglfreight.com.my", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:41.193Z", - "threatintel.anomali.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:41.228Z", + "anomali.limo.name": "mal_url: http://95.182.122.184/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:41.193Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:41.193Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "aglfreight.com.my", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://95.182.122.184/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:41.228Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -507,31 +546,33 @@ "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:41.228Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "95.182.122.184", + "threat.indicator.url.full": "http://95.182.122.184/", + "threat.indicator.url.original": "http://95.182.122.184/", + "threat.indicator.url.path": "/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-61", + "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:41.228Z", - "threatintel.anomali.name": "mal_url: http://95.182.122.184/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:51.313Z", + "anomali.limo.name": "mal_ip: 198.54.115.121", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://95.182.122.184/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:41.228Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "95.182.122.184", - "threatintel.indicator.url.full": "http://95.182.122.184/", - "threatintel.indicator.url.original": "http://95.182.122.184/", - "threatintel.indicator.url.path": "/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '198.54.115.121']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:51.313Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -548,27 +589,29 @@ "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:51.313Z", + "threat.indicator.ip": "198.54.115.121", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-62", + "threatstream-confidence-38", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:51.313Z", - "threatintel.anomali.name": "mal_ip: 198.54.115.121", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:51.372Z", + "anomali.limo.name": "mal_ip: 192.185.119.172", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '198.54.115.121']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:51.313Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:51.313Z", - "threatintel.indicator.ip": "198.54.115.121", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.185.119.172']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:51.372Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -585,27 +628,29 @@ "threatstream-confidence-38", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:51.372Z", + "threat.indicator.ip": "192.185.119.172", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-38", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:51.372Z", - "threatintel.anomali.name": "mal_ip: 192.185.119.172", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:51.442Z", + "anomali.limo.name": "mal_url: http://f0389246.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.119.172']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:51.372Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:51.372Z", - "threatintel.indicator.ip": "192.185.119.172", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0389246.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:51.442Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -622,31 +667,33 @@ "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:51.442Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0389246.xsph.ru", + "threat.indicator.url.full": "http://f0389246.xsph.ru/login", + "threat.indicator.url.original": "http://f0389246.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--213519c9-f511-4188-89c8-159f35f08008", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-61", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:51.442Z", - "threatintel.anomali.name": "mal_url: http://f0389246.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:01.563Z", + "anomali.limo.name": "mal_url: http://appareluea.com/server/cp.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0389246.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:51.442Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0389246.xsph.ru", - "threatintel.indicator.url.full": "http://f0389246.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0389246.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://appareluea.com/server/cp.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:01.563Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -663,32 +710,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--213519c9-f511-4188-89c8-159f35f08008", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:01.563Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "appareluea.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://appareluea.com/server/cp.php", + "threat.indicator.url.original": "http://appareluea.com/server/cp.php", + "threat.indicator.url.path": "/server/cp.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:01.563Z", - "threatintel.anomali.name": "mal_url: http://appareluea.com/server/cp.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:03.138Z", + "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/server/cp.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:01.563Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:01.563Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "appareluea.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://appareluea.com/server/cp.php", - "threatintel.indicator.url.original": "http://appareluea.com/server/cp.php", - "threatintel.indicator.url.path": "/server/cp.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:03.138Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -705,32 +754,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:03.138Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "nkpotu.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php", + "threat.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php", + "threat.indicator.url.path": "/Kpot2/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:03.138Z", - "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:03.396Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:03.138Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:03.138Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "nkpotu.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php", - "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php", - "threatintel.indicator.url.path": "/Kpot2/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:03.396Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -747,32 +798,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:03.396Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:03.396Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:03.642Z", + "anomali.limo.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:03.396Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:03.396Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:03.642Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -789,32 +842,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:03.642Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "mecharnise.ir", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php", + "threat.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php", + "threat.indicator.url.path": "/ca4/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:03.642Z", - "threatintel.anomali.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:27.534Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:03.642Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:03.642Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "mecharnise.ir", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php", - "threatintel.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php", - "threatintel.indicator.url.path": "/ca4/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:27.534Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -831,32 +886,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:27.534Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime", + "anomali.limo.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:27.534Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:27.591Z", + "anomali.limo.name": "mal_url: http://kironofer.com/webpanel/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:27.534Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:27.534Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:27.591Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -873,32 +930,34 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime", - "threatintel.anomali.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:27.591Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "kironofer.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://kironofer.com/webpanel/login.php", + "threat.indicator.url.original": "http://kironofer.com/webpanel/login.php", + "threat.indicator.url.path": "/webpanel/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:27.591Z", - "threatintel.anomali.name": "mal_url: http://kironofer.com/webpanel/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:45.787Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:27.591Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:27.591Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "kironofer.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://kironofer.com/webpanel/login.php", - "threatintel.indicator.url.original": "http://kironofer.com/webpanel/login.php", - "threatintel.indicator.url.path": "/webpanel/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:45.787Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -915,32 +974,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:45.787Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime", + "anomali.limo.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-91", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:45.787Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:45.841Z", + "anomali.limo.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:45.787Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:45.787Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:45.841Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -957,32 +1018,34 @@ "threatstream-confidence-91", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime", - "threatintel.anomali.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:45.841Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "smartlinktelecom.top", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php", + "threat.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php", + "threat.indicator.url.path": "/kings/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-91", + "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:45.841Z", - "threatintel.anomali.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:45.959Z", + "anomali.limo.name": "mal_url: http://carirero.net/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:45.841Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:45.841Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "smartlinktelecom.top", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php", - "threatintel.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php", - "threatintel.indicator.url.path": "/kings/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://carirero.net/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:45.959Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -999,32 +1062,34 @@ "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:45.959Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "carirero.net", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://carirero.net/login.php", + "threat.indicator.url.original": "http://carirero.net/login.php", + "threat.indicator.url.path": "/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime", + "anomali.limo.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-64", + "threatstream-confidence-30", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:45.959Z", - "threatintel.anomali.name": "mal_url: http://carirero.net/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:46.025Z", + "anomali.limo.name": "mal_ip: 74.116.84.20", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://carirero.net/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:45.959Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:45.959Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "carirero.net", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://carirero.net/login.php", - "threatintel.indicator.url.original": "http://carirero.net/login.php", - "threatintel.indicator.url.path": "/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '74.116.84.20']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:46.025Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1041,27 +1106,29 @@ "threatstream-confidence-30", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:46.025Z", + "threat.indicator.ip": "74.116.84.20", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-30", + "threatstream-confidence-43", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:46.025Z", - "threatintel.anomali.name": "mal_ip: 74.116.84.20", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:00:57.729Z", + "anomali.limo.name": "mal_url: http://tuu.nu/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '74.116.84.20']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:46.025Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:46.025Z", - "threatintel.indicator.ip": "74.116.84.20", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tuu.nu/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:00:57.729Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1078,31 +1145,33 @@ "threatstream-confidence-43", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:00:57.729Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tuu.nu", + "threat.indicator.url.full": "http://tuu.nu/login", + "threat.indicator.url.original": "http://tuu.nu/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime", + "anomali.limo.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-43", + "threatstream-confidence-36", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:00:57.729Z", - "threatintel.anomali.name": "mal_url: http://tuu.nu/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:02.696Z", + "anomali.limo.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tuu.nu/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z", - "threatintel.indicator.first_seen": "2020-01-22T03:00:57.729Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tuu.nu", - "threatintel.indicator.url.full": "http://tuu.nu/login", - "threatintel.indicator.url.original": "http://tuu.nu/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:02.696Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1119,32 +1188,34 @@ "threatstream-confidence-36", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime", - "threatintel.anomali.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:02.696Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "dulfix.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-36", + "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:02.696Z", - "threatintel.anomali.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:02.807Z", + "anomali.limo.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:02.696Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:02.696Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "dulfix.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:02.807Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1161,32 +1232,34 @@ "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:02.807Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "deliciasdvally.com.pe", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-65", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:02.807Z", - "threatintel.anomali.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:24.810Z", + "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:02.807Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:02.807Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "deliciasdvally.com.pe", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:24.81Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1203,32 +1276,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:24.810Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "nkpotu.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php", + "threat.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php", + "threat.indicator.url.path": "/Kpot1/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", + "anomali.limo.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:24.810Z", - "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:41.158Z", + "anomali.limo.name": "mal_ip: 194.87.147.80", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:24.81Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:24.810Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "nkpotu.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php", - "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php", - "threatintel.indicator.url.path": "/Kpot1/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '194.87.147.80']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:41.158Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1245,27 +1320,29 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", - "threatintel.anomali.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:41.158Z", + "threat.indicator.ip": "194.87.147.80", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime", + "anomali.limo.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:41.158Z", - "threatintel.anomali.name": "mal_ip: 194.87.147.80", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:57.189Z", + "anomali.limo.name": "mal_url: http://35.158.92.3/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '194.87.147.80']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:41.158Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:41.158Z", - "threatintel.indicator.ip": "194.87.147.80", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:57.189Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1282,32 +1359,34 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:57.189Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "35.158.92.3", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://35.158.92.3/panel/admin.php", + "threat.indicator.url.original": "http://35.158.92.3/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-42", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:57.189Z", - "threatintel.anomali.name": "mal_url: http://35.158.92.3/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:01:57.279Z", + "anomali.limo.name": "mal_ip: 45.95.168.70", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:57.189Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:57.189Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "35.158.92.3", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://35.158.92.3/panel/admin.php", - "threatintel.indicator.url.original": "http://35.158.92.3/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '45.95.168.70']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:01:57.279Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1324,27 +1403,29 @@ "threatstream-confidence-42", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:01:57.279Z", + "threat.indicator.ip": "45.95.168.70", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-42", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:01:57.279Z", - "threatintel.anomali.name": "mal_ip: 45.95.168.70", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:02:50.570Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '45.95.168.70']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:57.279Z", - "threatintel.indicator.first_seen": "2020-01-22T03:01:57.279Z", - "threatintel.indicator.ip": "45.95.168.70", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:02:50.57Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1361,32 +1442,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:02:50.570Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-26", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:02:50.570Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:02:52.496Z", + "anomali.limo.name": "mal_url: http://f0391600.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:02:50.57Z", - "threatintel.indicator.first_seen": "2020-01-22T03:02:50.570Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0391600.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:02:52.496Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1403,31 +1486,33 @@ "threatstream-confidence-26", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:02:52.496Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0391600.xsph.ru", + "threat.indicator.url.full": "http://f0391600.xsph.ru/login", + "threat.indicator.url.original": "http://f0391600.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-26", + "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:02:52.496Z", - "threatintel.anomali.name": "mal_url: http://f0391600.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:03:42.819Z", + "anomali.limo.name": "mal_url: http://extraclick.space/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0391600.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z", - "threatintel.indicator.first_seen": "2020-01-22T03:02:52.496Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0391600.xsph.ru", - "threatintel.indicator.url.full": "http://f0391600.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0391600.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://extraclick.space/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:03:42.819Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1444,32 +1529,34 @@ "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:03:42.819Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "extraclick.space", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://extraclick.space/login.php", + "threat.indicator.url.original": "http://extraclick.space/login.php", + "threat.indicator.url.path": "/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime", + "anomali.limo.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-94", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:03:42.819Z", - "threatintel.anomali.name": "mal_url: http://extraclick.space/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:03:52.044Z", + "anomali.limo.name": "mal_url: http://petrogarmani.pw/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://extraclick.space/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:03:42.819Z", - "threatintel.indicator.first_seen": "2020-01-22T03:03:42.819Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "extraclick.space", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://extraclick.space/login.php", - "threatintel.indicator.url.original": "http://extraclick.space/login.php", - "threatintel.indicator.url.path": "/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://petrogarmani.pw/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:03:52.044Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1486,32 +1573,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime", - "threatintel.anomali.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:03:52.044Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "petrogarmani.pw", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://petrogarmani.pw/login.php", + "threat.indicator.url.original": "http://petrogarmani.pw/login.php", + "threat.indicator.url.path": "/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:03:52.044Z", - "threatintel.anomali.name": "mal_url: http://petrogarmani.pw/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:01.650Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://petrogarmani.pw/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:03:52.044Z", - "threatintel.indicator.first_seen": "2020-01-22T03:03:52.044Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "petrogarmani.pw", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://petrogarmani.pw/login.php", - "threatintel.indicator.url.original": "http://petrogarmani.pw/login.php", - "threatintel.indicator.url.path": "/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:01.65Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1528,32 +1617,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:01.650Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php", + "threat.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", + "threat.indicator.url.path": "/mighty/32/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", + "anomali.limo.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-92", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:01.650Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:32.717Z", + "anomali.limo.name": "mal_url: http://zanlma.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:01.65Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:01.650Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.indicator.url.path": "/mighty/32/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://zanlma.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:32.717Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1570,31 +1661,33 @@ "threatstream-confidence-92", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:32.717Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "zanlma.com", + "threat.indicator.url.full": "http://zanlma.com/login", + "threat.indicator.url.original": "http://zanlma.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-92", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:32.717Z", - "threatintel.anomali.name": "mal_url: http://zanlma.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:56.858Z", + "anomali.limo.name": "mal_url: http://f0369688.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://zanlma.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:32.717Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "zanlma.com", - "threatintel.indicator.url.full": "http://zanlma.com/login", - "threatintel.indicator.url.original": "http://zanlma.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:56.858Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1611,31 +1704,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:56.858Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0369688.xsph.ru", + "threat.indicator.url.full": "http://f0369688.xsph.ru/login", + "threat.indicator.url.original": "http://f0369688.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:56.858Z", - "threatintel.anomali.name": "mal_url: http://f0369688.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:59.245Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:56.858Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0369688.xsph.ru", - "threatintel.indicator.url.full": "http://f0369688.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0369688.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:59.245Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1652,32 +1747,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:59.245Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-57", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:59.245Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:00:22.287Z", + "anomali.limo.name": "mal_ip: 192.185.214.199", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:59.245Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:59.245Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.185.214.199']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:00:22.287Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1694,27 +1791,29 @@ "threatstream-confidence-57", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:00:22.287Z", + "threat.indicator.ip": "192.185.214.199", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", + "anomali.limo.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-57", + "threatstream-confidence-24", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:00:22.287Z", - "threatintel.anomali.name": "mal_ip: 192.185.214.199", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:01:11.329Z", + "anomali.limo.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.214.199']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:00:22.287Z", - "threatintel.indicator.first_seen": "2020-01-23T03:00:22.287Z", - "threatintel.indicator.ip": "192.185.214.199", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:01:11.329Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1731,32 +1830,34 @@ "threatstream-confidence-24", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:01:11.329Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "softtouchcollars.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-24", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:01:11.329Z", - "threatintel.anomali.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:01:36.682Z", + "anomali.limo.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:01:11.329Z", - "threatintel.indicator.first_seen": "2020-01-23T03:01:11.329Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "softtouchcollars.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:01:36.682Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1773,32 +1874,34 @@ "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:01:36.682Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "imobiliariatirol.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php", + "threat.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", + "threat.indicator.url.path": "/gh/panelnew/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-61", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:01:36.682Z", - "threatintel.anomali.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:02:15.854Z", + "anomali.limo.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:01:36.682Z", - "threatintel.indicator.first_seen": "2020-01-23T03:01:36.682Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "imobiliariatirol.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.indicator.url.path": "/gh/panelnew/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:02:15.854Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1815,32 +1918,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:02:15.854Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "deliveryexpressworld.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:02:15.854Z", - "threatintel.anomali.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:02:47.364Z", + "anomali.limo.name": "mal_url: http://f0392261.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:02:15.854Z", - "threatintel.indicator.first_seen": "2020-01-23T03:02:15.854Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "deliveryexpressworld.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:02:47.364Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1857,31 +1962,33 @@ "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:02:47.364Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0392261.xsph.ru", + "threat.indicator.url.full": "http://f0392261.xsph.ru/login", + "threat.indicator.url.original": "http://f0392261.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-62", + "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:02:47.364Z", - "threatintel.anomali.name": "mal_url: http://f0392261.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:05.048Z", + "anomali.limo.name": "mal_url: http://104.168.99.168/panel/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z", - "threatintel.indicator.first_seen": "2020-01-23T03:02:47.364Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0392261.xsph.ru", - "threatintel.indicator.url.full": "http://f0392261.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0392261.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:05.048Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1898,32 +2005,34 @@ "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:05.048Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "104.168.99.168", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php", + "threat.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", + "threat.indicator.url.path": "/panel/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-80", + "threatstream-confidence-69", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:05.048Z", - "threatintel.anomali.name": "mal_url: http://104.168.99.168/panel/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:15.734Z", + "anomali.limo.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:05.048Z", - "threatintel.indicator.first_seen": "2020-01-23T03:03:05.048Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "104.168.99.168", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php", - "threatintel.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", - "threatintel.indicator.url.path": "/panel/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:15.734Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1940,32 +2049,34 @@ "threatstream-confidence-69", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:15.734Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387404.xsph.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php", + "threat.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-69", + "threatstream-confidence-72", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:15.734Z", - "threatintel.anomali.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:42.599Z", + "anomali.limo.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:15.734Z", - "threatintel.indicator.first_seen": "2020-01-23T03:03:15.734Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0387404.xsph.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php", - "threatintel.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:42.599Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -1982,32 +2093,34 @@ "threatstream-confidence-72", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:42.599Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "a0386457.xsph.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php", + "threat.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-72", + "threatstream-confidence-74", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:42.599Z", - "threatintel.anomali.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.821Z", + "anomali.limo.name": "mal_url: http://defenseisrael.com/dis/index.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:42.599Z", - "threatintel.indicator.first_seen": "2020-01-23T03:03:42.599Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "a0386457.xsph.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php", - "threatintel.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.821Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2024,32 +2137,34 @@ "threatstream-confidence-74", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.821Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "defenseisrael.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://defenseisrael.com/dis/index.php", + "threat.indicator.url.original": "http://defenseisrael.com/dis/index.php", + "threat.indicator.url.path": "/dis/index.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-74", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.821Z", - "threatintel.anomali.name": "mal_url: http://defenseisrael.com/dis/index.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.857Z", + "anomali.limo.name": "mal_ip: 91.215.170.249", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.821Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.821Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "defenseisrael.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://defenseisrael.com/dis/index.php", - "threatintel.indicator.url.original": "http://defenseisrael.com/dis/index.php", - "threatintel.indicator.url.path": "/dis/index.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '91.215.170.249']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.857Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2066,27 +2181,29 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.857Z", + "threat.indicator.ip": "91.215.170.249", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.857Z", - "threatintel.anomali.name": "mal_ip: 91.215.170.249", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.883Z", + "anomali.limo.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '91.215.170.249']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.857Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.857Z", - "threatintel.indicator.ip": "91.215.170.249", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.883Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2103,31 +2220,33 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.883Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", + "threat.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.883Z", - "threatintel.anomali.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:12.997Z", + "anomali.limo.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.883Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:12.997Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2144,32 +2263,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:12.997Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "byedtronchgroup.yt", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:12.997Z", - "threatintel.anomali.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:13.025Z", + "anomali.limo.name": "mal_url: http://199.192.28.11/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:12.997Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:12.997Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "byedtronchgroup.yt", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:13.025Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2186,32 +2307,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:13.025Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "199.192.28.11", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://199.192.28.11/panel/admin.php", + "threat.indicator.url.original": "http://199.192.28.11/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:13.025Z", - "threatintel.anomali.name": "mal_url: http://199.192.28.11/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:32.901Z", + "anomali.limo.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:13.025Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:13.025Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "199.192.28.11", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://199.192.28.11/panel/admin.php", - "threatintel.indicator.url.original": "http://199.192.28.11/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:32.901Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2228,32 +2351,34 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:32.901Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "217.8.117.51", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php", + "threat.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", + "threat.indicator.url.path": "/aW8bVds1/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:32.901Z", - "threatintel.anomali.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:32.929Z", + "anomali.limo.name": "mal_url: http://lansome.site/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:32.901Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:32.901Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "217.8.117.51", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php", - "threatintel.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", - "threatintel.indicator.url.path": "/aW8bVds1/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lansome.site/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:32.929Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2270,31 +2395,33 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:32.929Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lansome.site", + "threat.indicator.url.full": "http://lansome.site/login", + "threat.indicator.url.original": "http://lansome.site/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:32.929Z", - "threatintel.anomali.name": "mal_url: http://lansome.site/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:49.028Z", + "anomali.limo.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lansome.site/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:32.929Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lansome.site", - "threatintel.indicator.url.full": "http://lansome.site/login", - "threatintel.indicator.url.original": "http://lansome.site/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:49.028Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2311,32 +2438,34 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:49.028Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "iplusvietnam.com.vn", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:49.028Z", - "threatintel.anomali.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:03.345Z", + "anomali.limo.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:49.028Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:49.028Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "iplusvietnam.com.vn", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:03.345Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2353,32 +2482,34 @@ "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:03.345Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "leakaryadeen.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", + "anomali.limo.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-94", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:03.345Z", - "threatintel.anomali.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:16.318Z", + "anomali.limo.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:03.345Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:03.345Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "leakaryadeen.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:16.318Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2395,32 +2526,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:16.318Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:16.318Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:16.358Z", + "anomali.limo.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:16.318Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:16.318Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:16.358Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2437,32 +2570,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:16.358Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "thaubenuocngam.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:16.358Z", - "threatintel.anomali.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:32.126Z", + "anomali.limo.name": "mal_url: http://suspiciousactivity.xyz/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:16.358Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:16.358Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "thaubenuocngam.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:32.126Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2479,31 +2614,33 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:32.126Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "suspiciousactivity.xyz", + "threat.indicator.url.full": "http://suspiciousactivity.xyz/login", + "threat.indicator.url.original": "http://suspiciousactivity.xyz/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7", + "anomali.limo.labels": [ "malicious-activity", "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:32.126Z", - "threatintel.anomali.name": "mal_url: http://suspiciousactivity.xyz/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:37.603Z", + "anomali.limo.name": "mal_url: http://217.8.117.8/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:32.126Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "suspiciousactivity.xyz", - "threatintel.indicator.url.full": "http://suspiciousactivity.xyz/login", - "threatintel.indicator.url.original": "http://suspiciousactivity.xyz/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://217.8.117.8/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:37.603Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2520,31 +2657,33 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:37.603Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "217.8.117.8", + "threat.indicator.url.full": "http://217.8.117.8/login", + "threat.indicator.url.original": "http://217.8.117.8/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:37.603Z", - "threatintel.anomali.name": "mal_url: http://217.8.117.8/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:37.643Z", + "anomali.limo.name": "mal_url: http://f0387550.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.8/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:37.603Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "217.8.117.8", - "threatintel.indicator.url.full": "http://217.8.117.8/login", - "threatintel.indicator.url.original": "http://217.8.117.8/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:37.643Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2561,31 +2700,33 @@ "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:37.643Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387550.xsph.ru", + "threat.indicator.url.full": "http://f0387550.xsph.ru/login", + "threat.indicator.url.original": "http://f0387550.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-71", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:37.643Z", - "threatintel.anomali.name": "mal_url: http://f0387550.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:39.465Z", + "anomali.limo.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:37.643Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0387550.xsph.ru", - "threatintel.indicator.url.full": "http://f0387550.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0387550.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:39.465Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2602,31 +2743,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:39.465Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", + "threat.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:39.465Z", - "threatintel.anomali.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:02.031Z", + "anomali.limo.name": "mal_ip: 206.217.131.245", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:39.465Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '206.217.131.245']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:02.031Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2643,27 +2786,29 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:02.031Z", + "threat.indicator.ip": "206.217.131.245", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", + "anomali.limo.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-52", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:02.031Z", - "threatintel.anomali.name": "mal_ip: 206.217.131.245", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:15.878Z", + "anomali.limo.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '206.217.131.245']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:02.031Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:02.031Z", - "threatintel.indicator.ip": "206.217.131.245", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:15.878Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2680,32 +2825,34 @@ "threatstream-confidence-52", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:15.878Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "67.215.224.101", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php", + "threat.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", + "threat.indicator.url.path": "/a1/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-52", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:15.878Z", - "threatintel.anomali.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:29.155Z", + "anomali.limo.name": "mal_ip: 162.241.73.163", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:15.878Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:15.878Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "67.215.224.101", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php", - "threatintel.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", - "threatintel.indicator.url.path": "/a1/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '162.241.73.163']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:29.155Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2722,27 +2869,29 @@ "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:29.155Z", + "threat.indicator.ip": "162.241.73.163", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-58", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:29.155Z", - "threatintel.anomali.name": "mal_ip: 162.241.73.163", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:50.233Z", + "anomali.limo.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '162.241.73.163']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:29.155Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:29.155Z", - "threatintel.indicator.ip": "162.241.73.163", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:50.233Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2759,31 +2908,33 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:50.233Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "l60bdd58.justinstalledpanel.com", + "threat.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-25", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:50.233Z", - "threatintel.anomali.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:50.255Z", + "anomali.limo.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:50.233Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:50.255Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2800,32 +2951,34 @@ "threatstream-confidence-25", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:50.255Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "107.175.150.73", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.path": "/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-25", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:50.255Z", - "threatintel.anomali.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:52.536Z", + "anomali.limo.name": "mal_url: http://5.188.60.52/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:50.255Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:50.255Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "107.175.150.73", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.path": "/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://5.188.60.52/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:52.536Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2842,31 +2995,33 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:52.536Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "5.188.60.52", + "threat.indicator.url.full": "http://5.188.60.52/login", + "threat.indicator.url.original": "http://5.188.60.52/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:52.536Z", - "threatintel.anomali.name": "mal_url: http://5.188.60.52/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:54.784Z", + "anomali.limo.name": "mal_url: http://trotdeiman.ga/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://5.188.60.52/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:52.536Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "5.188.60.52", - "threatintel.indicator.url.full": "http://5.188.60.52/login", - "threatintel.indicator.url.original": "http://5.188.60.52/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://trotdeiman.ga/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:54.784Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2883,31 +3038,33 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:54.784Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "trotdeiman.ga", + "threat.indicator.url.full": "http://trotdeiman.ga/login", + "threat.indicator.url.original": "http://trotdeiman.ga/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:54.784Z", - "threatintel.anomali.name": "mal_url: http://trotdeiman.ga/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:54.815Z", + "anomali.limo.name": "mal_ip: 217.8.117.8", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://trotdeiman.ga/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:54.784Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "trotdeiman.ga", - "threatintel.indicator.url.full": "http://trotdeiman.ga/login", - "threatintel.indicator.url.original": "http://trotdeiman.ga/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.8']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:54.815Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2924,27 +3081,29 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:54.815Z", + "threat.indicator.ip": "217.8.117.8", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", + "anomali.limo.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:54.815Z", - "threatintel.anomali.name": "mal_ip: 217.8.117.8", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:01.726Z", + "anomali.limo.name": "mal_ip: 104.223.170.113", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.8']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:54.815Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:54.815Z", - "threatintel.indicator.ip": "217.8.117.8", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '104.223.170.113']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:01.726Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2961,27 +3120,29 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:01.726Z", + "threat.indicator.ip": "104.223.170.113", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:01.726Z", - "threatintel.anomali.name": "mal_ip: 104.223.170.113", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:01.762Z", + "anomali.limo.name": "mal_url: http://tavim.org/includes/firmino/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '104.223.170.113']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:01.726Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:01.726Z", - "threatintel.indicator.ip": "104.223.170.113", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:01.762Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -2998,32 +3159,34 @@ "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:01.762Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tavim.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://tavim.org/includes/firmino/admin.php", + "threat.indicator.url.original": "http://tavim.org/includes/firmino/admin.php", + "threat.indicator.url.path": "/includes/firmino/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-58", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:01.762Z", - "threatintel.anomali.name": "mal_url: http://tavim.org/includes/firmino/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:10.928Z", + "anomali.limo.name": "mal_url: http://onlinesecuritycenter.xyz/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:01.762Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:01.762Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tavim.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://tavim.org/includes/firmino/admin.php", - "threatintel.indicator.url.original": "http://tavim.org/includes/firmino/admin.php", - "threatintel.indicator.url.path": "/includes/firmino/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:10.928Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3040,31 +3203,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:10.928Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "onlinesecuritycenter.xyz", + "threat.indicator.url.full": "http://onlinesecuritycenter.xyz/login", + "threat.indicator.url.original": "http://onlinesecuritycenter.xyz/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", + "anomali.limo.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:10.928Z", - "threatintel.anomali.name": "mal_url: http://onlinesecuritycenter.xyz/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:20.166Z", + "anomali.limo.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:10.928Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz", - "threatintel.indicator.url.full": "http://onlinesecuritycenter.xyz/login", - "threatintel.indicator.url.original": "http://onlinesecuritycenter.xyz/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:20.166Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3081,32 +3246,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:20.166Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:20.166Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:24.048Z", + "anomali.limo.name": "mal_url: http://jumbajumbadun.fun/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:20.166Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:20.166Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://jumbajumbadun.fun/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:24.048Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3123,31 +3290,33 @@ "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:24.048Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "jumbajumbadun.fun", + "threat.indicator.url.full": "http://jumbajumbadun.fun/login", + "threat.indicator.url.original": "http://jumbajumbadun.fun/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-90", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:24.048Z", - "threatintel.anomali.name": "mal_url: http://jumbajumbadun.fun/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:55.816Z", + "anomali.limo.name": "mal_url: http://tavim.org/includes/salah/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://jumbajumbadun.fun/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:24.048Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "jumbajumbadun.fun", - "threatintel.indicator.url.full": "http://jumbajumbadun.fun/login", - "threatintel.indicator.url.original": "http://jumbajumbadun.fun/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:55.816Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3164,32 +3333,34 @@ "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:55.816Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tavim.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://tavim.org/includes/salah/admin.php", + "threat.indicator.url.original": "http://tavim.org/includes/salah/admin.php", + "threat.indicator.url.path": "/includes/salah/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-58", + "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:55.816Z", - "threatintel.anomali.name": "mal_url: http://tavim.org/includes/salah/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:01:10.501Z", + "anomali.limo.name": "mal_url: http://l0c23205.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:55.816Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:55.816Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tavim.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://tavim.org/includes/salah/admin.php", - "threatintel.indicator.url.original": "http://tavim.org/includes/salah/admin.php", - "threatintel.indicator.url.path": "/includes/salah/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:01:10.501Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3206,31 +3377,33 @@ "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:01:10.501Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "l0c23205.justinstalledpanel.com", + "threat.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-80", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:01:10.501Z", - "threatintel.anomali.name": "mal_url: http://l0c23205.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:01:10.518Z", + "anomali.limo.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z", - "threatintel.indicator.first_seen": "2020-01-24T03:01:10.501Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:01:10.518Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3247,31 +3420,33 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:01:10.518Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "l535e9e5.justinstalledpanel.com", + "threat.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:01:10.518Z", - "threatintel.anomali.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:01:14.843Z", + "anomali.limo.name": "mal_ip: 217.8.117.47", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z", - "threatintel.indicator.first_seen": "2020-01-24T03:01:10.518Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.47']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:01:14.843Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3288,27 +3463,29 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:01:14.843Z", + "threat.indicator.ip": "217.8.117.47", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:01:14.843Z", - "threatintel.anomali.name": "mal_ip: 217.8.117.47", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:12.699Z", + "anomali.limo.name": "mal_url: http://46.161.27.57/northon/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.47']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:01:14.843Z", - "threatintel.indicator.first_seen": "2020-01-24T03:01:14.843Z", - "threatintel.indicator.ip": "217.8.117.47", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://46.161.27.57/northon/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:12.699Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3325,31 +3502,33 @@ "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:12.699Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "46.161.27.57", + "threat.indicator.url.full": "http://46.161.27.57/northon/", + "threat.indicator.url.original": "http://46.161.27.57/northon/", + "threat.indicator.url.path": "/northon/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-67", + "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:12.699Z", - "threatintel.anomali.name": "mal_url: http://46.161.27.57/northon/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:28.034Z", + "anomali.limo.name": "mal_url: http://104.168.99.170/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57/northon/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:12.699Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "46.161.27.57", - "threatintel.indicator.url.full": "http://46.161.27.57/northon/", - "threatintel.indicator.url.original": "http://46.161.27.57/northon/", - "threatintel.indicator.url.path": "/northon/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://104.168.99.170/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:28.034Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3366,31 +3545,33 @@ "threatstream-confidence-90", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:28.034Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "104.168.99.170", + "threat.indicator.url.full": "http://104.168.99.170/login", + "threat.indicator.url.original": "http://104.168.99.170/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-90", + "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:28.034Z", - "threatintel.anomali.name": "mal_url: http://104.168.99.170/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:38.187Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.170/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:28.034Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "104.168.99.170", - "threatintel.indicator.url.full": "http://104.168.99.170/login", - "threatintel.indicator.url.original": "http://104.168.99.170/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:38.187Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3407,32 +3588,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:38.187Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-89", + "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:38.187Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:38.214Z", + "anomali.limo.name": "mal_url: http://f0391587.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:38.187Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:38.187Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0391587.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:38.214Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3449,31 +3632,33 @@ "threatstream-confidence-65", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:38.214Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0391587.xsph.ru", + "threat.indicator.url.full": "http://f0391587.xsph.ru/login", + "threat.indicator.url.original": "http://f0391587.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-65", + "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:38.214Z", - "threatintel.anomali.name": "mal_url: http://f0391587.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:47.281Z", + "anomali.limo.name": "mal_url: http://46.161.27.57:8080/northon/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0391587.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:38.214Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0391587.xsph.ru", - "threatintel.indicator.url.full": "http://f0391587.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0391587.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:47.281Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3490,32 +3675,34 @@ "threatstream-confidence-67", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:47.281Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "46.161.27.57", + "threat.indicator.url.full": "http://46.161.27.57:8080/northon/", + "threat.indicator.url.original": "http://46.161.27.57:8080/northon/", + "threat.indicator.url.path": "/northon/", + "threat.indicator.url.port": 8080, + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-67", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:47.281Z", - "threatintel.anomali.name": "mal_url: http://46.161.27.57:8080/northon/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:51.296Z", + "anomali.limo.name": "mal_url: http://f0393086.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:47.281Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "46.161.27.57", - "threatintel.indicator.url.full": "http://46.161.27.57:8080/northon/", - "threatintel.indicator.url.original": "http://46.161.27.57:8080/northon/", - "threatintel.indicator.url.path": "/northon/", - "threatintel.indicator.url.port": 8080, - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0393086.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:51.296Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3532,31 +3719,33 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:51.296Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0393086.xsph.ru", + "threat.indicator.url.full": "http://f0393086.xsph.ru/login", + "threat.indicator.url.original": "http://f0393086.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:51.296Z", - "threatintel.anomali.name": "mal_url: http://f0393086.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:56.007Z", + "anomali.limo.name": "mal_url: http://insuncos.com/files1/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0393086.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:51.296Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0393086.xsph.ru", - "threatintel.indicator.url.full": "http://f0393086.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0393086.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:56.007Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3573,32 +3762,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:56.007Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "insuncos.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://insuncos.com/files1/panel/admin.php", + "threat.indicator.url.original": "http://insuncos.com/files1/panel/admin.php", + "threat.indicator.url.path": "/files1/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime", + "anomali.limo.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:56.007Z", - "threatintel.anomali.name": "mal_url: http://insuncos.com/files1/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:57:56.044Z", + "anomali.limo.name": "mal_url: http://tg-h.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:56.007Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:56.007Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "insuncos.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://insuncos.com/files1/panel/admin.php", - "threatintel.indicator.url.original": "http://insuncos.com/files1/panel/admin.php", - "threatintel.indicator.url.path": "/files1/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tg-h.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:57:56.044Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3615,31 +3806,33 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime", - "threatintel.anomali.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:57:56.044Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tg-h.ru", + "threat.indicator.url.full": "http://tg-h.ru/login", + "threat.indicator.url.original": "http://tg-h.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-89", + "threatstream-confidence-86", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:57:56.044Z", - "threatintel.anomali.name": "mal_url: http://tg-h.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:11.038Z", + "anomali.limo.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://tg-h.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z", - "threatintel.indicator.first_seen": "2020-01-25T02:57:56.044Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tg-h.ru", - "threatintel.indicator.url.full": "http://tg-h.ru/login", - "threatintel.indicator.url.original": "http://tg-h.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:11.038Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3656,32 +3849,34 @@ "threatstream-confidence-86", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:11.038Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "wusetwo.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", + "anomali.limo.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-86", + "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:11.038Z", - "threatintel.anomali.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:20.420Z", + "anomali.limo.name": "mal_url: http://185.234.217.36/northon/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:11.038Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:11.038Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "wusetwo.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://185.234.217.36/northon/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:20.42Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3698,31 +3893,33 @@ "threatstream-confidence-64", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:20.420Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "185.234.217.36", + "threat.indicator.url.full": "http://185.234.217.36/northon/", + "threat.indicator.url.original": "http://185.234.217.36/northon/", + "threat.indicator.url.path": "/northon/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime", + "anomali.limo.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-64", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:20.420Z", - "threatintel.anomali.name": "mal_url: http://185.234.217.36/northon/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:20.448Z", + "anomali.limo.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://185.234.217.36/northon/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:20.42Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:20.420Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "185.234.217.36", - "threatintel.indicator.url.full": "http://185.234.217.36/northon/", - "threatintel.indicator.url.original": "http://185.234.217.36/northon/", - "threatintel.indicator.url.path": "/northon/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:20.448Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3739,32 +3936,34 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:20.448Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "topik07.mcdir.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php", + "threat.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php", + "threat.indicator.url.path": "/papka/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:20.448Z", - "threatintel.anomali.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:33.189Z", + "anomali.limo.name": "mal_url: http://insuncos.com/files2/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:20.448Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:20.448Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "topik07.mcdir.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php", - "threatintel.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php", - "threatintel.indicator.url.path": "/papka/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:33.189Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3781,32 +3980,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:33.189Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "insuncos.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://insuncos.com/files2/panel/admin.php", + "threat.indicator.url.original": "http://insuncos.com/files2/panel/admin.php", + "threat.indicator.url.path": "/files2/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", + "anomali.limo.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-47", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:33.189Z", - "threatintel.anomali.name": "mal_url: http://insuncos.com/files2/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:49.056Z", + "anomali.limo.name": "mal_url: http://185.234.218.68/kaspersky/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:33.189Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:33.189Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "insuncos.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://insuncos.com/files2/panel/admin.php", - "threatintel.indicator.url.original": "http://insuncos.com/files2/panel/admin.php", - "threatintel.indicator.url.path": "/files2/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:49.056Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3823,31 +4024,33 @@ "threatstream-confidence-47", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:49.056Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "185.234.218.68", + "threat.indicator.url.full": "http://185.234.218.68/kaspersky/", + "threat.indicator.url.original": "http://185.234.218.68/kaspersky/", + "threat.indicator.url.path": "/kaspersky/", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-47", + "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:49.056Z", - "threatintel.anomali.name": "mal_url: http://185.234.218.68/kaspersky/", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:58:59.472Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:49.056Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "185.234.218.68", - "threatintel.indicator.url.full": "http://185.234.218.68/kaspersky/", - "threatintel.indicator.url.original": "http://185.234.218.68/kaspersky/", - "threatintel.indicator.url.path": "/kaspersky/", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:58:59.472Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3864,32 +4067,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:58:59.472Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae", + "anomali.limo.labels": [ "malicious-activity", "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:58:59.472Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:27.070Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:58:59.472Z", - "threatintel.indicator.first_seen": "2020-01-25T02:58:59.472Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:27.07Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3906,32 +4111,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:27.070Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23", + "anomali.limo.labels": [ "malicious-activity", "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:27.070Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:28.967Z", + "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:27.07Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:27.070Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:28.967Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3948,32 +4155,34 @@ "threatstream-confidence-89", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:28.967Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "officelog.org", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-89", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:28.967Z", - "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:37.661Z", + "anomali.limo.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:28.967Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:28.967Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "officelog.org", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", - "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:37.661Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -3990,32 +4199,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:37.661Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-53", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:37.661Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:37.692Z", + "anomali.limo.name": "mal_ip: 192.64.118.56", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:37.661Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:37.661Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.64.118.56']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:37.692Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -4032,27 +4243,29 @@ "threatstream-confidence-53", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:37.692Z", + "threat.indicator.ip": "192.64.118.56", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-53", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:37.692Z", - "threatintel.anomali.name": "mal_ip: 192.64.118.56", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:54.296Z", + "anomali.limo.name": "mal_url: http://insuncos.com/files3/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.64.118.56']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:37.692Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:37.692Z", - "threatintel.indicator.ip": "192.64.118.56", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:54.296Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", @@ -4069,29 +4282,16 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a", - "threatintel.anomali.labels": [ - "malicious-activity", - "threatstream-confidence-87", - "threatstream-severity-medium" - ], - "threatintel.anomali.modified": "2020-01-25T02:59:54.296Z", - "threatintel.anomali.name": "mal_url: http://insuncos.com/files3/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:54.296Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:54.296Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "insuncos.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://insuncos.com/files3/panel/admin.php", - "threatintel.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", - "threatintel.indicator.url.path": "/files3/panel/admin.php", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:54.296Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "insuncos.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://insuncos.com/files3/panel/admin.php", + "threat.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", + "threat.indicator.url.path": "/files3/panel/admin.php", + "threat.indicator.url.scheme": "http" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml index de0ededab33c..41fae21921cb 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: anomalithreatstream +- name: anomali.threatstream type: group description: > Fields for Anomali ThreatStream diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml index f6cfe0243053..4d814c03fe56 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml @@ -1,7 +1,6 @@ {{ if eq .input "http_endpoint" }} type: http_endpoint -enabled: true listen_address: {{ .listen_address }} listen_port: {{ .listen_port }} @@ -16,12 +15,12 @@ hmac: prefix: sha256= {{ end }} -{{ if .ssl_certificate }} -ssl: - enabled: true - certificate: {{ .ssl_certificate }} - key: {{ .ssl_key }} - verification_mode: none +{{ if .ssl }} +ssl: {{ .ssl | tojson }} +{{ end }} + +{{ if .preserve_original_event }} +preserve_original_event: true {{ end }} {{ else if eq .input "file" }} @@ -35,24 +34,12 @@ exclude_files: [".gz$"] json.add_error_key: true {{ end }} -tags: {{.tags | tojson}} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - fingerprint: - fields: - - event.dataset - - json.id - target_field: '@metadata._id' - encoding: base64 - - script: - lang: javascript - id: my_filter - source: > - function process(event) { - event.Put("@metadata.op_type", "index"); - } +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml index 22644d79518a..50b5c6c7bb2a 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml @@ -1,19 +1,21 @@ +--- description: Pipeline for parsing Anomali ThreatStream processors: - # - # Safeguard against feeding the pipeline with documents other - # that the ones generated by Filebeat's http_endpoint input. - # - - fail: - if: "ctx.json == null || !(ctx.json instanceof Map)" - message: "missing json object in input document" - # # Set basic ECS fields. # - set: field: event.ingested value: "{{{ _ingest.timestamp }}}" + - set: + field: ecs.version + value: "1.12" + - fingerprint: + fields: + - event.dataset + - json.id + target_field: "_id" + ignore_missing: true - set: field: event.kind value: enrichment @@ -24,14 +26,21 @@ processors: field: event.type value: indicator + - set: + field: threat.feed.name + value: "[Filebeat] Anomali ThreatStream" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" + # - # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). # - script: lang: painless if: "ctx.json.itype != null" description: > - Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). params: actor_ip: ipv4-addr adware_domain: domain-name @@ -125,26 +134,26 @@ processors: - rename: field: threatintel_indicator_type - target_field: threatintel.indicator.type + target_field: threat.indicator.type ignore_missing: true # # Detect ipv6 for ipv4-addr types. # - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")' + if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json?.srcip != null && ctx.json.srcip.contains(":")' # # Map first and last seen dates. # - date: field: json.date_first - target_field: threatintel.indicator.first_seen + target_field: threat.indicator.first_seen formats: - ISO8601 - if: "ctx.json.date_first != null" + if: "ctx.json?.date_first != null" on_failure: - append: field: error.message @@ -152,10 +161,10 @@ processors: - date: field: json.date_last - target_field: threatintel.indicator.last_seen + target_field: threat.indicator.last_seen formats: - ISO8601 - if: "ctx.json.date_last != null" + if: "ctx.json?.date_last != null" on_failure: - append: field: error.message @@ -166,18 +175,18 @@ processors: # - convert: field: json.lat - target_field: threatintel.indicator.geo.location.lat + target_field: threat.indicator.geo.location.lat type: double - if: "ctx.json.lat != null && ctx.json.lon != null" + if: "ctx.json?.lat != null && ctx.json?.lon != null" on_failure: - append: field: error.message value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}' - convert: field: json.lon - target_field: threatintel.indicator.geo.location.lon + target_field: threat.indicator.geo.location.lon type: double - if: "ctx.json.lat != null && ctx.json.lon != null" + if: "ctx.json?.lat != null && ctx.json?.lon != null" on_failure: - append: field: error.message @@ -190,25 +199,40 @@ processors: # private => Amber ("Limited disclosure, restricted to participants’ organizations."). # - append: - field: threatintel.indicator.marking.tlp + field: threat.indicator.marking.tlp value: Amber - if: 'ctx.json.classification == "private"' + if: 'ctx.json?.classification == "private"' - append: - field: threatintel.indicator.marking.tlp + field: threat.indicator.marking.tlp value: White - if: 'ctx.json.classification == "public"' + if: 'ctx.json?.classification == "public"' # # Convert confidence field (-1..100) to ECS confidence (0..10). # - script: lang: painless + if: ctx.json?.confidence != null description: > Normalize confidence level. source: > def value = ctx.json.confidence; - if (value == null || value < 0.0 || value > 100.0) return; - ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0); + if (value <= 0.0 || value > 100.0) { + ctx["threatintel_indicator_confidence"] = "None"; + return; + } + if (value >= 1.0 && value <= 29.0) { + ctx["threatintel_indicator_confidence"] = "Low"; + return; + } + if (value >= 30.0 && value <= 69.0) { + ctx["threatintel_indicator_confidence"] = "Med"; + return; + } + if (value >= 70 && value <= 100) { + ctx["threatintel_indicator_confidence"] = "High"; + return; + } on_failure: - append: field: error.message @@ -216,7 +240,7 @@ processors: - rename: field: threatintel_indicator_confidence - target_field: threatintel.indicator.confidence + target_field: threat.indicator.confidence ignore_missing: true # @@ -224,7 +248,7 @@ processors: # - convert: field: json.asn - target_field: threatintel.indicator.as.number + target_field: threat.indicator.as.number type: long ignore_missing: true on_failure: @@ -234,41 +258,41 @@ processors: - rename: field: json.org - target_field: threatintel.indicator.as.organization.name + target_field: threat.indicator.as.organization.name ignore_missing: true - rename: field: json.email - target_field: threatintel.indicator.email.address + target_field: threat.indicator.email.address ignore_missing: true - rename: field: json.srcip - target_field: threatintel.indicator.ip + target_field: threat.indicator.ip ignore_missing: true - uri_parts: field: json.url - target_field: threatintel.indicator.url + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: "ctx.json.url != null" + if: "ctx.json?.url != null" on_failure: - append: field: error.message value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}" - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - rename: field: json.domain - target_field: threatintel.indicator.url.domain + target_field: threat.indicator.url.domain ignore_missing: true - if: ctx.threatintel?.indicator?.url?.domain == null + if: ctx.threat?.indicator?.url?.domain == null - rename: field: json.country - target_field: threatintel.indicator.geo.country_iso_code + target_field: threat.indicator.geo.country_iso_code ignore_missing: true # @@ -277,27 +301,27 @@ processors: # - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.md5 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 32" + target_field: threat.indicator.file.hash.md5 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 32" - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.sha1 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 40" + target_field: threat.indicator.file.hash.sha1 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 40" - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.sha256 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 64" + target_field: threat.indicator.file.hash.sha256 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 64" - rename: field: json.md5 - target_field: threatintel.indicator.file.hash.sha512 - if: "ctx.json.md5 != null && ctx.json.md5.length() == 128" + target_field: threat.indicator.file.hash.sha512 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 128" - rename: field: json.source - target_field: threatintel.indicator.provider + target_field: threat.indicator.provider ignore_missing: true # @@ -310,22 +334,22 @@ processors: - set: field: event.severity value: 3 - if: 'ctx.json.severity == "low"' + if: 'ctx.json?.severity == "low"' - set: field: event.severity value: 5 - if: 'ctx.json.severity == "medium"' + if: 'ctx.json?.severity == "medium"' - set: field: event.severity value: 7 - if: 'ctx.json.severity == "high"' + if: 'ctx.json?.severity == "high"' - set: field: event.severity value: 9 - if: 'ctx.json.severity == "very-high"' + if: 'ctx.json?.severity == "very-high"' # # Field trusted_circles_ids is a comma-separated string @@ -335,24 +359,16 @@ processors: # - script: lang: painless - if: "ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String" + if: "ctx.json?.trusted_circle_ids != null && ctx.json?.trusted_circle_ids instanceof String" description: > Convert trusted_circles_ids from CSV to an array. source: > - def lst = - Stream.of(ctx.json.trusted_circle_ids.splitOnToken(",")) - .filter(s -> !s.isEmpty()) - .toArray(String[]::new); - if (lst.length > 0) { + def lst = Stream.of(ctx.json.trusted_circle_ids.splitOnToken(',')).filter(s -> !s.isEmpty()).collect(Collectors.toList()); + if (lst.size() > 0) { ctx.json.trusted_circle_ids = lst; } else { ctx.json.remove('trusted_circle_ids'); } - on_failure: - - append: - field: error.message - value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}' - # # Split detail field and append each component to ECS tags field. # @@ -372,10 +388,33 @@ processors: append: field: tags value: "{{{ _ingest._value }}}" - + # + # Convert certain fields to the correct value + # + - convert: + field: json.id + type: string + if: "ctx.json?.id != null" + - convert: + field: json.source_feed_id + type: string + if: "ctx.json?.source_feed_id != null" + - convert: + field: json.update_id + type: string + if: "ctx.json?.update_id != null" + - convert: + field: json.import_session_id + type: string + if: "ctx.json?.import_session_id != null" # # Remove fields converted to an ECS field. # + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - json.asn @@ -391,7 +430,7 @@ processors: # - rename: field: json - target_field: threatintel.anomalithreatstream + target_field: anomali.threatstream on_failure: - append: diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml index de6faeea2274..011e2bb553eb 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml @@ -8,13 +8,15 @@ var: - name: listen_port default: 8080 - name: secret - - name: ssl_certificate - - name: ssl_key + - name: ssl - name: paths default: /path/to/testing.log - name: tags default: - threatintel-anomalithreatstream + - forwarded + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json index 21c627dde57d..b101076a9e1c 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json @@ -1,5 +1,20 @@ [ { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 20, + "anomali.threatstream.detail2": "imported by user 184", + "anomali.threatstream.id": "3135167627", + "anomali.threatstream.import_session_id": "1400", + "anomali.threatstream.itype": "mal_domain", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46279656657/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3143", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "122" + ], + "anomali.threatstream.update_id": "3786618776", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -11,39 +26,44 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 20, - "threatintel.anomalithreatstream.detail2": "imported by user 184", - "threatintel.anomalithreatstream.id": 3135167627, - "threatintel.anomalithreatstream.import_session_id": 1400, - "threatintel.anomalithreatstream.itype": "mal_domain", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46279656657/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3143, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "122" - ], - "threatintel.anomalithreatstream.update_id": 3786618776, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.as.organization.name": "OVH Hosting", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-08T12:21:50.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.geo.location.lat": -49.1, - "threatintel.indicator.geo.location.lon": 94.4, - "threatintel.indicator.ip": "203.0.113.35", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.organization.name": "OVH Hosting", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-08T12:21:50.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.geo.location.lat": -49.1, + "threat.indicator.geo.location.lon": 94.4, + "threat.indicator.ip": "203.0.113.35", + "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "d4xgfj.example.net" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "d4xgfj.example.net" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 979", + "anomali.threatstream.id": "2465691587", + "anomali.threatstream.import_session_id": "1934", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26893014825/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "639", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "355", + "386", + "461" + ], + "anomali.threatstream.update_id": "3311633654", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -55,40 +75,42 @@ "log.offset": 575, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 979", - "threatintel.anomalithreatstream.id": 2465691587, - "threatintel.anomalithreatstream.import_session_id": 1934, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26893014825/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 639, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "355", - "386", - "461" - ], - "threatintel.anomalithreatstream.update_id": 3311633654, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-08T12:21:59.000Z", - "threatintel.indicator.geo.country_iso_code": "RU", - "threatintel.indicator.geo.location.lat": -51.2, - "threatintel.indicator.geo.location.lon": -64.7, - "threatintel.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:21:59.000Z", + "threat.indicator.geo.country_iso_code": "RU", + "threat.indicator.geo.location.lat": -51.2, + "threat.indicator.geo.location.lon": -64.7, + "threat.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894", + "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 24, + "anomali.threatstream.detail2": "imported by user 830", + "anomali.threatstream.id": "1886961414", + "anomali.threatstream.import_session_id": "3569", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16938191113/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2564", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "740", + "954" + ], + "anomali.threatstream.update_id": "1860329541", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -100,40 +122,45 @@ "log.offset": 1163, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 24, - "threatintel.anomalithreatstream.detail2": "imported by user 830", - "threatintel.anomalithreatstream.id": 1886961414, - "threatintel.anomalithreatstream.import_session_id": 3569, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16938191113/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2564, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "740", - "954" - ], - "threatintel.anomalithreatstream.update_id": 1860329541, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 22773, - "threatintel.indicator.as.organization.name": "Cox Communications", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-08T12:22:11.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": 38.4, - "threatintel.indicator.geo.location.lon": 0.0, - "threatintel.indicator.ip": "192.0.2.8", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 22773, + "threat.indicator.as.organization.name": "Cox Communications", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-08T12:22:11.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": 38.4, + "threat.indicator.geo.location.lon": 0.0, + "threat.indicator.ip": "192.0.2.8", + "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 723", + "anomali.threatstream.id": "1785659799", + "anomali.threatstream.import_session_id": "244", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.md5": "6466e2", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44706407813/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "3759", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "439", + "801", + "942" + ], + "anomali.threatstream.update_id": "3898969521", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -145,36 +172,38 @@ "log.offset": 1720, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 723", - "threatintel.anomalithreatstream.id": 1785659799, - "threatintel.anomalithreatstream.import_session_id": 244, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.md5": "6466e2", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44706407813/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 3759, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "439", - "801", - "942" - ], - "threatintel.anomalithreatstream.update_id": 3898969521, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-08T12:22:16.000Z", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:22:16.000Z", + "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 61, + "anomali.threatstream.detail2": "imported by user 16", + "anomali.threatstream.id": "2788278724", + "anomali.threatstream.import_session_id": "3146", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39996084337/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1834", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "310", + "553", + "709" + ], + "anomali.threatstream.update_id": "1925356831", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -186,41 +215,43 @@ "log.offset": 2195, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 61, - "threatintel.anomalithreatstream.detail2": "imported by user 16", - "threatintel.anomalithreatstream.id": 2788278724, - "threatintel.anomalithreatstream.import_session_id": 3146, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39996084337/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1834, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "310", - "553", - "709" - ], - "threatintel.anomalithreatstream.update_id": 1925356831, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 20001, - "threatintel.indicator.as.organization.name": "Spectrum", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-08T12:28:50.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": -64.8, - "threatintel.indicator.geo.location.lon": -129.3, - "threatintel.indicator.ip": "192.0.2.235", - "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 20001, + "threat.indicator.as.organization.name": "Spectrum", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:28:50.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": -64.8, + "threat.indicator.geo.location.lon": -129.3, + "threat.indicator.ip": "192.0.2.235", + "threat.indicator.last_seen": "2020-10-09T18:49:37.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 31, + "anomali.threatstream.detail2": "imported by user 659", + "anomali.threatstream.id": "2979716207", + "anomali.threatstream.import_session_id": "2369", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24601068254/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2122", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "297", + "811" + ], + "anomali.threatstream.update_id": "1327494837", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -232,40 +263,44 @@ "log.offset": 2757, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 31, - "threatintel.anomalithreatstream.detail2": "imported by user 659", - "threatintel.anomalithreatstream.id": 2979716207, - "threatintel.anomalithreatstream.import_session_id": 2369, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24601068254/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2122, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "297", - "811" - ], - "threatintel.anomalithreatstream.update_id": 1327494837, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 11351, - "threatintel.indicator.as.organization.name": "Spectrum", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-08T12:29:01.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": 72.1, - "threatintel.indicator.geo.location.lon": -52.2, - "threatintel.indicator.ip": "2001:db8:df14:f43b:a986:5e2a:8ce9:4523", - "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 11351, + "threat.indicator.as.organization.name": "Spectrum", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:29:01.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": 72.1, + "threat.indicator.geo.location.lon": -52.2, + "threat.indicator.ip": "2001:db8:df14:f43b:a986:5e2a:8ce9:4523", + "threat.indicator.last_seen": "2020-10-09T18:49:37.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 72, + "anomali.threatstream.detail2": "imported by user 50", + "anomali.threatstream.id": "3763825895", + "anomali.threatstream.itype": "c2_domain", + "anomali.threatstream.maltype": "malware:r47agu9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P49850231022/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "967", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "238", + "259", + "537" + ], + "anomali.threatstream.update_id": "1356750652", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -281,6 +316,7 @@ "Botnet-1QZ2U", "Botnet-VXPC5QK8T", "first_seen=2020-07-24T07:36:41", + "forwarded", "mask=2001:db8:867f:42a1:d692:b396:4f14:548c", "popularity=high", "popularity=high", @@ -288,35 +324,37 @@ "threatintel-anomalithreatstream", "type=2" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 72, - "threatintel.anomalithreatstream.detail2": "imported by user 50", - "threatintel.anomalithreatstream.id": 3763825895, - "threatintel.anomalithreatstream.itype": "c2_domain", - "threatintel.anomalithreatstream.maltype": "malware:r47agu9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P49850231022/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 967, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "238", - "259", - "537" - ], - "threatintel.anomalithreatstream.update_id": 1356750652, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:14:43.000Z", - "threatintel.indicator.ip": "203.0.113.130", - "threatintel.indicator.last_seen": "2020-10-09T18:14:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:14:43.000Z", + "threat.indicator.ip": "203.0.113.130", + "threat.indicator.last_seen": "2020-10-09T18:14:43.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ei1im6skd.example.com" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ei1im6skd.example.com" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 60, + "anomali.threatstream.detail2": "imported by user 167", + "anomali.threatstream.id": "3178646499", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.md5": "0f321db9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35792781031/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1743", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "112", + "455", + "761" + ], + "anomali.threatstream.update_id": "1585930018", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -328,35 +366,37 @@ "log.offset": 4049, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 60, - "threatintel.anomalithreatstream.detail2": "imported by user 167", - "threatintel.anomalithreatstream.id": 3178646499, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.md5": "0f321db9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35792781031/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1743, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "112", - "455", - "761" - ], - "threatintel.anomalithreatstream.update_id": 1585930018, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:30:10.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:10.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:10.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:10.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 654", + "anomali.threatstream.id": "2435568409", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:9rb9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41264495308/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3940", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "633", + "641" + ], + "anomali.threatstream.update_id": "2070423140", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -368,43 +408,46 @@ "log.offset": 4495, "service.type": "threatintel", "tags": [ + "forwarded", "jn5jpvg", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 654", - "threatintel.anomalithreatstream.id": 2435568409, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:9rb9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41264495308/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3940, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "633", - "641" - ], - "threatintel.anomalithreatstream.update_id": 2070423140, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.236", - "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.236", + "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ax1a6o38z.example.org", - "threatintel.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", - "threatintel.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", - "threatintel.indicator.url.path": "/enec3i/f1n8fv", - "threatintel.indicator.url.query": "4shpqq9=fbo9osx8p", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ax1a6o38z.example.org", + "threat.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", + "threat.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", + "threat.indicator.url.path": "/enec3i/f1n8fv", + "threat.indicator.url.query": "4shpqq9=fbo9osx8p", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 35, + "anomali.threatstream.detail2": "imported by user 81", + "anomali.threatstream.id": "1404936664", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": "malware:4p1lc0bf", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P22799247040/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2236", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "424", + "718" + ], + "anomali.threatstream.update_id": "2151391711", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -417,43 +460,46 @@ "service.type": "threatintel", "tags": [ "7zhsn5t7", + "forwarded", "threatintel-anomalithreatstream", "xl4" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 35, - "threatintel.anomalithreatstream.detail2": "imported by user 81", - "threatintel.anomalithreatstream.id": 1404936664, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:4p1lc0bf", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P22799247040/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2236, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "424", - "718" - ], - "threatintel.anomalithreatstream.update_id": 2151391711, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.geo.country_iso_code": "CN", - "threatintel.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d", - "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.geo.country_iso_code": "CN", + "threat.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d", + "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "beko3.example.com", - "threatintel.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", - "threatintel.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", - "threatintel.indicator.url.path": "/vkelnz/jdz6zf-ga", - "threatintel.indicator.url.query": "g39fu=88309ge", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "beko3.example.com", + "threat.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", + "threat.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", + "threat.indicator.url.path": "/vkelnz/jdz6zf-ga", + "threat.indicator.url.query": "g39fu=88309ge", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 7, + "anomali.threatstream.detail2": "imported by user 993", + "anomali.threatstream.id": "1300368058", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:s7-t", + "anomali.threatstream.md5": "b91c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43593676062/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1581", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "812" + ], + "anomali.threatstream.update_id": "1852221746", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -467,34 +513,39 @@ "tags": [ "aampq5", "d6-", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 7, - "threatintel.anomalithreatstream.detail2": "imported by user 993", - "threatintel.anomalithreatstream.id": 1300368058, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:s7-t", - "threatintel.anomalithreatstream.md5": "b91c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43593676062/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1581, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "812" - ], - "threatintel.anomalithreatstream.update_id": 1852221746, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:30:22.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:30:22.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 63, + "anomali.threatstream.detail2": "imported by user 963", + "anomali.threatstream.id": "1511736215", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:0vnvp84", + "anomali.threatstream.md5": "3c49c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47666251160/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1695", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "29", + "537", + "879" + ], + "anomali.threatstream.update_id": "3048270616", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -507,36 +558,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 63, - "threatintel.anomalithreatstream.detail2": "imported by user 963", - "threatintel.anomalithreatstream.id": 1511736215, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:0vnvp84", - "threatintel.anomalithreatstream.md5": "3c49c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47666251160/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1695, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "29", - "537", - "879" - ], - "threatintel.anomalithreatstream.update_id": 3048270616, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:30:23.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:23.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:23.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:23.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 95, + "anomali.threatstream.detail2": "imported by user 302", + "anomali.threatstream.id": "2213035853", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:25iv", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11608678465/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "787", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "154", + "766" + ], + "anomali.threatstream.update_id": "2851232102", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -549,42 +601,46 @@ "service.type": "threatintel", "tags": [ "22nciqjs", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 95, - "threatintel.anomalithreatstream.detail2": "imported by user 302", - "threatintel.anomalithreatstream.id": 2213035853, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:25iv", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11608678465/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 787, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "154", - "766" - ], - "threatintel.anomalithreatstream.update_id": 2851232102, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 10, - "threatintel.indicator.first_seen": "2020-10-09T18:30:30.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.162", - "threatintel.indicator.last_seen": "2020-10-09T18:30:30.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:30:30.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.162", + "threat.indicator.last_seen": "2020-10-09T18:30:30.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "sevs82.example.com", - "threatintel.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", - "threatintel.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", - "threatintel.indicator.url.path": "/c5-d/hdajog", - "threatintel.indicator.url.query": "4rs78hl=wvwi", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "sevs82.example.com", + "threat.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", + "threat.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", + "threat.indicator.url.path": "/c5-d/hdajog", + "threat.indicator.url.query": "4rs78hl=wvwi", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 18, + "anomali.threatstream.detail2": "imported by user 548", + "anomali.threatstream.id": "2594216423", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:i6z9qr", + "anomali.threatstream.md5": "e29608b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P32471582403/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1475", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "539", + "6" + ], + "anomali.threatstream.update_id": "2328838402", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -597,36 +653,38 @@ "service.type": "threatintel", "tags": [ "26sg-3-", + "forwarded", "threatintel-anomalithreatstream", "vnx4nu7c" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 18, - "threatintel.anomalithreatstream.detail2": "imported by user 548", - "threatintel.anomalithreatstream.id": 2594216423, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:i6z9qr", - "threatintel.anomalithreatstream.md5": "e29608b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P32471582403/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1475, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "539", - "6" - ], - "threatintel.anomalithreatstream.update_id": 2328838402, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:30:37.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:30:37.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:37.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 54, + "anomali.threatstream.detail2": "imported by user 438", + "anomali.threatstream.id": "1133111133", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:4rs9qpc1", + "anomali.threatstream.md5": "c38d2e6d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20539380512/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3600", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "762" + ], + "anomali.threatstream.update_id": "1784507596", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -639,34 +697,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 54, - "threatintel.anomalithreatstream.detail2": "imported by user 438", - "threatintel.anomalithreatstream.id": 1133111133, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:4rs9qpc1", - "threatintel.anomalithreatstream.md5": "c38d2e6d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20539380512/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3600, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "762" - ], - "threatintel.anomalithreatstream.update_id": 1784507596, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:30:40.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:40.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:40.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:40.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 78, + "anomali.threatstream.detail2": "imported by user 690", + "anomali.threatstream.id": "2543010039", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:ghdl7nwwq", + "anomali.threatstream.md5": "67808c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16167095005/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "926", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "751" + ], + "anomali.threatstream.update_id": "2343991526", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -679,35 +740,40 @@ "service.type": "threatintel", "tags": [ "8ahl", + "forwarded", "ica", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 78, - "threatintel.anomalithreatstream.detail2": "imported by user 690", - "threatintel.anomalithreatstream.id": 2543010039, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:ghdl7nwwq", - "threatintel.anomalithreatstream.md5": "67808c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16167095005/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 926, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "751" - ], - "threatintel.anomalithreatstream.update_id": 2343991526, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:30:45.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:30:45.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:45.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 0, + "anomali.threatstream.detail2": "imported by user 517", + "anomali.threatstream.id": "3233930917", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:m5pk44o", + "anomali.threatstream.md5": "efa99", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15758111412/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2010", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "390", + "519", + "909" + ], + "anomali.threatstream.update_id": "3008175946", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -719,38 +785,41 @@ "log.offset": 8774, "service.type": "threatintel", "tags": [ + "forwarded", "gyu-", "iop", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 0, - "threatintel.anomalithreatstream.detail2": "imported by user 517", - "threatintel.anomalithreatstream.id": 3233930917, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:m5pk44o", - "threatintel.anomalithreatstream.md5": "efa99", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15758111412/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2010, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "390", - "519", - "909" - ], - "threatintel.anomalithreatstream.update_id": 3008175946, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:30:54.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:30:54.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:54.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 303", + "anomali.threatstream.id": "1777540600", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:-fesxy", + "anomali.threatstream.md5": "e8c1", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13990676648/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3201", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "109", + "621", + "718" + ], + "anomali.threatstream.update_id": "2404949482", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -763,36 +832,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 303", - "threatintel.anomalithreatstream.id": 1777540600, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-fesxy", - "threatintel.anomalithreatstream.md5": "e8c1", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13990676648/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3201, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "109", - "621", - "718" - ], - "threatintel.anomalithreatstream.update_id": 2404949482, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:30:59.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:59.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:59.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:59.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 219", + "anomali.threatstream.id": "2796250594", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:c1b7kt7", + "anomali.threatstream.md5": "be24", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13506696048/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3205", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "559" + ], + "anomali.threatstream.update_id": "3529199846", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -805,34 +875,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 219", - "threatintel.anomalithreatstream.id": 2796250594, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:c1b7kt7", - "threatintel.anomalithreatstream.md5": "be24", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13506696048/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3205, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "559" - ], - "threatintel.anomalithreatstream.update_id": 3529199846, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:31:10.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:10.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:10.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:10.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 762", + "anomali.threatstream.id": "2310429917", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:slwl", + "anomali.threatstream.md5": "a2678fc", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35629727989/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "885", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "190", + "495", + "959" + ], + "anomali.threatstream.update_id": "3510871820", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -845,36 +920,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 762", - "threatintel.anomalithreatstream.id": 2310429917, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:slwl", - "threatintel.anomalithreatstream.md5": "a2678fc", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35629727989/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 885, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "190", - "495", - "959" - ], - "threatintel.anomalithreatstream.update_id": 3510871820, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:31:16.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:16.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:16.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:16.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 11, + "anomali.threatstream.detail2": "imported by user 616", + "anomali.threatstream.id": "2853859039", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:voc", + "anomali.threatstream.md5": "2ee715a9b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39948074871/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "586", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "454", + "562" + ], + "anomali.threatstream.update_id": "3756244435", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -887,35 +964,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 11, - "threatintel.anomalithreatstream.detail2": "imported by user 616", - "threatintel.anomalithreatstream.id": 2853859039, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:voc", - "threatintel.anomalithreatstream.md5": "2ee715a9b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39948074871/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 586, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "454", - "562" - ], - "threatintel.anomalithreatstream.update_id": 3756244435, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:31:22.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:22.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 510", + "anomali.threatstream.id": "2328858169", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:yuq33pg5", + "anomali.threatstream.md5": "e1df8d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30902643017/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "826", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "362", + "846" + ], + "anomali.threatstream.update_id": "1410682100", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -928,39 +1008,41 @@ "service.type": "threatintel", "tags": [ "etukwxhs", + "forwarded", "g0vc9", "gcgm1we6l", "mask=203.0.113.182", "threat=bm-uj8c12", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 510", - "threatintel.anomalithreatstream.id": 2328858169, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yuq33pg5", - "threatintel.anomalithreatstream.md5": "e1df8d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30902643017/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 826, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "362", - "846" - ], - "threatintel.anomalithreatstream.update_id": 1410682100, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:31:27.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:27.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:27.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:27.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 14", + "anomali.threatstream.id": "1145199430", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:qc6c9qt", + "anomali.threatstream.md5": "9006d07f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14842247088/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1793", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "305" + ], + "anomali.threatstream.update_id": "1592676961", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -973,33 +1055,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 14", - "threatintel.anomalithreatstream.id": 1145199430, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:qc6c9qt", - "threatintel.anomalithreatstream.md5": "9006d07f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14842247088/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1793, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "305" - ], - "threatintel.anomalithreatstream.update_id": 1592676961, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.first_seen": "2020-10-09T18:31:29.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:29.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:31:29.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:29.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 2, + "anomali.threatstream.detail2": "imported by user 600", + "anomali.threatstream.id": "1726466938", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:t52oo3", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39735553093/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1965", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "553" + ], + "anomali.threatstream.update_id": "2718905308", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1011,42 +1096,46 @@ "log.offset": 12237, "service.type": "threatintel", "tags": [ + "forwarded", "g1wn0g", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 2, - "threatintel.anomalithreatstream.detail2": "imported by user 600", - "threatintel.anomalithreatstream.id": 1726466938, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:t52oo3", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39735553093/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1965, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "553" - ], - "threatintel.anomalithreatstream.update_id": 2718905308, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:31:34.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.229", - "threatintel.indicator.last_seen": "2020-10-09T18:31:34.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:34.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.229", + "threat.indicator.last_seen": "2020-10-09T18:31:34.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "faahk3drf.example.net", - "threatintel.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", - "threatintel.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", - "threatintel.indicator.url.path": "/julf98x5/0g1t8f", - "threatintel.indicator.url.query": "cbffxs2qv=vwgz", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "faahk3drf.example.net", + "threat.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", + "threat.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", + "threat.indicator.url.path": "/julf98x5/0g1t8f", + "threat.indicator.url.query": "cbffxs2qv=vwgz", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 71, + "anomali.threatstream.detail2": "imported by user 976", + "anomali.threatstream.id": "1457264389", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:nx1qwwprl", + "anomali.threatstream.md5": "f5d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20794801988/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1437", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "866" + ], + "anomali.threatstream.update_id": "2310970191", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1059,35 +1148,40 @@ "service.type": "threatintel", "tags": [ "6rblg", + "forwarded", "pzs4xlqy", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 71, - "threatintel.anomalithreatstream.detail2": "imported by user 976", - "threatintel.anomalithreatstream.id": 1457264389, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:nx1qwwprl", - "threatintel.anomalithreatstream.md5": "f5d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20794801988/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1437, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "866" - ], - "threatintel.anomalithreatstream.update_id": 2310970191, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:31:36.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:36.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:31:36.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:36.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 761", + "anomali.threatstream.id": "3532094043", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:k1y", + "anomali.threatstream.md5": "cfd9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48760414603/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2198", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "68", + "70", + "789" + ], + "anomali.threatstream.update_id": "1487534287", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1100,36 +1194,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 761", - "threatintel.anomalithreatstream.id": 3532094043, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:k1y", - "threatintel.anomalithreatstream.md5": "cfd9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48760414603/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2198, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "68", - "70", - "789" - ], - "threatintel.anomalithreatstream.update_id": 1487534287, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:31:39.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:39.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:31:39.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:39.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 23, + "anomali.threatstream.detail2": "imported by user 680", + "anomali.threatstream.id": "1753194968", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:ixlyb", + "anomali.threatstream.md5": "93daa", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36997562731/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2101", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "15" + ], + "anomali.threatstream.update_id": "1772862647", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1142,35 +1237,38 @@ "service.type": "threatintel", "tags": [ "6rw", + "forwarded", "g80r1d4sj", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 23, - "threatintel.anomalithreatstream.detail2": "imported by user 680", - "threatintel.anomalithreatstream.id": 1753194968, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:ixlyb", - "threatintel.anomalithreatstream.md5": "93daa", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36997562731/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2101, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "15" - ], - "threatintel.anomalithreatstream.update_id": 1772862647, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:31:43.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:43.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:43.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 0, + "anomali.threatstream.detail2": "imported by user 820", + "anomali.threatstream.id": "3285278133", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:1u76t", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45121980169/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1152", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "390", + "7" + ], + "anomali.threatstream.update_id": "2657969647", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1183,36 +1281,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 0, - "threatintel.anomalithreatstream.detail2": "imported by user 820", - "threatintel.anomalithreatstream.id": 3285278133, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:1u76t", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45121980169/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1152, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "390", - "7" - ], - "threatintel.anomalithreatstream.update_id": 2657969647, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.ip": "192.0.2.219", - "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.ip": "192.0.2.219", + "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 45, + "anomali.threatstream.detail2": "imported by user 894", + "anomali.threatstream.id": "2098390184", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:hc-wh", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33231447204/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3354", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "846" + ], + "anomali.threatstream.update_id": "2110937414", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1224,42 +1324,46 @@ "log.offset": 14812, "service.type": "threatintel", "tags": [ + "forwarded", "om0z7", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 45, - "threatintel.anomalithreatstream.detail2": "imported by user 894", - "threatintel.anomalithreatstream.id": 2098390184, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:hc-wh", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33231447204/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3354, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "846" - ], - "threatintel.anomalithreatstream.update_id": 2110937414, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.208", - "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.208", + "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "p9okf0.example.org", - "threatintel.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", - "threatintel.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", - "threatintel.indicator.url.path": "/jyb3n8f/f55vfyt48", - "threatintel.indicator.url.query": "s2n=0t2d", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "p9okf0.example.org", + "threat.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", + "threat.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", + "threat.indicator.url.path": "/jyb3n8f/f55vfyt48", + "threat.indicator.url.query": "s2n=0t2d", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 747", + "anomali.threatstream.id": "3367490507", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:0ua9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34959401147/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "959", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "404", + "574" + ], + "anomali.threatstream.update_id": "2335801340", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1272,42 +1376,47 @@ "service.type": "threatintel", "tags": [ "adeba89", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 747", - "threatintel.anomalithreatstream.id": 3367490507, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:0ua9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34959401147/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 959, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "404", - "574" - ], - "threatintel.anomalithreatstream.update_id": 2335801340, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:31:58.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.105", - "threatintel.indicator.last_seen": "2020-10-09T18:31:58.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:58.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.105", + "threat.indicator.last_seen": "2020-10-09T18:31:58.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "fxkeo24m.example.com", - "threatintel.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", - "threatintel.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", - "threatintel.indicator.url.path": "/y75tg7sw/jnnu9xmc", - "threatintel.indicator.url.query": "apus=ob1hnba4", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "fxkeo24m.example.com", + "threat.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", + "threat.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", + "threat.indicator.url.path": "/y75tg7sw/jnnu9xmc", + "threat.indicator.url.query": "apus=ob1hnba4", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 604", + "anomali.threatstream.id": "1998649659", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:s0anj", + "anomali.threatstream.md5": "b4dd5cf7", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21831217400/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1405", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "422", + "749", + "852" + ], + "anomali.threatstream.update_id": "1339527388", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1320,36 +1429,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 604", - "threatintel.anomalithreatstream.id": 1998649659, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:s0anj", - "threatintel.anomalithreatstream.md5": "b4dd5cf7", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21831217400/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1405, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "422", - "749", - "852" - ], - "threatintel.anomalithreatstream.update_id": 1339527388, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:32:02.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:02.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:32:02.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:02.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 85, + "anomali.threatstream.detail2": "imported by user 386", + "anomali.threatstream.id": "3005939184", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:hn5uajghq", + "anomali.threatstream.md5": "b890cdad", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23229581043/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "652", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "120" + ], + "anomali.threatstream.update_id": "1316735853", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1362,35 +1472,40 @@ "service.type": "threatintel", "tags": [ "a-e8lz", + "forwarded", "nj3f", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 85, - "threatintel.anomalithreatstream.detail2": "imported by user 386", - "threatintel.anomalithreatstream.id": 3005939184, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:hn5uajghq", - "threatintel.anomalithreatstream.md5": "b890cdad", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23229581043/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 652, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "120" - ], - "threatintel.anomalithreatstream.update_id": 1316735853, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:32:03.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:03.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:32:03.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:03.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 31, + "anomali.threatstream.detail2": "imported by user 706", + "anomali.threatstream.id": "1900495748", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:3taf", + "anomali.threatstream.md5": "817", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35660572297/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "506", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "718", + "828", + "98" + ], + "anomali.threatstream.update_id": "3243777736", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1403,36 +1518,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 31, - "threatintel.anomalithreatstream.detail2": "imported by user 706", - "threatintel.anomalithreatstream.id": 1900495748, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:3taf", - "threatintel.anomalithreatstream.md5": "817", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35660572297/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 506, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "718", - "828", - "98" - ], - "threatintel.anomalithreatstream.update_id": 3243777736, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:32:04.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:04.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:04.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:04.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 50, + "anomali.threatstream.detail2": "imported by user 222", + "anomali.threatstream.id": "1040883425", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:wsge", + "anomali.threatstream.md5": "a06b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33297645928/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "146", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "539", + "959" + ], + "anomali.threatstream.update_id": "1284922297", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1445,35 +1562,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 50, - "threatintel.anomalithreatstream.detail2": "imported by user 222", - "threatintel.anomalithreatstream.id": 1040883425, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:wsge", - "threatintel.anomalithreatstream.md5": "a06b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33297645928/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 146, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "539", - "959" - ], - "threatintel.anomalithreatstream.update_id": 1284922297, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:08.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:08.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:08.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:08.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 50, + "anomali.threatstream.detail2": "imported by user 414", + "anomali.threatstream.id": "1703603090", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:yid8n1", + "anomali.threatstream.md5": "ebd6108", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25381157923/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "294", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "124", + "394", + "820" + ], + "anomali.threatstream.update_id": "1405107391", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1486,36 +1607,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 50, - "threatintel.anomalithreatstream.detail2": "imported by user 414", - "threatintel.anomalithreatstream.id": 1703603090, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yid8n1", - "threatintel.anomalithreatstream.md5": "ebd6108", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25381157923/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 294, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "124", - "394", - "820" - ], - "threatintel.anomalithreatstream.update_id": 1405107391, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:11.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:11.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:11.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:11.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 6, + "anomali.threatstream.detail2": "imported by user 872", + "anomali.threatstream.id": "1393798645", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:aeu2f0", + "anomali.threatstream.md5": "5afe0a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34100122259/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1256", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "386", + "980" + ], + "anomali.threatstream.update_id": "2194495180", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1528,35 +1651,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 6, - "threatintel.anomalithreatstream.detail2": "imported by user 872", - "threatintel.anomalithreatstream.id": 1393798645, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:aeu2f0", - "threatintel.anomalithreatstream.md5": "5afe0a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34100122259/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1256, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "386", - "980" - ], - "threatintel.anomalithreatstream.update_id": 2194495180, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:32:19.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:19.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:32:19.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:19.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 46, + "anomali.threatstream.detail2": "imported by user 237", + "anomali.threatstream.id": "3384379889", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:w3rx", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P38445847685/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "773", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "830" + ], + "anomali.threatstream.update_id": "2280522298", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1569,35 +1693,40 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 46, - "threatintel.anomalithreatstream.detail2": "imported by user 237", - "threatintel.anomalithreatstream.id": 3384379889, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:w3rx", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P38445847685/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 773, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "830" - ], - "threatintel.anomalithreatstream.update_id": 2280522298, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:30.000Z", - "threatintel.indicator.geo.country_iso_code": "CN", - "threatintel.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4", - "threatintel.indicator.last_seen": "2020-10-09T18:32:30.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:30.000Z", + "threat.indicator.geo.country_iso_code": "CN", + "threat.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4", + "threat.indicator.last_seen": "2020-10-09T18:32:30.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 60, + "anomali.threatstream.detail2": "imported by user 317", + "anomali.threatstream.id": "1291701932", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:upf65oc8", + "anomali.threatstream.md5": "758a81", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P40886917073/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2980", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "407", + "437" + ], + "anomali.threatstream.update_id": "1128332354", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1610,35 +1739,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 60, - "threatintel.anomalithreatstream.detail2": "imported by user 317", - "threatintel.anomalithreatstream.id": 1291701932, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:upf65oc8", - "threatintel.anomalithreatstream.md5": "758a81", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P40886917073/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2980, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "407", - "437" - ], - "threatintel.anomalithreatstream.update_id": 1128332354, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:32:35.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:35.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:35.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:35.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 352", + "anomali.threatstream.id": "3279148213", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:u0e", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37449871811/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "2315", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "29", + "817", + "831" + ], + "anomali.threatstream.update_id": "2267992225", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1650,43 +1782,47 @@ "log.offset": 19948, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "ziqdk" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 352", - "threatintel.anomalithreatstream.id": 3279148213, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:u0e", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37449871811/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 2315, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "29", - "817", - "831" - ], - "threatintel.anomalithreatstream.update_id": 2267992225, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:33:10.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.16", - "threatintel.indicator.last_seen": "2020-10-09T18:33:10.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:33:10.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.16", + "threat.indicator.last_seen": "2020-10-09T18:33:10.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ke4ffyj5.example.com", - "threatintel.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", - "threatintel.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", - "threatintel.indicator.url.path": "/t-9ikyrtt/ai91", - "threatintel.indicator.url.query": "s6u=3y1", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ke4ffyj5.example.com", + "threat.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", + "threat.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", + "threat.indicator.url.path": "/t-9ikyrtt/ai91", + "threat.indicator.url.query": "s6u=3y1", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 42, + "anomali.threatstream.detail2": "imported by user 768", + "anomali.threatstream.id": "2138145846", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:-shiotjs", + "anomali.threatstream.md5": "c9b4", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24530928152/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "837", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "322", + "410" + ], + "anomali.threatstream.update_id": "3812327380", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1699,35 +1835,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 42, - "threatintel.anomalithreatstream.detail2": "imported by user 768", - "threatintel.anomalithreatstream.id": 2138145846, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-shiotjs", - "threatintel.anomalithreatstream.md5": "c9b4", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24530928152/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 837, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "322", - "410" - ], - "threatintel.anomalithreatstream.update_id": 3812327380, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:33:13.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:13.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:13.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:13.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 25, + "anomali.threatstream.detail2": "imported by user 148", + "anomali.threatstream.id": "1502954738", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:c8f0r5d4", + "anomali.threatstream.md5": "ad0", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43216360516/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3786", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "520", + "695" + ], + "anomali.threatstream.update_id": "2085432040", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1740,35 +1879,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 25, - "threatintel.anomalithreatstream.detail2": "imported by user 148", - "threatintel.anomalithreatstream.id": 1502954738, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:c8f0r5d4", - "threatintel.anomalithreatstream.md5": "ad0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43216360516/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3786, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "520", - "695" - ], - "threatintel.anomalithreatstream.update_id": 2085432040, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 649", + "anomali.threatstream.id": "2730182815", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:2vsd1miq", + "anomali.threatstream.md5": "571957", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23842171060/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2923", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "127" + ], + "anomali.threatstream.update_id": "3768246717", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1781,34 +1922,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 649", - "threatintel.anomalithreatstream.id": 2730182815, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:2vsd1miq", - "threatintel.anomalithreatstream.md5": "571957", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23842171060/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2923, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "127" - ], - "threatintel.anomalithreatstream.update_id": 3768246717, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 132", + "anomali.threatstream.id": "1649793681", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:d1q-sdovn", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13727067406/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1993", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "176", + "715", + "824" + ], + "anomali.threatstream.update_id": "3498000116", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1821,42 +1966,45 @@ "service.type": "threatintel", "tags": [ "73d", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 132", - "threatintel.anomalithreatstream.id": 1649793681, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:d1q-sdovn", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13727067406/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1993, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "176", - "715", - "824" - ], - "threatintel.anomalithreatstream.update_id": 3498000116, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:33:22.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.154", - "threatintel.indicator.last_seen": "2020-10-09T18:33:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:33:22.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.154", + "threat.indicator.last_seen": "2020-10-09T18:33:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "rl27d.example.net", - "threatintel.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", - "threatintel.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", - "threatintel.indicator.url.path": "/ko6/4rtt", - "threatintel.indicator.url.query": "b12=o4mgzz2kk", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "rl27d.example.net", + "threat.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", + "threat.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", + "threat.indicator.url.path": "/ko6/4rtt", + "threat.indicator.url.query": "b12=o4mgzz2kk", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 48, + "anomali.threatstream.detail2": "imported by user 137", + "anomali.threatstream.id": "2195098028", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:886x", + "anomali.threatstream.md5": "7f4", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39956518309/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1936", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "469" + ], + "anomali.threatstream.update_id": "1238197737", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1869,35 +2017,38 @@ "service.type": "threatintel", "tags": [ "e3mm2h", + "forwarded", "knjq-wt", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 48, - "threatintel.anomalithreatstream.detail2": "imported by user 137", - "threatintel.anomalithreatstream.id": 2195098028, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:886x", - "threatintel.anomalithreatstream.md5": "7f4", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39956518309/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1936, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "469" - ], - "threatintel.anomalithreatstream.update_id": 1238197737, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:33:24.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:24.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:24.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:24.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 62, + "anomali.threatstream.detail2": "imported by user 76", + "anomali.threatstream.id": "2273277634", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:eem8vy0", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28216636081/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2583", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "143", + "22" + ], + "anomali.threatstream.update_id": "3547953290", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1909,43 +2060,45 @@ "log.offset": 23077, "service.type": "threatintel", "tags": [ + "forwarded", "rb2my5u7", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 62, - "threatintel.anomalithreatstream.detail2": "imported by user 76", - "threatintel.anomalithreatstream.id": 2273277634, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:eem8vy0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28216636081/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2583, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "143", - "22" - ], - "threatintel.anomalithreatstream.update_id": 3547953290, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:33:26.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.228", - "threatintel.indicator.last_seen": "2020-10-09T18:33:26.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:26.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.228", + "threat.indicator.last_seen": "2020-10-09T18:33:26.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "6ygk0y.example.com", - "threatintel.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", - "threatintel.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", - "threatintel.indicator.url.path": "/t520/4twe", - "threatintel.indicator.url.query": "ql4bhkpop=yfpkef", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "6ygk0y.example.com", + "threat.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", + "threat.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", + "threat.indicator.url.path": "/t520/4twe", + "threat.indicator.url.query": "ql4bhkpop=yfpkef", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 47, + "anomali.threatstream.detail2": "imported by user 304", + "anomali.threatstream.id": "1593951372", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:lrfqa", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P18416887501/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1922", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "281" + ], + "anomali.threatstream.update_id": "3726618139", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -1958,41 +2111,47 @@ "service.type": "threatintel", "tags": [ "3jujb6j", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 47, - "threatintel.anomalithreatstream.detail2": "imported by user 304", - "threatintel.anomalithreatstream.id": 1593951372, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:lrfqa", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P18416887501/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1922, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "281" - ], - "threatintel.anomalithreatstream.update_id": 3726618139, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:33:27.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.38", - "threatintel.indicator.last_seen": "2020-10-09T18:33:27.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:27.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.38", + "threat.indicator.last_seen": "2020-10-09T18:33:27.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "rcsr9o.example.net", - "threatintel.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", - "threatintel.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", - "threatintel.indicator.url.path": "/e6f/08b", - "threatintel.indicator.url.query": "8d2y=d-42fr-", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "rcsr9o.example.net", + "threat.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", + "threat.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", + "threat.indicator.url.path": "/e6f/08b", + "threat.indicator.url.query": "8d2y=d-42fr-", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 578", + "anomali.threatstream.id": "2881597176", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:wpo", + "anomali.threatstream.md5": "89a0a684", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37162617510/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1312", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "450", + "588", + "873" + ], + "anomali.threatstream.update_id": "2444963851", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2006,35 +2165,39 @@ "tags": [ "2uu9b", "f7ciq9", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 578", - "threatintel.anomalithreatstream.id": 2881597176, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:wpo", - "threatintel.anomalithreatstream.md5": "89a0a684", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37162617510/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1312, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "450", - "588", - "873" - ], - "threatintel.anomalithreatstream.update_id": 2444963851, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.first_seen": "2020-10-09T18:33:29.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:29.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:33:29.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:29.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 347", + "anomali.threatstream.id": "1789877636", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:f7l", + "anomali.threatstream.md5": "a41f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15884312830/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1250", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "299", + "501", + "551" + ], + "anomali.threatstream.update_id": "3210446946", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2047,36 +2210,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 347", - "threatintel.anomalithreatstream.id": 1789877636, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:f7l", - "threatintel.anomalithreatstream.md5": "a41f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15884312830/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1250, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "299", - "501", - "551" - ], - "threatintel.anomalithreatstream.update_id": 3210446946, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:33:43.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:43.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:43.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 182", + "anomali.threatstream.id": "1300434967", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:5kjd", + "anomali.threatstream.md5": "d0f5f32", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44427200974/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1603", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "122", + "460", + "615" + ], + "anomali.threatstream.update_id": "2994196701", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2089,37 +2255,38 @@ "service.type": "threatintel", "tags": [ "f5c6pl", + "forwarded", "kpjt", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 182", - "threatintel.anomalithreatstream.id": 1300434967, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:5kjd", - "threatintel.anomalithreatstream.md5": "d0f5f32", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44427200974/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1603, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "122", - "460", - "615" - ], - "threatintel.anomalithreatstream.update_id": 2994196701, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 79, + "anomali.threatstream.detail2": "imported by user 976", + "anomali.threatstream.id": "2448066635", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:7x9cgytj", + "anomali.threatstream.md5": "4f984375b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15169037907/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "814", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "804" + ], + "anomali.threatstream.update_id": "2396481494", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2132,34 +2299,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 79, - "threatintel.anomalithreatstream.detail2": "imported by user 976", - "threatintel.anomalithreatstream.id": 2448066635, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:7x9cgytj", - "threatintel.anomalithreatstream.md5": "4f984375b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15169037907/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 814, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "804" - ], - "threatintel.anomalithreatstream.update_id": 2396481494, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 408", + "anomali.threatstream.id": "1693329110", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:1l5tib0", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46598563676/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3431", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "301", + "374" + ], + "anomali.threatstream.update_id": "1425004305", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2172,42 +2342,47 @@ "service.type": "threatintel", "tags": [ "5w8i", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 408", - "threatintel.anomalithreatstream.id": 1693329110, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:1l5tib0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46598563676/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3431, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "301", - "374" - ], - "threatintel.anomalithreatstream.update_id": 1425004305, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:33:48.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.115", - "threatintel.indicator.last_seen": "2020-10-09T18:33:48.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:33:48.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.115", + "threat.indicator.last_seen": "2020-10-09T18:33:48.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cc7d.example.com", - "threatintel.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", - "threatintel.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", - "threatintel.indicator.url.path": "/kxxwobg/hd6omn", - "threatintel.indicator.url.query": "tr8=essb", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cc7d.example.com", + "threat.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", + "threat.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", + "threat.indicator.url.path": "/kxxwobg/hd6omn", + "threat.indicator.url.query": "tr8=essb", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 35, + "anomali.threatstream.detail2": "imported by user 843", + "anomali.threatstream.id": "1522150430", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:8-8a", + "anomali.threatstream.md5": "9c67037e6", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28645937174/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2342", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "27", + "396", + "989" + ], + "anomali.threatstream.update_id": "3573181354", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2220,36 +2395,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 35, - "threatintel.anomalithreatstream.detail2": "imported by user 843", - "threatintel.anomalithreatstream.id": 1522150430, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:8-8a", - "threatintel.anomalithreatstream.md5": "9c67037e6", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28645937174/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2342, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "27", - "396", - "989" - ], - "threatintel.anomalithreatstream.update_id": 3573181354, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:33:51.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:33:51.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:33:51.000Z", + "threat.indicator.last_seen": "2020-10-09T18:33:51.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 71, + "anomali.threatstream.detail2": "imported by user 831", + "anomali.threatstream.id": "1760436567", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:vy02k4", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14276852864/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "271", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "342", + "504" + ], + "anomali.threatstream.update_id": "1253389383", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2262,36 +2438,38 @@ "service.type": "threatintel", "tags": [ "f3ctz7j", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 71, - "threatintel.anomalithreatstream.detail2": "imported by user 831", - "threatintel.anomalithreatstream.id": 1760436567, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:vy02k4", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14276852864/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 271, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "342", - "504" - ], - "threatintel.anomalithreatstream.update_id": 1253389383, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:33:57.000Z", - "threatintel.indicator.geo.country_iso_code": "VN", - "threatintel.indicator.ip": "192.0.2.61", - "threatintel.indicator.last_seen": "2020-10-09T18:33:57.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:33:57.000Z", + "threat.indicator.geo.country_iso_code": "VN", + "threat.indicator.ip": "192.0.2.61", + "threat.indicator.last_seen": "2020-10-09T18:33:57.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 85, + "anomali.threatstream.detail2": "imported by user 650", + "anomali.threatstream.id": "1925240476", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:2bnikxoma", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15033658538/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1067", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "51" + ], + "anomali.threatstream.update_id": "1098288836", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2304,35 +2482,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 85, - "threatintel.anomalithreatstream.detail2": "imported by user 650", - "threatintel.anomalithreatstream.id": 1925240476, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:2bnikxoma", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15033658538/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1067, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "51" - ], - "threatintel.anomalithreatstream.update_id": 1098288836, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.ip": "192.0.2.233", - "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.ip": "192.0.2.233", + "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 91, + "anomali.threatstream.detail2": "imported by user 489", + "anomali.threatstream.id": "3001806953", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:ak63t", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34696300225/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "782", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "484" + ], + "anomali.threatstream.update_id": "2722308334", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2344,42 +2525,45 @@ "log.offset": 28355, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "v9ycq" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 91, - "threatintel.anomalithreatstream.detail2": "imported by user 489", - "threatintel.anomalithreatstream.id": 3001806953, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:ak63t", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34696300225/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 782, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "484" - ], - "threatintel.anomalithreatstream.update_id": 2722308334, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e", - "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e", + "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "v9aqrp81q.example.net", - "threatintel.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", - "threatintel.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", - "threatintel.indicator.url.path": "/psuj4bs/rvp", - "threatintel.indicator.url.query": "qufy=ymryh", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "v9aqrp81q.example.net", + "threat.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", + "threat.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", + "threat.indicator.url.path": "/psuj4bs/rvp", + "threat.indicator.url.query": "qufy=ymryh", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 453", + "anomali.threatstream.id": "3933431319", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:ejrypgr", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46019487828/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1904", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "444" + ], + "anomali.threatstream.update_id": "3520784497", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2392,34 +2576,40 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 453", - "threatintel.anomalithreatstream.id": 3933431319, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:ejrypgr", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46019487828/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1904, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "444" - ], - "threatintel.anomalithreatstream.update_id": 3520784497, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.geo.country_iso_code": "IN", - "threatintel.indicator.ip": "192.0.2.234", - "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.geo.country_iso_code": "IN", + "threat.indicator.ip": "192.0.2.234", + "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 95, + "anomali.threatstream.detail2": "imported by user 722", + "anomali.threatstream.id": "1356788940", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:q4a", + "anomali.threatstream.md5": "a4fa", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30118085912/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3698", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "743", + "936" + ], + "anomali.threatstream.update_id": "3707298072", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2431,37 +2621,41 @@ "log.offset": 29493, "service.type": "threatintel", "tags": [ + "forwarded", "qxwn7lw", "threatintel-anomalithreatstream", "xva1ki" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 95, - "threatintel.anomalithreatstream.detail2": "imported by user 722", - "threatintel.anomalithreatstream.id": 1356788940, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:q4a", - "threatintel.anomalithreatstream.md5": "a4fa", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30118085912/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3698, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "743", - "936" - ], - "threatintel.anomalithreatstream.update_id": 3707298072, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 10, - "threatintel.indicator.first_seen": "2020-10-09T18:34:02.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:02.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:02.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:02.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 6, + "anomali.threatstream.detail2": "imported by user 236", + "anomali.threatstream.id": "3804309005", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:2sclqws1s", + "anomali.threatstream.md5": "5e11299", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14689465586/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "342", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "50", + "642", + "948" + ], + "anomali.threatstream.update_id": "3749914856", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2473,38 +2667,39 @@ "log.offset": 29986, "service.type": "threatintel", "tags": [ + "forwarded", "r81f4", "threatintel-anomalithreatstream", "wwsw" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 6, - "threatintel.anomalithreatstream.detail2": "imported by user 236", - "threatintel.anomalithreatstream.id": 3804309005, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:2sclqws1s", - "threatintel.anomalithreatstream.md5": "5e11299", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14689465586/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 342, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "50", - "642", - "948" - ], - "threatintel.anomalithreatstream.update_id": 3749914856, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:34:05.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:05.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:05.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:05.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 488", + "anomali.threatstream.id": "1022859708", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:9cfecc", + "anomali.threatstream.md5": "22315f8", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33092174596/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2811", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "1" + ], + "anomali.threatstream.update_id": "1637146862", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2517,34 +2712,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 488", - "threatintel.anomalithreatstream.id": 1022859708, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:9cfecc", - "threatintel.anomalithreatstream.md5": "22315f8", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33092174596/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2811, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "1" - ], - "threatintel.anomalithreatstream.update_id": 1637146862, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:11.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:11.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:11.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:11.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 54, + "anomali.threatstream.detail2": "imported by user 310", + "anomali.threatstream.id": "1581368214", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:r7vbej", + "anomali.threatstream.md5": "d4a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28408487114/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1371", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "810", + "910" + ], + "anomali.threatstream.update_id": "1671617316", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2557,35 +2756,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 54, - "threatintel.anomalithreatstream.detail2": "imported by user 310", - "threatintel.anomalithreatstream.id": 1581368214, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:r7vbej", - "threatintel.anomalithreatstream.md5": "d4a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28408487114/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1371, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "810", - "910" - ], - "threatintel.anomalithreatstream.update_id": 1671617316, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:34:12.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:12.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:34:12.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:12.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 376", + "anomali.threatstream.id": "3576055846", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:0qqrz", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P27429039546/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1808", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "660" + ], + "anomali.threatstream.update_id": "2477226249", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2597,41 +2797,48 @@ "log.offset": 31451, "service.type": "threatintel", "tags": [ + "forwarded", "gry2doqf", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 376", - "threatintel.anomalithreatstream.id": 3576055846, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:0qqrz", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P27429039546/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1808, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "660" - ], - "threatintel.anomalithreatstream.update_id": 2477226249, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:34:17.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.83", - "threatintel.indicator.last_seen": "2020-10-09T18:34:17.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:17.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.83", + "threat.indicator.last_seen": "2020-10-09T18:34:17.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "o4kqv8b8.example.net", - "threatintel.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp", - "threatintel.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp", - "threatintel.indicator.url.path": "/gm4d-9gt/v2iqt", - "threatintel.indicator.url.query": "x65ry67ao=skta9rp", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "o4kqv8b8.example.net", + "threat.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp", + "threat.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp", + "threat.indicator.url.path": "/gm4d-9gt/v2iqt", + "threat.indicator.url.query": "x65ry67ao=skta9rp", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 89, + "anomali.threatstream.detail2": "imported by user 748", + "anomali.threatstream.id": "1315247197", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:r38g5hbgx", + "anomali.threatstream.md5": "3eac", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15092591036/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "206", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "19", + "6", + "954" + ], + "anomali.threatstream.update_id": "1760504719", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2644,37 +2851,39 @@ "service.type": "threatintel", "tags": [ "1l9tule2", + "forwarded", "k6p", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 89, - "threatintel.anomalithreatstream.detail2": "imported by user 748", - "threatintel.anomalithreatstream.id": 1315247197, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:r38g5hbgx", - "threatintel.anomalithreatstream.md5": "3eac", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15092591036/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 206, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "19", - "6", - "954" - ], - "threatintel.anomalithreatstream.update_id": 1760504719, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 25, + "anomali.threatstream.detail2": "imported by user 380", + "anomali.threatstream.id": "1562423716", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:882dlx", + "anomali.threatstream.md5": "59893613", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35184012550/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3446", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "392", + "581" + ], + "anomali.threatstream.update_id": "2530088908", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2687,36 +2896,40 @@ "service.type": "threatintel", "tags": [ "d9qquxe", + "forwarded", "threatintel-anomalithreatstream", "ulx" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 25, - "threatintel.anomalithreatstream.detail2": "imported by user 380", - "threatintel.anomalithreatstream.id": 1562423716, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:882dlx", - "threatintel.anomalithreatstream.md5": "59893613", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35184012550/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3446, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "392", - "581" - ], - "threatintel.anomalithreatstream.update_id": 2530088908, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 4, + "anomali.threatstream.detail2": "imported by user 423", + "anomali.threatstream.id": "1470897088", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:rwo6s", + "anomali.threatstream.md5": "5facf1f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10368659748/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "599", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "591", + "663", + "848" + ], + "anomali.threatstream.update_id": "1937893007", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2728,38 +2941,39 @@ "log.offset": 33043, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "wsu7l1", "zrb" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 4, - "threatintel.anomalithreatstream.detail2": "imported by user 423", - "threatintel.anomalithreatstream.id": 1470897088, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:rwo6s", - "threatintel.anomalithreatstream.md5": "5facf1f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10368659748/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 599, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "591", - "663", - "848" - ], - "threatintel.anomalithreatstream.update_id": 1937893007, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 9, + "anomali.threatstream.detail2": "imported by user 983", + "anomali.threatstream.id": "1205553827", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:-pbnrmv", + "anomali.threatstream.md5": "708b2c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41514908414/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3751", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "299" + ], + "anomali.threatstream.update_id": "3858315866", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2772,34 +2986,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 9, - "threatintel.anomalithreatstream.detail2": "imported by user 983", - "threatintel.anomalithreatstream.id": 1205553827, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-pbnrmv", - "threatintel.anomalithreatstream.md5": "708b2c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41514908414/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3751, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "299" - ], - "threatintel.anomalithreatstream.update_id": 3858315866, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 314", + "anomali.threatstream.id": "1744295971", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:uqw", + "anomali.threatstream.md5": "0df", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36955243007/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2305", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "556" + ], + "anomali.threatstream.update_id": "2655715062", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2812,33 +3029,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 314", - "threatintel.anomalithreatstream.id": 1744295971, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:uqw", - "threatintel.anomalithreatstream.md5": "0df", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36955243007/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2305, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "556" - ], - "threatintel.anomalithreatstream.update_id": 2655715062, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.first_seen": "2020-10-09T18:34:39.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:39.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:39.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:39.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 45, + "anomali.threatstream.detail2": "imported by user 986", + "anomali.threatstream.id": "1782793990", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:mkctzuaaf", + "anomali.threatstream.md5": "770", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41751433270/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3513", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "445" + ], + "anomali.threatstream.update_id": "2172945223", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2850,36 +3071,38 @@ "log.offset": 34489, "service.type": "threatintel", "tags": [ + "forwarded", "ps2", "qr2wno4", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 45, - "threatintel.anomalithreatstream.detail2": "imported by user 986", - "threatintel.anomalithreatstream.id": 1782793990, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:mkctzuaaf", - "threatintel.anomalithreatstream.md5": "770", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41751433270/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3513, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "445" - ], - "threatintel.anomalithreatstream.update_id": 2172945223, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:34:40.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:40.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:34:40.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:40.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 98, + "anomali.threatstream.detail2": "imported by user 615", + "anomali.threatstream.id": "1130190904", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:3zu2d2", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13755730530/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1192", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "88" + ], + "anomali.threatstream.update_id": "1575621349", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2892,35 +3115,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 98, - "threatintel.anomalithreatstream.detail2": "imported by user 615", - "threatintel.anomalithreatstream.id": 1130190904, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:3zu2d2", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13755730530/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1192, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "88" - ], - "threatintel.anomalithreatstream.update_id": 1575621349, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 10, - "threatintel.indicator.first_seen": "2020-10-09T18:34:41.000Z", - "threatintel.indicator.geo.country_iso_code": "VN", - "threatintel.indicator.ip": "192.0.2.88", - "threatintel.indicator.last_seen": "2020-10-09T18:34:41.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:41.000Z", + "threat.indicator.geo.country_iso_code": "VN", + "threat.indicator.ip": "192.0.2.88", + "threat.indicator.last_seen": "2020-10-09T18:34:41.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 17, + "anomali.threatstream.detail2": "imported by user 202", + "anomali.threatstream.id": "2499059829", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:86-jrf6o", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43937262060/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "852", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "308", + "949" + ], + "anomali.threatstream.update_id": "2450069481", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2933,42 +3160,45 @@ "service.type": "threatintel", "tags": [ "ao6", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 17, - "threatintel.anomalithreatstream.detail2": "imported by user 202", - "threatintel.anomalithreatstream.id": 2499059829, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:86-jrf6o", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43937262060/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 852, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "308", - "949" - ], - "threatintel.anomalithreatstream.update_id": 2450069481, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:43.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.111", - "threatintel.indicator.last_seen": "2020-10-09T18:34:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:43.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.111", + "threat.indicator.last_seen": "2020-10-09T18:34:43.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "91p0p.example.com", - "threatintel.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", - "threatintel.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", - "threatintel.indicator.url.path": "/easx3j6iy/xvnchuoa", - "threatintel.indicator.url.query": "dvkljl=h21", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "91p0p.example.com", + "threat.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", + "threat.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", + "threat.indicator.url.path": "/easx3j6iy/xvnchuoa", + "threat.indicator.url.query": "dvkljl=h21", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 67, + "anomali.threatstream.detail2": "imported by user 421", + "anomali.threatstream.id": "2799251412", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:91o2", + "anomali.threatstream.md5": "f9edba87a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P31632809876/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3756", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "776" + ], + "anomali.threatstream.update_id": "3951093865", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -2981,34 +3211,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 67, - "threatintel.anomalithreatstream.detail2": "imported by user 421", - "threatintel.anomalithreatstream.id": 2799251412, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:91o2", - "threatintel.anomalithreatstream.md5": "f9edba87a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P31632809876/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3756, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "776" - ], - "threatintel.anomalithreatstream.update_id": 3951093865, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:34:48.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:48.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:34:48.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:48.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 22, + "anomali.threatstream.detail2": "imported by user 807", + "anomali.threatstream.id": "3711409360", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:yakt8pe9r", + "anomali.threatstream.md5": "c3b497", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37263483140/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3903", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "35" + ], + "anomali.threatstream.update_id": "3046847198", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3021,34 +3254,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 22, - "threatintel.anomalithreatstream.detail2": "imported by user 807", - "threatintel.anomalithreatstream.id": 3711409360, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yakt8pe9r", - "threatintel.anomalithreatstream.md5": "c3b497", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37263483140/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3903, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "35" - ], - "threatintel.anomalithreatstream.update_id": 3046847198, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 20, + "anomali.threatstream.detail2": "imported by user 298", + "anomali.threatstream.id": "3346530445", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:jfje", + "anomali.threatstream.md5": "ec57713c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10248765051/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1239", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "196", + "775" + ], + "anomali.threatstream.update_id": "2946803375", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3061,35 +3298,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 20, - "threatintel.anomalithreatstream.detail2": "imported by user 298", - "threatintel.anomalithreatstream.id": 3346530445, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:jfje", - "threatintel.anomalithreatstream.md5": "ec57713c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10248765051/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1239, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "196", - "775" - ], - "threatintel.anomalithreatstream.update_id": 2946803375, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 345", + "anomali.threatstream.id": "2804727563", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:c7e", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11093591971/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2617", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "131", + "793" + ], + "anomali.threatstream.update_id": "1687817836", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3102,41 +3341,45 @@ "service.type": "threatintel", "tags": [ "-g6", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 345", - "threatintel.anomalithreatstream.id": 2804727563, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:c7e", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11093591971/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2617, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "131", - "793" - ], - "threatintel.anomalithreatstream.update_id": 1687817836, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:34:54.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.133", - "threatintel.indicator.last_seen": "2020-10-09T18:34:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:54.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.133", + "threat.indicator.last_seen": "2020-10-09T18:34:54.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lzr6.example.org", - "threatintel.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", - "threatintel.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", - "threatintel.indicator.url.path": "/a7og/4vpv", - "threatintel.indicator.url.query": "e7k5=wun", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lzr6.example.org", + "threat.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", + "threat.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", + "threat.indicator.url.path": "/a7og/4vpv", + "threat.indicator.url.query": "e7k5=wun", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 84, + "anomali.threatstream.detail2": "imported by user 747", + "anomali.threatstream.id": "2229747614", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:0d7cxf", + "anomali.threatstream.md5": "bde", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12084157836/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1620", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "30" + ], + "anomali.threatstream.update_id": "2339220849", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3149,34 +3392,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 84, - "threatintel.anomalithreatstream.detail2": "imported by user 747", - "threatintel.anomalithreatstream.id": 2229747614, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:0d7cxf", - "threatintel.anomalithreatstream.md5": "bde", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12084157836/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1620, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "30" - ], - "threatintel.anomalithreatstream.update_id": 2339220849, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:34:55.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:55.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:55.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:55.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 54, + "anomali.threatstream.detail2": "imported by user 832", + "anomali.threatstream.id": "2821279948", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:-farvj0e", + "anomali.threatstream.md5": "aa674f5f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43981956471/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2038", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "908" + ], + "anomali.threatstream.update_id": "2083515068", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3189,34 +3435,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 54, - "threatintel.anomalithreatstream.detail2": "imported by user 832", - "threatintel.anomalithreatstream.id": 2821279948, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-farvj0e", - "threatintel.anomalithreatstream.md5": "aa674f5f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43981956471/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2038, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "908" - ], - "threatintel.anomalithreatstream.update_id": 2083515068, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 63, + "anomali.threatstream.detail2": "imported by user 217", + "anomali.threatstream.id": "3118884222", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:23xfw4nyi", + "anomali.threatstream.md5": "48721c98", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20451120036/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1492", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "207", + "501", + "993" + ], + "anomali.threatstream.update_id": "3429396478", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3229,36 +3480,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 63, - "threatintel.anomalithreatstream.detail2": "imported by user 217", - "threatintel.anomalithreatstream.id": 3118884222, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:23xfw4nyi", - "threatintel.anomalithreatstream.md5": "48721c98", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20451120036/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1492, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "207", - "501", - "993" - ], - "threatintel.anomalithreatstream.update_id": 3429396478, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 72, + "anomali.threatstream.detail2": "imported by user 402", + "anomali.threatstream.id": "3912225830", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:dto", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16185398807/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1594", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "439" + ], + "anomali.threatstream.update_id": "3320773285", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3270,42 +3521,46 @@ "log.offset": 39578, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "y7d71" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 72, - "threatintel.anomalithreatstream.detail2": "imported by user 402", - "threatintel.anomalithreatstream.id": 3912225830, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:dto", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16185398807/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1594, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "439" - ], - "threatintel.anomalithreatstream.update_id": 3320773285, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:35:04.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.177", - "threatintel.indicator.last_seen": "2020-10-09T18:35:04.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:35:04.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.177", + "threat.indicator.last_seen": "2020-10-09T18:35:04.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "932.example.com", - "threatintel.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", - "threatintel.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", - "threatintel.indicator.url.path": "/1xmdjyom/tf3inx1", - "threatintel.indicator.url.query": "s6zgr=ajgw", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "932.example.com", + "threat.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", + "threat.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", + "threat.indicator.url.path": "/1xmdjyom/tf3inx1", + "threat.indicator.url.query": "s6zgr=ajgw", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 626", + "anomali.threatstream.id": "2591984894", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:7nq6far", + "anomali.threatstream.md5": "114bd63e0", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P19612019110/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "1579", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "669" + ], + "anomali.threatstream.update_id": "2275758319", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3317,36 +3572,40 @@ "log.offset": 40161, "service.type": "threatintel", "tags": [ + "forwarded", "hlq", "nknea", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 626", - "threatintel.anomalithreatstream.id": 2591984894, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:7nq6far", - "threatintel.anomalithreatstream.md5": "114bd63e0", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19612019110/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 1579, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "669" - ], - "threatintel.anomalithreatstream.update_id": 2275758319, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:35:06.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:06.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:06.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:06.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 53, + "anomali.threatstream.detail2": "imported by user 756", + "anomali.threatstream.id": "2589012476", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:c1z0qya", + "anomali.threatstream.md5": "636cd4267", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47658489795/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3665", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "835", + "850" + ], + "anomali.threatstream.update_id": "2399518196", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3359,35 +3618,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 53, - "threatintel.anomalithreatstream.detail2": "imported by user 756", - "threatintel.anomalithreatstream.id": 2589012476, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:c1z0qya", - "threatintel.anomalithreatstream.md5": "636cd4267", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47658489795/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3665, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "835", - "850" - ], - "threatintel.anomalithreatstream.update_id": 2399518196, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:35:22.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:35:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:35:22.000Z", + "threat.indicator.last_seen": "2020-10-09T18:35:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 57, + "anomali.threatstream.detail2": "imported by user 893", + "anomali.threatstream.id": "2677187012", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": "malware:qtp", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28161033466/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3395", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "234", + "909" + ], + "anomali.threatstream.update_id": "3342338979", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3403,44 +3664,48 @@ "5z6", "IP=192.0.2.45", "first_seen=2020-11-24T05:32:17", + "forwarded", "mask=2001:db8:6d86:4a6:af9b:4385:14d6:b714", "popularity=high", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 57, - "threatintel.anomalithreatstream.detail2": "imported by user 893", - "threatintel.anomalithreatstream.id": 2677187012, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:qtp", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28161033466/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3395, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "234", - "909" - ], - "threatintel.anomalithreatstream.update_id": 3342338979, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:44:01.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.71", - "threatintel.indicator.last_seen": "2020-10-09T18:44:01.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:01.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.71", + "threat.indicator.last_seen": "2020-10-09T18:44:01.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "0te9x75e.example.net", - "threatintel.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", - "threatintel.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", - "threatintel.indicator.url.path": "/y2cbl5ov5/u-s9", - "threatintel.indicator.url.query": "vhppw120=bt0ze0du3", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "0te9x75e.example.net", + "threat.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", + "threat.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", + "threat.indicator.url.path": "/y2cbl5ov5/u-s9", + "threat.indicator.url.query": "vhppw120=bt0ze0du3", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 31, + "anomali.threatstream.detail2": "imported by user 450", + "anomali.threatstream.id": "3137219963", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:nosy8", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33588463803/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2108", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "755", + "843", + "943" + ], + "anomali.threatstream.update_id": "1484831936", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3453,43 +3718,45 @@ "service.type": "threatintel", "tags": [ "06epx", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 31, - "threatintel.anomalithreatstream.detail2": "imported by user 450", - "threatintel.anomalithreatstream.id": 3137219963, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:nosy8", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33588463803/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2108, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "755", - "843", - "943" - ], - "threatintel.anomalithreatstream.update_id": 1484831936, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:44:04.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.180", - "threatintel.indicator.last_seen": "2020-10-09T18:44:04.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:04.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.180", + "threat.indicator.last_seen": "2020-10-09T18:44:04.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "b7qdtnl8f.example.org", - "threatintel.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", - "threatintel.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", - "threatintel.indicator.url.path": "/z2a-tx3ip/7cv", - "threatintel.indicator.url.query": "9a67ct3mb=ijse", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "b7qdtnl8f.example.org", + "threat.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", + "threat.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", + "threat.indicator.url.path": "/z2a-tx3ip/7cv", + "threat.indicator.url.query": "9a67ct3mb=ijse", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 19, + "anomali.threatstream.detail2": "imported by user 479", + "anomali.threatstream.id": "2506436592", + "anomali.threatstream.itype": "mal_domain", + "anomali.threatstream.maltype": "malware:4okr", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P42606732542/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "393", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "324", + "63" + ], + "anomali.threatstream.update_id": "1826833096", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3501,37 +3768,40 @@ "log.offset": 42447, "service.type": "threatintel", "tags": [ + "forwarded", "jjz8e", "n5okkr7mg", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 19, - "threatintel.anomalithreatstream.detail2": "imported by user 479", - "threatintel.anomalithreatstream.id": 2506436592, - "threatintel.anomalithreatstream.itype": "mal_domain", - "threatintel.anomalithreatstream.maltype": "malware:4okr", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P42606732542/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 393, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "324", - "63" - ], - "threatintel.anomalithreatstream.update_id": 1826833096, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:44:19.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:44:19.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:44:19.000Z", + "threat.indicator.last_seen": "2020-10-09T18:44:19.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "4gtq1n.example.net" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "4gtq1n.example.net" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 83, + "anomali.threatstream.detail2": "imported by user 969", + "anomali.threatstream.id": "1214135687", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:h68c70o", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25206292349/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "425", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "324", + "474" + ], + "anomali.threatstream.update_id": "2101635974", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3545,40 +3815,43 @@ "tags": [ "IP=203.0.113.163", "first_seen=2020-02-14T13:46:51", + "forwarded", "gnz6", "mask=203.0.113.12", "popularity=high", "threatintel-anomalithreatstream", "u96h" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 83, - "threatintel.anomalithreatstream.detail2": "imported by user 969", - "threatintel.anomalithreatstream.id": 1214135687, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:h68c70o", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25206292349/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 425, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "324", - "474" - ], - "threatintel.anomalithreatstream.update_id": 2101635974, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:44:27.000Z", - "threatintel.indicator.geo.country_iso_code": "RU", - "threatintel.indicator.ip": "192.0.2.17", - "threatintel.indicator.last_seen": "2020-10-09T18:44:27.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:27.000Z", + "threat.indicator.geo.country_iso_code": "RU", + "threat.indicator.ip": "192.0.2.17", + "threat.indicator.last_seen": "2020-10-09T18:44:27.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 501", + "anomali.threatstream.id": "1632578144", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:y9xovpr2", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21633460934/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1114", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "615", + "818" + ], + "anomali.threatstream.update_id": "1949050295", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3590,43 +3863,47 @@ "log.offset": 43582, "service.type": "threatintel", "tags": [ + "forwarded", "t37z5d2", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 501", - "threatintel.anomalithreatstream.id": 1632578144, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:y9xovpr2", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21633460934/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1114, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "615", - "818" - ], - "threatintel.anomalithreatstream.update_id": 1949050295, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:44:35.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.183", - "threatintel.indicator.last_seen": "2020-10-09T18:44:35.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:44:35.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.183", + "threat.indicator.last_seen": "2020-10-09T18:44:35.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "tfva.example.org", - "threatintel.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", - "threatintel.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", - "threatintel.indicator.url.path": "/iih3qkj/b04g7", - "threatintel.indicator.url.query": "dwosh0qmt=wi9ao", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "tfva.example.org", + "threat.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", + "threat.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", + "threat.indicator.url.path": "/iih3qkj/b04g7", + "threat.indicator.url.query": "dwosh0qmt=wi9ao", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 85, + "anomali.threatstream.detail2": "imported by user 149", + "anomali.threatstream.id": "3098969355", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:wxbuhcov9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30134520108/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "398", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "597", + "913", + "946" + ], + "anomali.threatstream.update_id": "2645963867", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3638,44 +3915,47 @@ "log.offset": 44184, "service.type": "threatintel", "tags": [ + "forwarded", "rprsi-", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 85, - "threatintel.anomalithreatstream.detail2": "imported by user 149", - "threatintel.anomalithreatstream.id": 3098969355, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:wxbuhcov9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30134520108/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 398, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "597", - "913", - "946" - ], - "threatintel.anomalithreatstream.update_id": 2645963867, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:44:36.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.149", - "threatintel.indicator.last_seen": "2020-10-09T18:44:36.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:36.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.149", + "threat.indicator.last_seen": "2020-10-09T18:44:36.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "erg2.example.com", - "threatintel.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", - "threatintel.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", - "threatintel.indicator.url.path": "/4ys/vywa93c", - "threatintel.indicator.url.query": "7oru=evpi", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "erg2.example.com", + "threat.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", + "threat.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", + "threat.indicator.url.path": "/4ys/vywa93c", + "threat.indicator.url.query": "7oru=evpi", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 64, + "anomali.threatstream.detail2": "imported by user 59", + "anomali.threatstream.id": "2035701780", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": "malware:xn2a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10508749376/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2760", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "600", + "673", + "990" + ], + "anomali.threatstream.update_id": "2806149730", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3690,46 +3970,49 @@ "-jj", "IP=203.0.113.22", "first_seen=2020-12-24T20:20:31", + "forwarded", "gogpcno", "mask=2001:db8:bdc6:400b:c095:41c7:1d54:8ff6", "popularity=low", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 64, - "threatintel.anomalithreatstream.detail2": "imported by user 59", - "threatintel.anomalithreatstream.id": 2035701780, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:xn2a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10508749376/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2760, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "600", - "673", - "990" - ], - "threatintel.anomalithreatstream.update_id": 2806149730, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:44:37.000Z", - "threatintel.indicator.geo.country_iso_code": "IN", - "threatintel.indicator.ip": "203.0.113.27", - "threatintel.indicator.last_seen": "2020-10-09T18:44:37.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:37.000Z", + "threat.indicator.geo.country_iso_code": "IN", + "threat.indicator.ip": "203.0.113.27", + "threat.indicator.last_seen": "2020-10-09T18:44:37.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "0elz6c.example.com", - "threatintel.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", - "threatintel.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", - "threatintel.indicator.url.path": "/3nhx/cadsn6", - "threatintel.indicator.url.query": "kfcj94=gnl", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "0elz6c.example.com", + "threat.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", + "threat.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", + "threat.indicator.url.path": "/3nhx/cadsn6", + "threat.indicator.url.query": "kfcj94=gnl", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 44, + "anomali.threatstream.detail2": "imported by user 134", + "anomali.threatstream.id": "2120958409", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:cu6f11gp1", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46535027346/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1973", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "125", + "279", + "552" + ], + "anomali.threatstream.update_id": "3490786662", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3741,44 +4024,46 @@ "log.offset": 45480, "service.type": "threatintel", "tags": [ + "forwarded", "qztcai", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 44, - "threatintel.anomalithreatstream.detail2": "imported by user 134", - "threatintel.anomalithreatstream.id": 2120958409, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:cu6f11gp1", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46535027346/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1973, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "125", - "279", - "552" - ], - "threatintel.anomalithreatstream.update_id": 3490786662, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 4, - "threatintel.indicator.first_seen": "2020-10-09T18:44:45.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011", - "threatintel.indicator.last_seen": "2020-10-09T18:44:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:45.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011", + "threat.indicator.last_seen": "2020-10-09T18:44:45.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "6i0-utr.example.com", - "threatintel.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", - "threatintel.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", - "threatintel.indicator.url.path": "/hsv/50qcugwt", - "threatintel.indicator.url.query": "xcl=ofr", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "6i0-utr.example.com", + "threat.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", + "threat.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", + "threat.indicator.url.path": "/hsv/50qcugwt", + "threat.indicator.url.query": "xcl=ofr", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 94, + "anomali.threatstream.detail2": "imported by user 914", + "anomali.threatstream.id": "1139990065", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:9pyy91p7", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20277063326/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2363", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "346", + "610" + ], + "anomali.threatstream.update_id": "2750333841", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3793,39 +4078,41 @@ "IP=203.0.113.155", "ail6s", "first_seen=2020-11-23T17:11:50", + "forwarded", "mask=203.0.113.23", "popularity=medium", "q0n", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 94, - "threatintel.anomalithreatstream.detail2": "imported by user 914", - "threatintel.anomalithreatstream.id": 1139990065, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:9pyy91p7", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20277063326/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2363, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "346", - "610" - ], - "threatintel.anomalithreatstream.update_id": 2750333841, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:44:47.000Z", - "threatintel.indicator.geo.country_iso_code": "CN", - "threatintel.indicator.ip": "203.0.113.128", - "threatintel.indicator.last_seen": "2020-10-09T18:44:47.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:47.000Z", + "threat.indicator.geo.country_iso_code": "CN", + "threat.indicator.ip": "203.0.113.128", + "threat.indicator.last_seen": "2020-10-09T18:44:47.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 69, + "anomali.threatstream.detail2": "imported by user 886", + "anomali.threatstream.id": "2453026318", + "anomali.threatstream.itype": "mal_domain", + "anomali.threatstream.maltype": "malware:c0-a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26988858868/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1281", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "391" + ], + "anomali.threatstream.update_id": "3315952704", + "anomali.threatstream.value_type": "domain", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3839,39 +4126,44 @@ "tags": [ "0a3p", "first_seen=2020-03-11T09:04:13", + "forwarded", "mask=2001:db8:7aae:f1e6:e8b3:5702:40ea:29f0", "popularity=high", "smh", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 69, - "threatintel.anomalithreatstream.detail2": "imported by user 886", - "threatintel.anomalithreatstream.id": 2453026318, - "threatintel.anomalithreatstream.itype": "mal_domain", - "threatintel.anomalithreatstream.maltype": "malware:c0-a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26988858868/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1281, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "391" - ], - "threatintel.anomalithreatstream.update_id": 3315952704, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.geo.country_iso_code": "HK", - "threatintel.indicator.ip": "203.0.113.16", - "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.geo.country_iso_code": "HK", + "threat.indicator.ip": "203.0.113.16", + "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ztpyt.example.org" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ztpyt.example.org" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 88, + "anomali.threatstream.detail2": "imported by user 268", + "anomali.threatstream.id": "3554643386", + "anomali.threatstream.itype": "mal_url", + "anomali.threatstream.maltype": "malware:ai7s5vg01", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48225335605/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "744", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "258", + "75", + "806" + ], + "anomali.threatstream.update_id": "3898530792", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3884,45 +4176,46 @@ "service.type": "threatintel", "tags": [ "first_seen=2020-07-17T00:42:30", + "forwarded", "mask=192.0.2.22", "mdedohd", "popularity=high", "sv5lmqoo", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 88, - "threatintel.anomalithreatstream.detail2": "imported by user 268", - "threatintel.anomalithreatstream.id": 3554643386, - "threatintel.anomalithreatstream.itype": "mal_url", - "threatintel.anomalithreatstream.maltype": "malware:ai7s5vg01", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48225335605/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 744, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "258", - "75", - "806" - ], - "threatintel.anomalithreatstream.update_id": 3898530792, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "e5el.example.net", - "threatintel.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", - "threatintel.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", - "threatintel.indicator.url.path": "/rncer/fky", - "threatintel.indicator.url.query": "8tc53bbz=1pd-6w5", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "e5el.example.net", + "threat.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", + "threat.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", + "threat.indicator.url.path": "/rncer/fky", + "threat.indicator.url.query": "8tc53bbz=1pd-6w5", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 73, + "anomali.threatstream.detail2": "imported by user 737", + "anomali.threatstream.id": "2781657405", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:6faja4zy-", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13788530147/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "518", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "259" + ], + "anomali.threatstream.update_id": "1423149268", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3934,42 +4227,47 @@ "log.offset": 47992, "service.type": "threatintel", "tags": [ + "forwarded", "l019r8", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 73, - "threatintel.anomalithreatstream.detail2": "imported by user 737", - "threatintel.anomalithreatstream.id": 2781657405, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:6faja4zy-", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13788530147/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 518, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "259" - ], - "threatintel.anomalithreatstream.update_id": 1423149268, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:44:54.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.226", - "threatintel.indicator.last_seen": "2020-10-09T18:44:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:44:54.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.226", + "threat.indicator.last_seen": "2020-10-09T18:44:54.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "eryz36i.example.net", - "threatintel.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", - "threatintel.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", - "threatintel.indicator.url.path": "/9a86hdj/zti5r9fx", - "threatintel.indicator.url.query": "ahz=l7dsg01qo", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "eryz36i.example.net", + "threat.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", + "threat.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", + "threat.indicator.url.path": "/9a86hdj/zti5r9fx", + "threat.indicator.url.query": "ahz=l7dsg01qo", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 22, + "anomali.threatstream.detail2": "imported by user 703", + "anomali.threatstream.id": "1875325904", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:rrcnb", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12535858975/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "417", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "114", + "792", + "802" + ], + "anomali.threatstream.update_id": "2621256767", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -3982,43 +4280,45 @@ "service.type": "threatintel", "tags": [ "4yqbj3b", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 22, - "threatintel.anomalithreatstream.detail2": "imported by user 703", - "threatintel.anomalithreatstream.id": 1875325904, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:rrcnb", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12535858975/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 417, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "114", - "792", - "802" - ], - "threatintel.anomalithreatstream.update_id": 2621256767, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:44:58.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.25", - "threatintel.indicator.last_seen": "2020-10-09T18:44:58.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:44:58.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.25", + "threat.indicator.last_seen": "2020-10-09T18:44:58.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "i-pb.example.com", - "threatintel.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", - "threatintel.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", - "threatintel.indicator.url.path": "/pjmy3/w0tgzb", - "threatintel.indicator.url.query": "noe1pr9=eiwcfihd", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "i-pb.example.com", + "threat.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", + "threat.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", + "threat.indicator.url.path": "/pjmy3/w0tgzb", + "threat.indicator.url.query": "noe1pr9=eiwcfihd", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 19, + "anomali.threatstream.detail2": "imported by user 846", + "anomali.threatstream.id": "2684776210", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:zfd", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45743905551/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "965", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "641", + "697" + ], + "anomali.threatstream.update_id": "1171583779", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4032,40 +4332,44 @@ "tags": [ "IP=2001:db8:61be:1efa:290:c941:bef8:3803", "first_seen=2020-12-01T02:16:04", + "forwarded", "j6vwgb6", "mask=2001:db8:fc83:375e:9c60:3d50:1dc1:9f89", "popularity=medium", "qqo5fg", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 19, - "threatintel.anomalithreatstream.detail2": "imported by user 846", - "threatintel.anomalithreatstream.id": 2684776210, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:zfd", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45743905551/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 965, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "641", - "697" - ], - "threatintel.anomalithreatstream.update_id": 1171583779, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:45:05.000Z", - "threatintel.indicator.geo.country_iso_code": "IN", - "threatintel.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956", - "threatintel.indicator.last_seen": "2020-10-09T18:45:05.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:45:05.000Z", + "threat.indicator.geo.country_iso_code": "IN", + "threat.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956", + "threat.indicator.last_seen": "2020-10-09T18:45:05.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 812", + "anomali.threatstream.id": "1705726884", + "anomali.threatstream.import_session_id": "2813", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.maltype": "malware:ib0ezg", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12586136986/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "632", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "459", + "936" + ], + "anomali.threatstream.update_id": "3651210157", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4077,41 +4381,42 @@ "log.offset": 49879, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 812", - "threatintel.anomalithreatstream.id": 1705726884, - "threatintel.anomalithreatstream.import_session_id": 2813, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.maltype": "malware:ib0ezg", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12586136986/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 632, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "459", - "936" - ], - "threatintel.anomalithreatstream.update_id": 3651210157, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 3356, - "threatintel.indicator.as.organization.name": "Level 3 Communications", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-07T13:10:07.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": 5.6, - "threatintel.indicator.geo.location.lon": 112.8, - "threatintel.indicator.ip": "192.0.2.12", - "threatintel.indicator.last_seen": "2021-04-19T08:57:46.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 3356, + "threat.indicator.as.organization.name": "Level 3 Communications", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-07T13:10:07.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": 5.6, + "threat.indicator.geo.location.lon": 112.8, + "threat.indicator.ip": "192.0.2.12", + "threat.indicator.last_seen": "2021-04-19T08:57:46.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 81, + "anomali.threatstream.detail2": "imported by user 411", + "anomali.threatstream.id": "1502608684", + "anomali.threatstream.itype": "apt_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46655498126/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "2891", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "474", + "601" + ], + "anomali.threatstream.update_id": "1170853028", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4123,34 +4428,36 @@ "log.offset": 50468, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 81, - "threatintel.anomalithreatstream.detail2": "imported by user 411", - "threatintel.anomalithreatstream.id": 1502608684, - "threatintel.anomalithreatstream.itype": "apt_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46655498126/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 2891, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "474", - "601" - ], - "threatintel.anomalithreatstream.update_id": 1170853028, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2021-04-29T16:02:17.000Z", - "threatintel.indicator.ip": "203.0.113.5", - "threatintel.indicator.last_seen": "2021-04-29T16:02:17.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:17.000Z", + "threat.indicator.ip": "203.0.113.5", + "threat.indicator.last_seen": "2021-04-29T16:02:17.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 601", + "anomali.threatstream.id": "1171635730", + "anomali.threatstream.itype": "ssh_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24647878518/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "822", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "749" + ], + "anomali.threatstream.update_id": "1026394470", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4162,33 +4469,37 @@ "log.offset": 50919, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 601", - "threatintel.anomalithreatstream.id": 1171635730, - "threatintel.anomalithreatstream.itype": "ssh_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24647878518/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 822, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "749" - ], - "threatintel.anomalithreatstream.update_id": 1026394470, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:23.000Z", - "threatintel.indicator.ip": "192.0.2.68", - "threatintel.indicator.last_seen": "2021-04-29T16:02:23.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:23.000Z", + "threat.indicator.ip": "192.0.2.68", + "threat.indicator.last_seen": "2021-04-29T16:02:23.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 964", + "anomali.threatstream.id": "2251817936", + "anomali.threatstream.itype": "i2p_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47421535249/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3194", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "235", + "630" + ], + "anomali.threatstream.update_id": "3118045359", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4200,34 +4511,37 @@ "log.offset": 51361, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 964", - "threatintel.anomalithreatstream.id": 2251817936, - "threatintel.anomalithreatstream.itype": "i2p_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47421535249/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3194, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "235", - "630" - ], - "threatintel.anomalithreatstream.update_id": 3118045359, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2021-04-29T16:02:24.000Z", - "threatintel.indicator.ip": "203.0.113.54", - "threatintel.indicator.last_seen": "2021-04-29T16:02:24.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:24.000Z", + "threat.indicator.ip": "203.0.113.54", + "threat.indicator.last_seen": "2021-04-29T16:02:24.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 77, + "anomali.threatstream.detail2": "imported by user 137", + "anomali.threatstream.id": "1966380326", + "anomali.threatstream.itype": "parked_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P19479436344/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "229", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "303", + "461" + ], + "anomali.threatstream.update_id": "1757326916", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4239,34 +4553,38 @@ "log.offset": 51809, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 77, - "threatintel.anomalithreatstream.detail2": "imported by user 137", - "threatintel.anomalithreatstream.id": 1966380326, - "threatintel.anomalithreatstream.itype": "parked_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19479436344/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 229, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "303", - "461" - ], - "threatintel.anomalithreatstream.update_id": 1757326916, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.ip": "203.0.113.195", - "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.ip": "203.0.113.195", + "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 997", + "anomali.threatstream.id": "3377960871", + "anomali.threatstream.itype": "tor_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25503355951/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1710", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "13", + "657", + "879" + ], + "anomali.threatstream.update_id": "1469037378", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4278,35 +4596,38 @@ "log.offset": 52257, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 997", - "threatintel.anomalithreatstream.id": 3377960871, - "threatintel.anomalithreatstream.itype": "tor_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25503355951/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1710, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "13", - "657", - "879" - ], - "threatintel.anomalithreatstream.update_id": 1469037378, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.ip": "192.0.2.239", - "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.ip": "192.0.2.239", + "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 12, + "anomali.threatstream.detail2": "imported by user 445", + "anomali.threatstream.id": "1049633552", + "anomali.threatstream.itype": "c2_ip", + "anomali.threatstream.maltype": "malware:tos5xne", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P17175297976/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "274", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "683", + "719" + ], + "anomali.threatstream.update_id": "1541655552", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", @@ -4318,33 +4639,20 @@ "log.offset": 52708, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "vjb9lmpcf" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 12, - "threatintel.anomalithreatstream.detail2": "imported by user 445", - "threatintel.anomalithreatstream.id": 1049633552, - "threatintel.anomalithreatstream.itype": "c2_ip", - "threatintel.anomalithreatstream.maltype": "malware:tos5xne", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P17175297976/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 274, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "683", - "719" - ], - "threatintel.anomalithreatstream.update_id": 1541655552, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:26.000Z", - "threatintel.indicator.ip": "192.0.2.169", - "threatintel.indicator.last_seen": "2021-04-29T16:02:26.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:26.000Z", + "threat.indicator.ip": "192.0.2.169", + "threat.indicator.last_seen": "2021-04-29T16:02:26.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index 4f915c83f55e..d0fa140db906 100644 --- a/x-pack/filebeat/module/threatintel/fields.go +++ b/x-pack/filebeat/module/threatintel/fields.go @@ -19,5 +19,5 @@ func init() { // AssetThreatintel returns asset data. // This is the base64 encoded zlib format compressed contents of module/threatintel. func AssetThreatintel() string { - return "eJzsXetz2ziS/z5/RZfvwzhbsmI7cXbiqrkrj+3MuM5xMn7MbO3lSoHIloQ1CDAAKFl7df/7FR58iAQp2aa8c1vrL4n46P6h0Wg0Go3mHtzj8hj0TCLRlGtk3wFoqhnWL0pkSBQewxg1+Q4gRhVJmmoq+DH8+3cAALf2BbBvMDpFHiF8oAzH5upHEWcMh98BTCiyWB3bV/aAk6TBy/zpZYrHMJUiS/2VAEfz98GSg4kUCegZVkmV3JOCu/mrIqiioDymEdFCDidUKj1SiLx4KIcUE42Viy2onDzQPg2Ex6BpgrCYIV+VjxKZjBAsP5CYCqkxBkWnM035FPSMqgqsDsSMvChgw+5ZePNXVAMvE3y6Gd6rLBmjBDGxYFWNOyyIAjFWKOcYQyR4nEUepNVTEmk6p3rZhdIgagC8x+VCyHhDmS5TNAhLWEQZwUlUyI3sxks4XZpmfLJQyZghUA43txd/gcPh/nCF2vlDipF5a05YhmrlHsCfgGRacJGITO2ppdKYNJ+Qmk5IpBs3Yiox0kIum3dEQijfM7Jp3MOEULZH4lg2bk0oaz5P0/nb8OM0nb8L30lI1HIj0/jQuJpKEaFqykaJiV4Q2cSUSda8plDukSgSGW+KakF5LBZqT+KUKi2Xe/fYlNrD3tH++70IjbxNz2OHmlX053nadmZvje1YQEvA6J7RdMHzIeB0rjSVnaM0IpyjHClN9HNG6qmRo4Fy8tvr87NrmCOPhTQoiQaVRabDJhljS4hROw1PCKMRFZmyigRCwt31ZRfWVIo5jVE+T4IXMXLTY16Ehok1MDNctYM5ty5EkeATGpvHe8VUkgVJrEUjStEpLzs2BweZMretLam8pSLCUD3OslwJDTcpRgZGPIArwXEAl2IxgI8Y0ywZwC90Omu8tr93sN+4eBInVBJG9RJuDBTYPdh796rx2NnVRX7/aO/9UfOB388/5w9cJKlQihrjuQenKDWh/FVH1ziHYCuqopyUIu90uFkpJpoAVRCJxPSI8Va6NMc8rlBvF59nUrpOgYm+C6TECcrna/d1TsYMcGCU39tJWgCJY2peIAwonwiZEGvGyFhk+hGeBk0b+FYubSZBkrsNKxM54XDx2QCVqBTsUinRiFfTuRW1m1Op4K86DZeQzZ7e3LauBwmGA3DnLT0RpJ3oh76lvellq1Qtu+cKNiHS6NJQs6YKPM6Jk2RiRsylcVrhsxRaRIKBmhFpdNXz6baoQCQeN03YjOqmR/KzXHXk3dUT03+Nq9cYd4pARzOMG82vLqwgsCSqUiNaJDSqMW6T4hpJQtMuOfIVDbBOgQcOBJiICAPkcyoFT5BrQB6nghqHQgJHvRDyHnCOXA+D+G3btgbfUs9dhK23pbYg6bcpub+4tZY09ZM0bcljVNPZtKBAaga0Lo2GLO44/ZZhbiUJMw00o1cLJ49iZQVuZTW0y+XG5cLMntxc1T0WgMwyYUugpeSRRLNCYIJbbhdco+RYUwIAfCBJyvAYDo4O3r0PikTIKeH073auHAbWbF3qQqdcSByRsZgbHvuHb2sPJBnTdBTqkSoEjQ/1RVPJueUmFzJRxzAhTNURryjxp0rzLLtWEf0sxJQhXF6edvowbgn3LC00jtRQaVkLZzxb2mtG76ng2gw8G6RZSGqXAg6G5avqogH4LNKMWbV20yyRkiyDBKzD6nU/F9IQPggJZknRWNlD/l7+rEMAu9fnP49u/joA8+/5Xz6fXJ2Nbv76auD8NzUTGYthjBUsVNdXEQCCo6fvIeC3zHiMyvqzjrF50XL5eHd5e2F5Wh45WcZg3EQ9J5LakAtDPtUzR55nCUrvIA/M8nRmxGVon/3+6frMhsfMr1/Nr5WmNOiPEdJC5haiEWiMEU0IK+NATp13cTiFrzsHO19ftWr19/+1c3r8RWryRWI80jr9Mqb8S7IkaTrEB9z57++DKpqShlj7U80PGWOWwwAoj1gWm/6Y0TkODHkrLusDtbSpIbRf/vPy45ebTx9ufz+5Pv/ykUZSKDHRX353cRe4uv1ymkmJXP+GUlHBv1wkZOqCzXD+gFFWi6S4v08WrvqyoNw02YjryxmOs+m0NoXkQguB7k9qV5XQguVkh6BG3tr3nWCbMaj+oF7ng9p056pUmiZ1iuJZ1jSiejnqe+Jaac4p1cvuueOj4FoiYWGAgmvKkevtoqzqR8GyFfGVkHoGJ9ZwkRbYGddyOaJKjCIRb1G8jhFc3HwCw6gV8+lJJ9Dt6oAH2akGp4STOCxN6x42rYxXdxQj6wt3IbgUfEp1FrvtFka0/dFu+P8HdpjgO8ew9+c3w3cHb394sz+AHUb0zjG8PRoe7R+9P/gB/jds/820LPj2+/7a8tmk6/d+Pe1CutXO9yg7+/7XDMcYddi5CWU4THFIk3RG1GyDCEMnyNbFyc4JGPpFFDpJhdQKKAcCn89tdHwIJxw8DtjbMysw9xjUkIG5GxFu/JJMudXNhPIpylSapduYciLtomSOHMhEowSJkUhSypyPIiQIPUNpu3eP4RxXjaSWhKsiWKdgRuYIIorMfB0PYDGj0QwW1u2LZoRPERIh0bxWBPtsK1zQZLV3LpFI7p4nGmZap+r49evFYjGcUIm4xGEkktdjJqavXVhpz3hXREaz14f7B29f7x+81pJE95RP9xLCFkTinpPTnuFp3MuZTthw57uAPuxH737YfxO9xfeHhwfmP3FEjt6/e0NI/OZdHE/WaMqzpsRGL7YRaSNUJaZZgxisGV2wfjECfv/YtPV7lauf4TUAOgEyJ5QZR7u5JslxKRUj1hvTPzLHxop0U2RJfLR1WEl89ChMakYOti+rGTl4LKrDo3cvgevw6N1jkb35oT4pbAXZmx/ePhbZ0cHhSyA7Ojhci+yJgcbnxjJyoJZJGJGifw8jWhPp6+D2vQItNGGWdpjrI/2QzRk3nY+cJT5o5KrNt3wu34J6mHlCExz1G2WuMP948fG81sXN6XI1H+MJ4Tibr9If/jNLL/e/MsnKmNCOcT6QEaVpNIzETn8d2s+AQmYznzShPN+tYFjiKbd+haRTym1I6luGSgfbMZFkmmBjVbPNZnwW0rmdhfC9V2p+ff23r5Wu0CJtkf8kY/UMn+dsmkwsQbi7vrSbet7XIVwbb3opMmlca4iIwoGBuayEOZUWEpu2nHL4mkk2NHS/GicZrYttA4uuE6myfjhXWroUHiHBxw7N20Yadq+lQbq+jQ8rWwWu0/uTzR1PRGxTREqNsn2mQKFNJSyhBqGZvyuh0W03UV5sjCSCUy0k5dOBU9g8se/u+hISsrRB5KJjrAwlkno43oqa2HQjYGKqHC1DgioQE40c/pa5zMYiQc/toBM9ayK9XemgBL0OFG8X1IkCqlcSEgdgVlUMtU1t4qJlvy8lSgW6YatDzrPMx5y3CG34HhVXXstaz2psKwP8tVvLtQzyWhYFdLkHbn167LcOHm+RWjG+ffsmjO5bho3Mym2bf8vTq2e8khjo7viNk1BbGvSM/L/96Ge6YD/kXL/+x1czGPAhYlmMcTnFVJkOjRUldmgU0xMX5l07IhtJmmBIclFtkiVhnzX3iOU7znTx1KDC1MkAH6jSTYtgd2VsykmqS3y2Ke6Nr55KLW4S04lNXNKUaIQx6kUzaQPcvvpC2OlAhXXDbZmhxHjUt+tiWjGj0xlam5azsSbZsRrYBqcpFsNdZWN3q9m9H4TM4yGDysagJeneMSMLdiZCDP1zw0gkO6aDdqoXWiyp2wXxYo5Ro0wox9hMdBFVyJa+r4BRpYHRe3TZjtmY0QhUNpnQejowuGd3Z1qnx69fu0fdk0Mhp6+GcCuXeb5ZmkrxQBOifdLeeAmKJilbgib3TUPhOtdmwpseZmSMTLmdRi402GlrgYxZodxenqnSlEVimN23GDIVzXCLsc+mktxYhu121wba2sDm2vLCtq3ga+2+9xDd/L+Ebxlhzgnxz9jUR7c12UhtBSCM5Y03D1rbhambvGdCafd6xmPvdjbG6xDgglsnQWpKGKsbemggGtgQ7cRnYWN+320pgI2q5pCsS2MRRIRz0fTwVsbKoCKZwrI2GjhGJhbhEdw56lcNRFX0biFElB4mS0/I6bgb+0TpwKB3BjzvpBlRLr8ktdvxczOYxKRkV9FIlY0PhyobH6yYmUFwfJZw3SzgnXEvnAqtnYEzL1yAloQyYxVSlFTELRESkY4szMdb7T5GAE4mPh9Si9SrjG/oLt5enr0aAGFKwD0XC26kVoq6uUiwBnFg+qowaUaZc62pDKNhcxao82+Qn5RvmI6yKvFPOQ3YKaBtBig7bPO5IFMot7oTFljCeZat7n8zYPNwtP/+WREbhZISNurI5uuhrYHFqs34c8zzvD2qVFYepKgc3wGS6ZmQVPs0KLMYN6aTR8um4bGmvVBl45+ydEZ8XtHArAXLmIBbjOT5QSLTEAkmjNnmMWRpitL4jg0W0YxIEmmUjTSvYsvq6OjDTz+9P/3z2flPH/bf/7D//uzg8PT0JLzrbhu+NeEX2QyGjRloLZI9zaWC1IZAzqjSlE8zqmYYOyK7Z1evzPR5KpJEcH/t9OrVAGJMkdvkI8FbogutOUenP97dDODTj+d+prvg0QA+3f1o57XSdg3g9Kp45uaXk0N77AVOlMokWT0K4f5uzGpftqU6qGz8N2wcxttSDklF4p4vmNXLS4rdi/nm9sdT4/AIySkZwOWPN4TDByNAqiJR6YaB6YehFbqaEYnxcMrEmLCiSziGQ5WEaWPGjLm1qQRby8tsdPilmWic32JFXEHiva/dm5OrV0MnQZclOSdyaUxO6LRg/lcMEmsXqp1p07bH1m6YrmHLwrkpz6agGsDZ1Q2EZAGwa0guKIsjImNlPAcerx7BaCaTFl2686dqBLxjmlB0yonO5DPPC310O/cwIQllSytqNxx3q7tagYMhZJwp9Pv+a6erDgD5iXMh4cSQPP2lwOSPwF9UDrJDcO4rzyawwHZLu3Z2Tt4f8g00mGamz+w0dnd9OSNZpfsCKEI982QUK/1Dl52MM8kMuFEsFpwJEvfB/9JnZsHu3fXlKxcIhqXIrEeZMwICkUiXzjZSd8a0E+mcykzZzcKhRJUx3QfUk9/8eVcDV7qU/Q1BGLegHu93KCZMEP1EDGZR5whvioNRft9Lr1F+n+eb/1aQ9yUGWsbyJhuFLzSOaS+qa9Z1F2eVza6NBk/oHOaz+8GbDeMhyLVj2J4Pz1RfIohccjc4qrk47q4vh/A5P+VbOVQHgjPKcQBiMjH/cY4ztwvfTuQuSawv1P4kYyTsWUXhPCKr0VSBn3ZWz7AHII0Zie7NWlUNVSbHrA9wN3fXP12WlL1YW2RpnsDYipALPXI/N0WcksSZ856Ae3pwFsLfBcpXJpF99e3tgmqNEmaEx6yyNHZc3GblzBX2cBVR6p0Ou0IC4YIvE5GpV53gGZEaQ/ZkLARDwjeHfuF8L1SVLWVcgWVAjxF5BbkoAp82ApaXEtjVMrN7lfaI1qvOcUWmvdiCExe1MdImUwVEKRHR1ZM03zKU1FWLyNvUnCu4SAijfU0VjtofY4oIHIDvSF16BsvVOhgdTFNiBgrvi68nt2mT54TReDSRIgkAiOvLqk7uv8+QrzK0+/euUtNEZNzmYNiSDlyZEeJOetM4hCvPitgWKht9DDApTcoYWW/zs9/pksiqJ2QLRCHdD9x7FgQXWKurxKAaai72V8yCiKpi58Wa5kUe8ChOX4W6LVyX5xn2rHJ7I322pdh6kZkhlGcBuCJYa1hH7nRpH8zPH7Qk9uCvGTLFo3PMmbSqUlAmPa2Wb1dGkSEysEvEqgqNEXZyvbHxkIFdZP9C1Gzv5peTw6N3OyGIwoZ+Rr4uhHHQext7tpZP4fF7ToH1kZulnE+qtESSbGX+u6mTrs9/Ic1iRKlit7MPwTT9HMIrfUsVpJLOicu1sgkpJN8umqD3dovIkb/DlvWIV81fPs6JDvwbq88X8TH/VKdEQoWicmmoWT2zaa2SJEhUJstaDlGUSRItYde2fd8Ms4P9/VcrdaOq/fm9ERjG1G1XEU7YUtNIgcZoxgUT06UhUQi42xePURPKDgMta5QC6GzYmaXjzIhRxKCRqMj9IvEe7Xhp99Hg7WEnzhfyz0KcLdKRQqXsIb1egFRAuLM4nrxbrESms+06pWoEBV9Rg27QfdnhixUbvHbQ7ZBU+x33nYH7ZS1z/oOm+f8yyRo5ATtjkT8SHVbIRIflVfse7NDD1F9LCCserdMz9wr+5kf5ShIf5f/1JFMi7zH2j6Qzqmb5u3Wy7mb1QU9CRYT762a5XWmC8i/USalMpa6SXuVhLaR52Fo+80Mi1yN7OA6lZdXZ9wlhLb2fbyI8pvvL0l4Sp0TauAkpVnQuzD8AAqe/ncPFmU2dIdwdQiRak+gebHkao7eD4CJxs1FYP+X1RHU2voG1T5tzluh2zUaZpH1AuDbelLHcd9cXTSjeIK/ZEcA5SqqXfcA5lVTTyNX7C3WPD5zZmdgXhExTRuvWaa1lYGIxgMRXI5zR6WwAc5TLPfPf7sZa6ffR1Btfzre9+6E6RZ2YmbVy2KIV28gIp7+JocSncSqtUtT3bUNQdH2p+lQpGUIeRLiK34qUbKHeTv9Jy0xpjEcRlRHDEY17cbfLGdTTB0ffn01IilDfpuM8S81iv6duvLPE4OJsXXC+F2bXl4+0aXZQ9razeWarEVXKk21uFWg6KJb+9uyWX8cl8VFz2eQnnTH5OyHNQrJPWzDle0o/WaJ/xC3iVYShBe3LbBD/ISLILpkgBKpaHjUArnkWv/uQotuIDiemPP5Ia1kLvaDsVrpe2s2+rdql7SDxdDfGYQZmEMTmZQ5yUj8jR9koWrnuTPXaE9W56uaH2aaODRhXHLSrElq3SDmki9tto7m4bQVSiQu5LaiAAje6unt2LCsY+kCrT8NZEAUqGydUu41Ez5AFB3okYhwZ69KLoylitKbKrCCqJYPzqas+tstDz6pZIfaJ1v7i5vM/am/oRGtJx1nNK1gpDRn15H2slGE8FUmScePely5To4ZpBcQ2MGzA2a0zfM5+EMLjRoDvZZf6bm3ckY2s+cOncJDn0ydCaYj8Kig8s0xELwpQVszOo+10ZXm9EmVvFZQNZ6pZP3vQxY6VO/RrrENBP8Q8y/oLxN3d1dSiES9fKeIZmtUftz1XfEFFTFxVzTpn234ffAva53wIj5qfnniKjv4iFpAQviwJ+zPr3B/PtGWkXEnPtSKyX1nRJEl7kVNB7cnCiqlyjeppG+GsQs85yZURYwx7cLBIkQqVRwFHTEShfLhHD5sb1PbzOG5vYJpJjEFwN73YHSqbnWu4uZrBVK3tPvNwT3klPqPc52lZUCsdR5XnFjjcXrMyo/606kTDwizN7aeLgsoUsmyVOjyS8unIzvs9TVGruwGWMsYOloIi6qLWTl0xVWTMjFGQViXDCv+UfqxQtJvkjlGcF6JudG0Ina0nEqvRS5huoBoSW4bfcW1xMYb9IRE1NyM0i3YIx4DpMxNH1AtgPwXQtnpqBdwTcNmq8j1aqIBRIqyyCSwxEbr5rZNVl7lHXWp3myn3tRGDdqvIzlv9cEwNZ59q1oLUn6R+PtY+NbAFq1XMPrD2rZUteG0iV66gasmjvHrGBnpauHc9Kms5rAvqjx3TJaw+s3b0yncqNoG2cojdB4BpOn87cCUOCY/tedzuJkRE47T+gbznpLl7es9oys6VL4904j9mGExHqvSCaNkceaoql5grtfwzLcyKMyKMLXNFzqusXJzddEPc1tTULd1uTPaRHl1C//EU2639IFyzFHr8onEVUJEmXvDBeFD/jKXdTUTpT1KrNZq4pbXkir0vG2Bsq00WmD3FeEUiadS9e3KM0pJSkJAYi4/LFDipVsgm3Wi2tVCx9Cr6mH/eyl2v6WTxFbkSV7eCIsO+TjXUh0vlEEMi5tWaU5t38cussAqkyFeWWT1MsD7ndBvT/yfvP4eHFi1H1kYIO8T7LG+gEHJTOYrNvtpKcv1Ya34CpK+k9YJH7QB9kbJuC5vsuHKjM3LgN673lIyCk7xNpX7Qw+16ggojwWMil09X2SbQbfmGjwX7DC+x2ahte4vPatxmfmOgp/r2H0OteJ4n2QS9LY9y0x7YDOXL+Jj9Yt6K1xmC2Jf/GdDol/BDQ016ikcasDJb9kxDyNvnzSa+P5avGmjNhoreu/faqeWP9mODQ/Mf6M9uxU14YQ83qPrdvm4r5hfxedtU6rHeb7MVf3QvuIjW6mrhv+ek8Xy6/cv/gxPe/zpWC/86VvvPfqy2PCUTCRljPMmCNcSeNs6vPVH4YKluPuYru9+2hl5NCu15q2uyOs8tNXfEoPBvyw/l15NL133sizbTStelnW6QeFrAXM0zzP/K0nA0PT54fzjcHx4OD97stKJsbFz2jZPbyrW/WeuWJ4P62oed+DcB3xg4fYMPHYtchXmRnrgyfTtBDbWJ66f1U3ndENfAq5brqo+hi0qePBi2TuSi87RPgTUdScKn4Yq3LTfXYL22nxkUE7j4rNaeOqp+cTPv/f3XB+9aPqtJ1X1fI/+aqns/nh87yqPyhF2rJo6XgaKSG6mhBVZhAbv7e28bX6gOorkkY6yn9EM/g6OBylYlGcInbvv6SnAcwB3PVEbYAG6KQ7AD+EhY/t/fUC7L3+1Nwrk7nu/OoDcLaJa194jWyAOf+Nm4Td+rglvzpGYdl4pE4FsZ7ZUDHiddS9309vv3Hd1txsBN6EMq0E9Hl+dJLKjrjGH5GR33dZ4Jiezx9Yn/nBsvXpHm6TU2/vXR23brbluXJQlpfL5lk+atLSW7oQxcdzgYa1pjWn30tiorn6bJloXUhs32gqu9P2ozNVWZNOo21AXS8QAXMlHHrohYu9AN7lZxB44kwWNVSa5oUdPZdN7Wt568TOdV/pp7l5d0LFf1qX1N6c6MxqNgncLHBSgvyyJRvkKqpit+V2nAsS+ePrBiKXZwxIeUSlR9cDw3pDZiFhEWZayvllb45oQ7MBSJyD0K2VWh6WTbX51Oz9OX6FxQPfPfdmvV8UbQYtRbWOlT/q25cuFZp11s7cZzlMp+5LqX2ENJzq3ZiERglN+Xq25RL/He2GUOIQl7EutW3grzgo1AyrNAPqAHZCwyDYTnkP4vAAD//ytUcvM=" + return "eJzsXNtz2zaXf89fccYvSWYUNXGTztYPO+PmsvGM23R9yfZNAwFHIlYgwAKgFPWv/wYASVEUSEk25Ob7pn6yeDnnh4NzB8BXsMD1BdhMI7FcWhTPACy3ArsXNQokBi9gipY8A2BoqOaF5UpewH8/AwC48y+Af0PwOUqK8IkLnLqrvypWChw/A5hxFMxc+FdegSQ5XsDZmf8JYNcFXsBcq7KorrQfb78S4I25ZJwSq/R4xgWOM2KysRUma56vaS5wvVKata5HhlD/3WUIjt5zAzwvlLbgaI6Az4AsCRdk6sZyDCaTkR//620yVIEcONKHopohsrG70gti8E1GTDZVRLMJZ3uHURMg09IgzcY5ESuidzm3J3rP4D95PYCZ0nDpqL7/DL8GqrXiXVWqWv91NWcDywlx4hBsceibkUFY4FXcvwvzEo1BBtM13N9cZ6Q04+bZCArD55LYUidBUctiRnIu+HqQcamFAzdhaiWFIiwF/2tFibsDL+5vrl/CKkONsFYlUCKhZgQEqCrWoGZgM278PAwiXXJdGqssEWONphQ2BdTLr8DQIvVwtUd9KIgCNUUZQzETitgHYuASKsKH4hBcLpLMGpcLsApshvC1IQ8anc8b95pzqcX3Yso8ifY6z3r1IeglOvs4yH40zlC7MJdyKirPASit3mvGE2OJLU0qEdBSa5QWAtVaHPc312P4XRnDpwJhSUSJBojGC1BScIkjULOZ+weIZFDKhVSrYYsKcSUV6kANqNIaTaEk43IelJobqCKPH8QQpKkgdCG4sWZsSj0VKcDd3t/8cr2hXIm1R5buCWRehFLZSfh5KOKC5MGjJwJe0YMPMfxDoILnQJ1qbu9W3FrUkBHJBNYaWXMBmxHrkqD6CtuZdHihNBCp5DpXpXk5CF4Q3Zb5BvpUKYFEHg79KmSAaFwgtJlHiluwHOgpomwhD244U8Y6BS60WnKGGl5YXSIoDTMiDL4ctCsyT+ILLr02emmTuQFijKKcOJArbjMP888SNUfWHtNuuJAqJ4KPBc9VqngRSH4fcWKT50cYdjLtR7F0tA5iWhBnLTIV34rcoUNeEsHZZKZVHgHAiMXDuf9fhnKbIayISxi1sTBTpWTOIrgBqqRxZoIssI/hyhXjMx617CSoBDE2xmTjV6YokgXpQM0V5KTlNhpEMd2P3HsUBB+3dlRi5C0Uv5G8EOiKUnfXF0bcAFM54XIU/PNKlYLBFP0Tnlhs2low0ji11u2D9Nk3QpLIzBGqHpn67GQfa6qkjRcaRzP/+M1qAha/WWcyzaNLrJn0qlJUJomq5rstK3JERr5UbKvQFOGs1hvMCRcjX2x/JiZ7dfv58vzdT2cxiGr6/0jtJCd6weXcZenJbO/27uoPaNL+ilOkTqoCX8hMjdVI8pMEwNsu6W4AjKmWIMbwGQ/1egrJ7GY7RLYmlxsoNF8SG7IYrXIgUJRTwSnMsMp5mwZWdUesxx0unaz5oiY6qt7Yfr7SoeapQYkoOeOsp5AzmdJHFPZOS3IkptSNgySUlprQNbzwY3/t7OzN69cvXV7F5zI0jNrz+dwJDBmn3kqJJGJtOTVgkWZSCTVfOxKNgIczcoaWcHEeGZlzCYcP7IOnE/yIU8Sol2jJ/Sqv8trpGkqDGt6eD+J8ogQtxtkjnRg0his5SQOkBSI0kCvyoWShbrJ9tdL2gkpuqcEw6FSO+GrLCe81ujNS2Elwymej8Mu75voHL+r/Si3ORh1yZ1NVP0LPW2To+eaqfw/O+HlRXcuJaB7t0nP3Gv7ux+aVnL2r/61IFkQvkFWPFBk3Wf1ul2y42X6wImEokdV1V3S3hmCqF7qkTGkKTrny/db6Yau0e9h7PvdDo7QTqwldoPasBuc+J6Jn9ldcMEqOm/6Z0nlo3WqcE+27J6Sp63w/eT0CAu+/foSrDyMI9XRw89YSunBXQqQbRUvFw6wwZ+9SqLNLDrx/OpyzRqNKTXFSap4Cwo1Lp5znvr+52oVSOeQ9SwO4RM3tOgWc95pbTongdh2dnqp95iOxd06mLArBu95pr2cQajWCHBkv8xFkfJ6NYIl6/cr9OzxYL/0UQ731lIamH9oh6tJFVmP3Y5s44aQLDBt8FufaK0XgMywm261VHyolR6gCwc1eKRGfhgwhs7o0FtmEck0FTjhLkm9vImhFHwL9oKQ8bxp+h9p5WbhqP9E03nticPVhX4s+CbOb6yN9mjfKZEucH4gloZIfKpsh5hV4MWpq/1KLppDL2bv+9aUq+EzJX4ToRIVTvcL0iyf6Pa4ZbyOMVbZPs2L8XfSTjfc+MVDt/SURcF3tiM1pqzqqVqZNB3GgJZScd24MjhPgtzKfonYjbSiHireS9u7ctv3TaZBUdA/G4Qw0CmJXtHHhbkj9D0rUnO6A69ejA0a2UV2D6FfP54ENuJQcrCazWbcdsIF0dXdqNFd3vUBaDaKwIBVR4J2pHo6SDKXlM46m7rgGy/GNaVNOc27DsmLFUEQNnSqGE+ddkiSciqF3Va6S4K36og5hXdtuFI+bIpW3v7r9/e9aJLq0VvNp2ckOWv1JPaeJspAvek4k/yuI973K81K6NH+TOuFya1fJFohTYDiAc6g3JgKXKOIQjrOAapY9veDj3vkO26jahPQGuAnLr8pYoFU1FI8sM5VEARjj7g4RTdudb5XZW+32XkH5tqbJ0qxIN0tXnp33Dg39GPOyTNeQu7/vqMVO47wVkONFznHrdI6pT8/VzCmB3OHsx1814aL+uTbhCVVldBnmOB39rFaQE7neEPa7PoBLKkqGzIUNAobLudgvIstzNJbkRRI5NdQeLCzGTRhUouWEDy16IUluWYxz7FFj0apQpu4GToSisQ1yR5vNLVrL5dyENYJ5qZGBkiG8+KUqxw0cN/C9XW72Tp97ONEuk2BS9a4tD2pr4ripuDkXJNWQl5mk06pLCytXojuKcWWKebamxsmI5nI+8XE/UYjaXhXwlJEFWAaa7ovZG7oYN2QqnFPQXiXjCv+QeWxR9KvlgRELSoW7UxtDh98sSmYmT+G6gVvI+TyzFdeeFGOcDonqpBmxKDogHAcm5ZacLTh+f84DAJ1qprbAPQCXUJTEGlcP9VARp0REazFYY64s7jRBt1PmhLrUnzZzCauM0yzut5q9eg53L86UataD1CtcCqwpNbAHq1fMFFhTa2UPXr+jq1ZQs5a0wnWInjbpXUJl3Zh1Q/1Ym97ASrl9p90QPgwafGrt7qkawbxYvh25qP/Gr4aakmbDQ6DE4lzpJGtjftN7Re8RQzn7De1K6QVcUsuX3K6j+5Jas6B6FkkeqsobzCar99aR0ipXcVIixLpWZN9vJS6A3g5DPFVoGpbuMCb/SMKUMFh5mNY0CPeUQscXjduAmk3jDR9kI+c9NRqU1WYbv6qIGqRvAJs9mniiWnLL328G4Hyr3zSQPcR5UZXniTZFvg+kDOSEYY1kg5Nbg2I2jOZUhYqn19LHik91vaOTpkDKZ5y2cA0rKApMdcahay6tIw25WtZR87gpfpoKq0GKcqvMShBgq82npwj/X6r8OW5afGNZByEcEO+jsoFGyLvK0Sz2dSrJ/bbmV5NTId3avd7wGAHDAsPhsQq9H5LgC4Qzv3TtkpRqAfuV0TQa5P2e6m92fNpM0CBVkhG9frjK7gI9VW54LNhHZIm7gzp1tviowR2WN0ZmKnX+GBvF4zLJXdCnyigPnYHDUD5NjpkW80myzhjEVPlnRKOfIg+NDekhGWnEy5w4M40h74+bu/i+r1w1MpoDFT159jqo5UfnsVHT/Bvz2ZOkCU+c4UZVfzjX7cX8JDlvn0odm/3ujuJ7z4Kbbq399qyL8WHbeL7c/fFvcNT7n/O18M/52v/087Wb0zJUaYZsVnY2Ij/Gzm8qovDJUz3c5lur39J2D8wM7Vvds6vzo6cWjho0+a0BUn8SrfNCfBdsr0tqg+vbdnrAxtMG5vY+w/qvOcFxxouLNz+fj1+Pz8dvfjzrRbmzcJkap2Mwhq/eu9WbQcO8DeM/BPyO4aQGHzseuQ3zqrhkTKMxZ1EN9RvX33dP5w1D3AOv/f2urg1dtb/D6NgGkavBUz8N1mKiiZx3JRqg9tzcg/XGveLiwtXvZu/po5ZYn9ez//qHNz89j6LV3CxSWf4NN4vKno+1cro5aderidO1janpAWrogbVYwIvXr96+3NXICJprMsXuln5IYxw7qPznScbwRfq5/k1JHMG9LE1JxAhum8OwI/iViPrfr6jXm9/9Q8JlOKYfzqJ3T0pA62N8xFqU+IgxPTcNt90Tm11chird73x2vyBwnHQ9dTfbP/88MN3OBm6tq75PM9Gb8yQe1E0p0ICaGtSuRCYuNs4I9cfYZxA+IyibV7R7eo+P/+Hd237v7kdX5jnR/abVPzw+l0rjhEzVEi/gzevzt4+ZjgBjz2jcqN+9bcuq2qYp1o3UxrvjBchLYfmkz9W0ZbLz/YauQAYekErn5iJ8Uqxf6A53r7gjR5LgWFXSW1q0m2yGbOvPRFlmyCr/t84ur/lUb+tTf00Zzo6ySfSrhcc1KK83X4uqPplq+VbetXHgmIpn1VjxFAc44reCazQpOH50pA5iRomgpUg10hbfmvAAhmYjckIhh6/RDLJN99XOimf1wc4VtxkPXZteHd9pWkyStZW+aD7nkohW4dml3SztsiVqQzTHNAdMN+RCzUY0guBysam6Q78tBqU5khFBEs8k9lXeBuvPNwLZnAWqGnpApqq0QGQN6V8BAAD///eBqM4=" } diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml index 16a50f3a0ff4..ea68e4c23cb8 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: malwarebazaar +- name: abusech.malwarebazaar type: group description: > Fields for Malware Bazaar Threat Intel diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml index a8cbef0b52b4..6c90f1d86dc5 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml @@ -5,19 +5,14 @@ interval: {{ .interval }} request.method: POST {{ if .ssl }} - request.ssl: {{ .ssl | tojson }} {{ end }} {{ if .proxy_url }} request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} -#request.encode_as: application/x-www-form-encoded - +request.encode_as: application/x-www-form-urlencoded request.transforms: -- set: - target: header.Content-Type - value: application/x-www-form-urlencoded - set: target: url.params.query value: get_recent @@ -39,17 +34,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.md5_hash"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml index c2c4b51810d4..0a5aca9dbb34 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing Malware Bazaar Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -20,148 +24,182 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.malwarebazaar - ignore_missing: true + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.malwarebazaar + - fingerprint: + fields: + - abusech.malwarebazaar.md5_hash + - abusech.malwarebazaar.sha256_hash + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] AbuseCH MalwareBazaar" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - date: - field: threatintel.malwarebazaar.first_seen - target_field: threatintel.indicator.first_seen + field: abusech.malwarebazaar.first_seen + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.malwarebazaar.first_seen != null" + if: "ctx.abusech?.malwarebazaar?.first_seen != null" - date: - field: threatintel.malwarebazaar.last_seen - target_field: threatintel.indicator.last_seen + field: abusech.malwarebazaar.last_seen + target_field: threat.indicator.last_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.malwarebazaar.last_seen != null" + if: "ctx.abusech?.malwarebazaar?.last_seen != null" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - rename: - field: threatintel.malwarebazaar.file_name - target_field: threatintel.indicator.file.name + field: abusech.malwarebazaar.file_name + target_field: threat.indicator.file.name ignore_missing: true - rename: - field: threatintel.malwarebazaar.file_type_mime - target_field: threatintel.indicator.file.mime_type + field: abusech.malwarebazaar.file_type_mime + target_field: threat.indicator.file.mime_type ignore_missing: true - rename: - field: threatintel.malwarebazaar.reporter - target_field: threatintel.indicator.provider + field: abusech.malwarebazaar.reporter + target_field: threat.indicator.provider ignore_missing: true - rename: - field: threatintel.malwarebazaar.origin_country - target_field: threatintel.indicator.geo.country_iso_code + field: abusech.malwarebazaar.origin_country + target_field: threat.indicator.geo.country_iso_code ignore_missing: true - rename: - field: threatintel.malwarebazaar.signature - target_field: threatintel.indicator.signature + field: abusech.malwarebazaar.signature + target_field: threat.software.alias ignore_missing: true - foreach: - field: threatintel.malwarebazaar.code_sign + field: abusech.malwarebazaar.code_sign ignore_missing: true processor: rename: - field: subject_cn - target_field: threatintel.indicator.file.x509.subject.common_name + field: _ingest._value.subject_cn + target_field: threat.indicator.file.x509.subject.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: issuer_cn - target_field: threatintel.indicator.file.x509.issuer.common_name + field: _ingest._value.issuer_cn + target_field: threat.indicator.file.x509.issuer.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: algorithm - target_field: threatintel.indicator.file.x509.public_key_algorithm + field: _ingest._value.algorithm + target_field: threat.indicator.file.x509.public_key_algorithm + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: valid_from - target_field: threatintel.indicator.file.x509.not_before + field: _ingest._value.valid_from + target_field: threat.indicator.file.x509.not_before + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: valid_to - target_field: threatintel.indicator.file.x509.not_after + field: _ingest._value.valid_to + target_field: threat.indicator.file.x509.not_after + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: serial_number - target_field: threatintel.indicator.file.x509.serial_number + field: _ingest._value.serial_number + target_field: threat.indicator.file.x509.serial_number - rename: - field: threatintel.malwarebazaar.file_size - target_field: threatintel.indicator.file.size + field: abusech.malwarebazaar.file_size + target_field: threat.indicator.file.size ignore_missing: true - rename: - field: threatintel.malwarebazaar.file_type - target_field: threatintel.indicator.file.extension + field: abusech.malwarebazaar.file_type + target_field: threat.indicator.file.extension ignore_missing: true - rename: - field: threatintel.malwarebazaar.md5_hash - target_field: threatintel.indicator.file.hash.md5 + field: abusech.malwarebazaar.md5_hash + target_field: threat.indicator.file.hash.md5 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 + field: abusech.malwarebazaar.sha256_hash + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha1_hash - target_field: threatintel.indicator.file.hash.sha1 + field: abusech.malwarebazaar.sha1_hash + target_field: threat.indicator.file.hash.sha1 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha3_384_hash - target_field: threatintel.indicator.file.hash.sha384 + field: abusech.malwarebazaar.sha3_384_hash + target_field: threat.indicator.file.hash.sha384 ignore_missing: true - rename: - field: threatintel.malwarebazaar.imphash - target_field: threatintel.indicator.file.pe.imphash + field: abusech.malwarebazaar.imphash + target_field: threat.indicator.file.pe.imphash ignore_missing: true - rename: - field: threatintel.malwarebazaar.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep + field: abusech.malwarebazaar.ssdeep + target_field: threat.indicator.file.hash.ssdeep ignore_missing: true - rename: - field: threatintel.malwarebazaar.tlsh - target_field: threatintel.indicator.file.hash.tlsh + field: abusech.malwarebazaar.tlsh + target_field: threat.indicator.file.hash.tlsh ignore_missing: true - rename: - field: threatintel.malwarebazaar.telfhash - target_field: threatintel.indicator.file.elf.telfhash + field: abusech.malwarebazaar.telfhash + target_field: threat.indicator.file.elf.telfhash ignore_missing: true - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.md5 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + value: "{{ threat.indicator.file.hash.md5 }}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.sha256 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + value: "{{ threat.indicator.file.hash.sha256 }}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.ssdeep }}" - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + value: "{{ threat.indicator.file.hash.ssdeep }}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null - append: field: related.hash - value: "{{ threatintel.indicator.file.pe.imphash }}" - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + value: "{{ threat.indicator.file.pe.imphash }}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.elf.telfhash }}" - if: ctx?.threatintel?.indicator?.file?.elf?.telfhash != null + value: "{{ threat.indicator.file.elf.telfhash }}" + if: ctx?.threat?.indicator?.file?.elf?.telfhash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.tlsh }}" - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null + value: "{{ threat.indicator.file.hash.tlsh }}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null - convert: - field: threatintel.indicator.file.size + field: threat.indicator.file.size type: long ignore_missing: true - convert: - field: threatintel.malwarebazaar.intelligence.downloads + field: abusech.malwarebazaar.intelligence.downloads type: long ignore_missing: true - convert: - field: threatintel.malwarebazaar.intelligence.uploads + field: abusech.malwarebazaar.intelligence.uploads type: long ignore_missing: true @@ -169,12 +207,12 @@ processors: # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -196,10 +234,15 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.malwarebazaar.first_seen - - threatintel.malwarebazaar.last_seen + - abusech.malwarebazaar.first_seen + - abusech.malwarebazaar.last_seen - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml index e9294ca9e2e2..b90ea0d95628 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml @@ -11,6 +11,8 @@ var: - name: tags default: [threatintel-malwarebazaar, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json index 1d84eda36cb2..40b3f4289ec1 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json @@ -1,5 +1,12 @@ [ { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 15, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "exe" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -20,30 +27,29 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "exe", - "threatintel.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd", - "threatintel.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e", - "threatintel.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b", - "threatintel.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e", - "threatintel.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG", - "threatintel.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "SALM0BRU.exe", - "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", - "threatintel.indicator.file.size": 399872, - "threatintel.indicator.first_seen": "2021-04-06T20:34:58.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.provider": "James_inthe_box", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 15, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "exe" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "exe", + "threat.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd", + "threat.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e", + "threat.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b", + "threat.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e", + "threat.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG", + "threat.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "SALM0BRU.exe", + "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", + "threat.indicator.file.size": 399872, + "threat.indicator.first_seen": "2021-04-06T20:34:58.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.provider": "James_inthe_box", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 11, + "abusech.malwarebazaar.intelligence.uploads": 1, "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -63,26 +69,31 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "zip", - "threatintel.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac", - "threatintel.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795", - "threatintel.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f", - "threatintel.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7", - "threatintel.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr", - "threatintel.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF", - "threatintel.indicator.file.mime_type": "application/zip", - "threatintel.indicator.file.name": "PO_NO.ENQUIRY-210604.zip", - "threatintel.indicator.file.size": 476768, - "threatintel.indicator.first_seen": "2021-04-06T20:32:25.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.provider": "GovCERT_CH", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 11, - "threatintel.malwarebazaar.intelligence.uploads": 1 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "zip", + "threat.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac", + "threat.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795", + "threat.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f", + "threat.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7", + "threat.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr", + "threat.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF", + "threat.indicator.file.mime_type": "application/zip", + "threat.indicator.file.name": "PO_NO.ENQUIRY-210604.zip", + "threat.indicator.file.size": 476768, + "threat.indicator.first_seen": "2021-04-06T20:32:25.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.provider": "GovCERT_CH", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 30, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "Hancitor" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -103,31 +114,34 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "dll", - "threatintel.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277", - "threatintel.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3", - "threatintel.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b", - "threatintel.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc", - "threatintel.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG", - "threatintel.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "DropDll.dat", - "threatintel.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844", - "threatintel.indicator.file.size": 435926, - "threatintel.indicator.first_seen": "2021-04-06T20:12:29.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.provider": "DmitriyMelikov", - "threatintel.indicator.signature": "Hancitor", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 30, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "Hancitor" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "dll", + "threat.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277", + "threat.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3", + "threat.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b", + "threat.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc", + "threat.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG", + "threat.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "DropDll.dat", + "threat.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844", + "threat.indicator.file.size": 435926, + "threat.indicator.first_seen": "2021-04-06T20:12:29.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.provider": "DmitriyMelikov", + "threat.indicator.type": "file", + "threat.software.alias": "Hancitor" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 27, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "backdoor", + "python" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -147,30 +161,31 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "unknown", - "threatintel.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5", - "threatintel.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099", - "threatintel.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00", - "threatintel.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c", - "threatintel.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7", - "threatintel.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD", - "threatintel.indicator.file.mime_type": "text/x-script.python", - "threatintel.indicator.file.name": "vabsheche.py", - "threatintel.indicator.file.size": 11717, - "threatintel.indicator.first_seen": "2021-04-06T20:07:59.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "ArkbirdDevil", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 27, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "backdoor", - "python" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "unknown", + "threat.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5", + "threat.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099", + "threat.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00", + "threat.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c", + "threat.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7", + "threat.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD", + "threat.indicator.file.mime_type": "text/x-script.python", + "threat.indicator.file.name": "vabsheche.py", + "threat.indicator.file.size": 11717, + "threat.indicator.first_seen": "2021-04-06T20:07:59.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "ArkbirdDevil", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 21, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "maldoc" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -190,29 +205,32 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "docx", - "threatintel.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019", - "threatintel.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6", - "threatintel.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4", - "threatintel.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f", - "threatintel.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2", - "threatintel.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144", - "threatintel.indicator.file.mime_type": "application/msword", - "threatintel.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin", - "threatintel.indicator.file.size": 7929856, - "threatintel.indicator.first_seen": "2021-04-06T20:00:48.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "ArkbirdDevil", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 21, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "maldoc" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "docx", + "threat.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019", + "threat.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6", + "threat.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4", + "threat.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f", + "threat.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2", + "threat.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144", + "threat.indicator.file.mime_type": "application/msword", + "threat.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin", + "threat.indicator.file.size": 7929856, + "threat.indicator.first_seen": "2021-04-06T20:00:48.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "ArkbirdDevil", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 30, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "apt", + "tonto" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -233,31 +251,29 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "dll", - "threatintel.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917", - "threatintel.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143", - "threatintel.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c", - "threatintel.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58", - "threatintel.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E", - "threatintel.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "winlog.wll", - "threatintel.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9", - "threatintel.indicator.file.size": 131584, - "threatintel.indicator.first_seen": "2021-04-06T19:58:50.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "ArkbirdDevil", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 30, - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "apt", - "tonto" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "dll", + "threat.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917", + "threat.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143", + "threat.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c", + "threat.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58", + "threat.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E", + "threat.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "winlog.wll", + "threat.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9", + "threat.indicator.file.size": 131584, + "threat.indicator.first_seen": "2021-04-06T19:58:50.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "ArkbirdDevil", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 32, + "abusech.malwarebazaar.intelligence.uploads": 1, "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -277,26 +293,33 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "docx", - "threatintel.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989", - "threatintel.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742", - "threatintel.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606", - "threatintel.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4", - "threatintel.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO", - "threatintel.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7", - "threatintel.indicator.file.mime_type": "application/msword", - "threatintel.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample", - "threatintel.indicator.file.size": 1088000, - "threatintel.indicator.first_seen": "2021-04-06T19:58:44.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.provider": "DmitriyMelikov", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 32, - "threatintel.malwarebazaar.intelligence.uploads": 1 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "docx", + "threat.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989", + "threat.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742", + "threat.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606", + "threat.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4", + "threat.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO", + "threat.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7", + "threat.indicator.file.mime_type": "application/msword", + "threat.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample", + "threat.indicator.file.size": 1088000, + "threat.indicator.first_seen": "2021-04-06T19:58:44.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.provider": "DmitriyMelikov", + "threat.indicator.type": "file" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 38, + "abusech.malwarebazaar.intelligence.mail.Generic": "low", + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "SnakeKeylogger", + "exe" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -317,33 +340,35 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "exe", - "threatintel.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a", - "threatintel.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934", - "threatintel.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b", - "threatintel.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d", - "threatintel.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0", - "threatintel.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "Purchase Order.8000.scan.pdf...exe", - "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", - "threatintel.indicator.file.size": 752128, - "threatintel.indicator.first_seen": "2021-04-06T19:52:32.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "James_inthe_box", - "threatintel.indicator.signature": "SnakeKeylogger", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 38, - "threatintel.malwarebazaar.intelligence.mail.Generic": "low", - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "SnakeKeylogger", - "exe" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "exe", + "threat.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a", + "threat.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934", + "threat.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b", + "threat.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d", + "threat.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0", + "threat.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "Purchase Order.8000.scan.pdf...exe", + "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", + "threat.indicator.file.size": 752128, + "threat.indicator.first_seen": "2021-04-06T19:52:32.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "James_inthe_box", + "threat.indicator.type": "file", + "threat.software.alias": "SnakeKeylogger" }, { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 40, + "abusech.malwarebazaar.intelligence.mail.Generic": "low", + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "AgentTesla", + "exe" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", @@ -364,30 +389,23 @@ "forwarded", "threatintel-malwarebazaar" ], - "threatintel.indicator.file.extension": "exe", - "threatintel.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3", - "threatintel.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5", - "threatintel.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8", - "threatintel.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c", - "threatintel.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN", - "threatintel.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655", - "threatintel.indicator.file.mime_type": "application/x-dosexec", - "threatintel.indicator.file.name": "New Order PO#121012020_____PDF_______.exe", - "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", - "threatintel.indicator.file.size": 836096, - "threatintel.indicator.first_seen": "2021-04-06T19:47:13.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.provider": "James_inthe_box", - "threatintel.indicator.signature": "AgentTesla", - "threatintel.indicator.type": "file", - "threatintel.malwarebazaar.anonymous": 0, - "threatintel.malwarebazaar.code_sign": [], - "threatintel.malwarebazaar.intelligence.downloads": 40, - "threatintel.malwarebazaar.intelligence.mail.Generic": "low", - "threatintel.malwarebazaar.intelligence.uploads": 1, - "threatintel.malwarebazaar.tags": [ - "AgentTesla", - "exe" - ] + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar", + "threat.indicator.file.extension": "exe", + "threat.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3", + "threat.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5", + "threat.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8", + "threat.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c", + "threat.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN", + "threat.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655", + "threat.indicator.file.mime_type": "application/x-dosexec", + "threat.indicator.file.name": "New Order PO#121012020_____PDF_______.exe", + "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", + "threat.indicator.file.size": 836096, + "threat.indicator.first_seen": "2021-04-06T19:47:13.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.provider": "James_inthe_box", + "threat.indicator.type": "file", + "threat.software.alias": "AgentTesla" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml index 922f794af204..53ce56b16a29 100644 --- a/x-pack/filebeat/module/threatintel/misp/config/config.yml +++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml @@ -12,18 +12,24 @@ request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} request.body: - limit: 100 - page: 1 - returnFormat: json -{{if .filters}} - {{ range $key, $value := .filters}}{{$key}}: {{$value | tojson}}{{end}} -{{end}} +{{ if .filters }} + {{ .filters | tojson}} +{{ end }} request.transforms: {{ if .api_token }} - set: target: header.Authorization value: {{ .api_token }} -{{end}} +{{ end }} +- set: + target: body.page + value: 1 +- set: + target: body.limit + value: 10 +- set: + target: body.returnFormat + value: json - set: target: body.timestamp value: '[[.cursor.timestamp]]' @@ -63,28 +69,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: - - json.Event.Attribute.uuid - - json.Event.Object.Attribute.uuid - ignore_missing: true - target_field: "@metadata._id" - encoding: base64 - - script: - lang: javascript - id: my_filter - source: > - function process(event) { - event.Put("@metadata.op_type", "index"); - } - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml index e64379422db6..f4f54c903b9b 100644 --- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml @@ -1,3 +1,4 @@ +--- description: Pipeline for parsing MISP Threat Intel processors: #################### @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -19,236 +23,253 @@ processors: ###################### # General ECS fields # ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.Event.Attribute.uuid + - json.Event.Object.Attribute.uuid + target_field: "_id" + ignore_missing: true - rename: field: json.Event - target_field: threatintel.misp + target_field: misp ignore_missing: true - set: - field: threatintel.indicator.provider + field: threat.indicator.provider value: misp - if: ctx?.threatintel?.misp?.Orgc?.local != 'false' + if: ctx.misp?.Orgc?.local != 'false' - set: - field: threatintel.indicator.provider + field: threat.indicator.provider value: "{{misp.Orgc.name}}" - if: ctx?.threatintel?.misp?.Orgc?.local == 'false' + if: ctx.misp?.Orgc?.local == 'false' ignore_empty_value: true # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - remove: field: - - threatintel.misp.ShadowAttribute - - threatintel.misp.RelatedEvent - - threatintel.misp.Galaxy - - threatintel.misp.Attribute.Galaxy - - threatintel.misp.Attribute.ShadowAttribute - - threatintel.misp.EventReport - - threatintel.misp.Object.Attribute.Galaxy - - threatintel.misp.Object.Attribute.ShadowAttribute - - message + - misp.ShadowAttribute + - misp.RelatedEvent + - misp.Galaxy + - misp.Attribute.Galaxy + - misp.Attribute.ShadowAttribute + - misp.EventReport + - misp.Object.Attribute.Galaxy + - misp.Object.Attribute.ShadowAttribute ignore_missing: true - remove: field: - - threatintel.misp.Attribute + - misp.Attribute ignore_missing: true - if: ctx?.threatintel?.misp?.Attribute.size() == 0 + if: ctx.misp?.Attribute.size() == 0 - remove: field: - - threatintel.misp.Object + - misp.Object ignore_missing: true - if: ctx?.threatintel?.misp?.Object.size() == 0 + if: ctx.misp?.Object.size() == 0 - date: - field: threatintel.misp.timestamp + field: misp.timestamp formats: - UNIX ignore_failure: true - rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute + field: misp.Attribute + target_field: misp.attribute ignore_missing: true - rename: - field: threatintel.misp.Object - target_field: threatintel.misp.object + field: misp.Object + target_field: misp.object ignore_missing: true - rename: - field: threatintel.misp.object.Attribute - target_field: threatintel.misp.object.attribute + field: misp.object.Attribute + target_field: misp.object.attribute ignore_missing: true - rename: - field: threatintel.misp.Orgc - target_field: threatintel.misp.orgc + field: misp.Orgc + target_field: misp.orgc ignore_missing: true - rename: - field: threatintel.misp.Org - target_field: threatintel.misp.org + field: misp.Org + target_field: misp.org ignore_missing: true - rename: - field: threatintel.misp.Tag - target_field: threatintel.misp.tag + field: misp.Tag + target_field: misp.tag ignore_missing: true # # Dance around issue of not being able to split the document into two. # # Make the Object.Attribute field primary if it exists, but keep the # # outer Attribute as context. - rename: - field: threatintel.misp.attribute - target_field: threatintel.misp.context.attribute + field: misp.attribute + target_field: misp.context.attribute ignore_missing: true - if: ctx?.threatintel?.misp?.object != null + if: ctx.misp?.object != null - rename: - field: threatintel.misp.object.attribute - target_field: threatintel.misp.attribute + field: misp.object.attribute + target_field: misp.attribute ignore_missing: true - if: ctx?.threatintel?.misp?.object != null + if: ctx.misp?.object != null ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] MISP" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - rename: - field: threatintel.misp.attribute.first_seen - target_field: threatintel.indicator.first_seen + field: misp.attribute.first_seen + target_field: threat.indicator.first_seen ignore_missing: true - rename: - field: threatintel.misp.attribute.last_seen - target_field: threatintel.indicator.last_seen + field: misp.attribute.last_seen + target_field: threat.indicator.last_seen ignore_missing: true - convert: - field: threatintel.misp.analysis + field: misp.analysis type: long - target_field: threatintel.indicator.scanner_stats + target_field: threat.indicator.scanner_stats ignore_missing: true - convert: - field: threatintel.misp.threat_level_id + field: misp.threat_level_id type: long ignore_missing: true ## File/Hash indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename'))" + if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))" - rename: - field: threatintel.misp.attribute.value - target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" + field: misp.attribute.value + target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.file.name + field: misp.attribute.value + target_field: threat.indicator.file.name ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" - grok: - field: threatintel.misp.attribute.type + field: misp.attribute.type patterns: - "%{WORD}\\|%{WORD:_tmp.hashtype}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - set: - field: threatintel.indicator.file.hash.{{_tmp.hashtype}} + field: threat.indicator.file.hash.{{_tmp.hashtype}} value: "{{_tmp.hashvalue}}" - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" ## URL/URI indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)" - uri_parts: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url + field: misp.attribute.value + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' - + if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" + if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" ## Regkey indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: windows-registry-key - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.registry.key + field: misp.attribute.value + target_field: threat.indicator.registry.key ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" + if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" + - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" ignore_missing: true - if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" + if: "ctx.misp?.attribute?.type == 'regkey|value'" ## AS indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: autonomous-system - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" - convert: - field: threatintel.misp.attribute.value + field: misp.attribute.value type: long - target_field: threatintel.indicator.as.number + target_field: threat.indicator.as.number ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'autonomous-system' + if: ctx.threat?.indicator?.type == 'autonomous-system' ## Domain/IP/Port indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))" + if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url.domain + field: misp.attribute.value + target_field: threat.indicator.url.domain ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null" + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.ip + field: misp.attribute.value + target_field: threat.indicator.ip ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}" + - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" ignore_missing: true - if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null + if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" + - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" ignore_missing: true - if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" ## Email indicator operations # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-message - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.email.address + field: misp.attribute.value + target_field: threat.indicator.email.address ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + if: ctx.threat?.indicator?.type == 'email-addr' - rename: - field: threatintel.misp.event_creator_email + field: misp.event_creator_email target_field: user.email ignore_missing: true - append: @@ -258,14 +279,14 @@ processors: ## MAC Address indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: mac-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.mac + field: misp.attribute.value + target_field: threat.indicator.mac ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'mac-addr' + if: ctx.threat?.indicator?.type == 'mac-addr' ################### # Tags ECS fields # @@ -273,9 +294,9 @@ processors: # Stripping special characters from tags - script: lang: painless - if: ctx?.threatintel?.misp?.tag != null + if: ctx.misp?.tag != null source: | - def tags = ctx.threatintel.misp.tag.stream() + def tags = ctx.misp.tag.stream() .map(t -> t.name.replace('\\', '').replace('"', '')) .collect(Collectors.toList()); def tlpTags = tags.stream() @@ -284,20 +305,45 @@ processors: .collect(Collectors.toList()); ctx.tags = tags; - ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ]; + ctx.threat.indicator.marking = [ 'tlp': tlpTags ]; # Setting indicator type to unknown if it does not match anything - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null + + ################# + # Convert types # + ################# + - convert: + field: misp.attribute.distribution + type: long + ignore_missing: true + - convert: + field: misp.context.attribute.distribution + type: long + ignore_missing: true + - convert: + field: threat.indicator.port + type: long + ignore_missing: true + - convert: + field: misp.attribute_count + type: long + ignore_missing: true ###################### # Cleanup processors # ###################### + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.misp != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -322,24 +368,24 @@ processors: # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - remove: field: - - threatintel.misp.attribute.value + - misp.attribute.value ignore_missing: true - if: ctx?.threatintel?.indicator?.type != 'unknown' + if: ctx.threat?.indicator?.type != 'unknown' - remove: field: # This removes a number of fields that may be wanted in the future when - # threatintel.misp.attribute and threatintel.misp.object.attribute can + # misp.attribute and misp.object.attribute can # be separated. At the root of .object are fields that mirror fields at - # the root of threatintel.misp. - - threatintel.misp.object + # the root of misp. + - misp.object ignore_missing: true - remove: field: - - threatintel.misp.Attribute.timestamp - - threatintel.misp.timestamp - - threatintel.misp.tag - - threatintel.misp.org - - threatintel.misp.analysis + - misp.Attribute.timestamp + - misp.timestamp + - misp.tag + - misp.org + - misp.analysis - _tmp - json ignore_missing: true diff --git a/x-pack/filebeat/module/threatintel/misp/manifest.yml b/x-pack/filebeat/module/threatintel/misp/manifest.yml index 41443c01df8d..3a91b68f4fed 100644 --- a/x-pack/filebeat/module/threatintel/misp/manifest.yml +++ b/x-pack/filebeat/module/threatintel/misp/manifest.yml @@ -15,6 +15,8 @@ var: - name: tags default: [threatintel-misp, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json index 9f4dbc50fc83..04e12fc0323d 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json @@ -9,6 +9,39 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 0, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "5", + "misp.attribute.id": "351", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1503930272", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81", + "misp.attribute_count": 7, + "misp.date": "2017-08-25", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "5", + "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CIRCL", + "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1603226331", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f", "service.type": "threatintel", "tags": [ "malware_classification:malware-category=Ransomware", @@ -17,46 +50,15 @@ "tlp:white", "type:OSINT" ], - "threatintel.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "5", - "threatintel.misp.attribute.id": "351", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1503930272", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81", - "threatintel.misp.attribute_count": "7", - "threatintel.misp.date": "2017-08-25", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "5", - "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CIRCL", - "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1603226331", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "file" }, { "@timestamp": "2017-08-28T14:24:36.000Z", @@ -68,6 +70,39 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 8248, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "1st stage", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "14", + "misp.attribute.id": "10794", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1542652482", + "misp.attribute.to_ids": false, + "misp.attribute.type": "domain|ip", + "misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219", + "misp.attribute_count": 7, + "misp.date": "2017-08-25", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "5", + "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CIRCL", + "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1603226331", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f", "service.type": "threatintel", "tags": [ "malware_classification:malware-category=Ransomware", @@ -76,47 +111,16 @@ "tlp:white", "type:OSINT" ], - "threatintel.indicator.ip": "178.128.103.74", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "178.128.103.74", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "your-ip.getmyip.com", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "1st stage", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "14", - "threatintel.misp.attribute.id": "10794", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1542652482", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "domain|ip", - "threatintel.misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219", - "threatintel.misp.attribute_count": "7", - "threatintel.misp.date": "2017-08-25", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "5", - "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CIRCL", - "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1603226331", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "your-ip.getmyip.com" }, { "@timestamp": "2017-04-28T18:23:44.000Z", @@ -128,55 +132,57 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 16434, + "misp.attribute.category": "External analysis", + "misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "4", + "misp.attribute.id": "342", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1490878550", + "misp.attribute.to_ids": false, + "misp.attribute.type": "link", + "misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81", + "misp.attribute_count": 100, + "misp.date": "2017-03-30", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "4", + "misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CIRCL", + "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1603226330", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f", "service.type": "threatintel", "tags": [ "misp-galaxy:tool=Turla", "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "www.virustotal.com", - "threatintel.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", - "threatintel.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", - "threatintel.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", - "threatintel.indicator.url.scheme": "https", - "threatintel.misp.attribute.category": "External analysis", - "threatintel.misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "4", - "threatintel.misp.attribute.id": "342", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1490878550", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "link", - "threatintel.misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81", - "threatintel.misp.attribute_count": "100", - "threatintel.misp.date": "2017-03-30", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "4", - "threatintel.misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CIRCL", - "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1603226330", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "url", + "threat.indicator.url.domain": "www.virustotal.com", + "threat.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", + "threat.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", + "threat.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", + "threat.indicator.url.scheme": "https" }, { "@timestamp": "2014-10-06T07:12:57.000Z", @@ -188,51 +194,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 20139, + "misp.attribute.category": "External analysis", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1077", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579394", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha256", + "misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "External analysis", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1077", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579394", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha256", - "threatintel.misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "file" }, { "@timestamp": "2014-10-06T07:12:57.000Z", @@ -244,51 +252,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 21711, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1084", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579457", + "misp.attribute.to_ids": true, + "misp.attribute.type": "ip-dst", + "misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.ip": "223.25.233.248", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "223.25.233.248", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1084", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579457", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "ip-dst", - "threatintel.misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "ipv4-addr" }, { "@timestamp": "2014-10-06T07:12:57.000Z", @@ -300,51 +310,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 23232, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1086", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "hostname", + "misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "xenserver.ddns.net", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1086", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "hostname", - "threatintel.misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "xenserver.ddns.net" }, { "@timestamp": "2014-10-06T07:12:57.000Z", @@ -356,51 +368,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 24759, + "misp.attribute.category": "External analysis", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1089", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579577", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b", + "misp.attribute.value": "Nitro", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "External analysis", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1089", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579577", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b", - "threatintel.misp.attribute.value": "Nitro", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "unknown" }, { "@timestamp": "2014-10-06T07:12:57.000Z", @@ -412,51 +426,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 26271, + "misp.attribute.category": "External analysis", + "misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1090", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1455826343", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha1", + "misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "External analysis", - "threatintel.misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1090", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1455826343", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha1", - "threatintel.misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "file" }, { "@timestamp": "2014-10-06T07:12:57.000Z", @@ -468,51 +484,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 27875, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "22", + "misp.attribute.id": "12394", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1462454963", + "misp.attribute.to_ids": false, + "misp.attribute.type": "domain", + "misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "whatsapp.com", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "22", - "threatintel.misp.attribute.id": "12394", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1462454963", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "domain", - "threatintel.misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "whatsapp.com" }, { "@timestamp": "2018-08-28T13:20:17.000Z", @@ -524,57 +542,59 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 29397, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Fake adobe URL", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17299", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515427692", + "misp.attribute.to_ids": false, + "misp.attribute.type": "url", + "misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "get.adobe.com", - "threatintel.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=", - "threatintel.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=", - "threatintel.indicator.url.path": "/stats/AbfFcBebD/", - "threatintel.indicator.url.query": "q=", - "threatintel.indicator.url.scheme": "http", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Fake adobe URL", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17299", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515427692", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "url", - "threatintel.misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "url", + "threat.indicator.url.domain": "get.adobe.com", + "threat.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=", + "threat.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=", + "threat.indicator.url.path": "/stats/AbfFcBebD/", + "threat.indicator.url.query": "q=", + "threat.indicator.url.scheme": "http" }, { "@timestamp": "2018-08-28T13:20:17.000Z", @@ -586,51 +606,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 31486, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Win32 backdoor C&C URI", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17330", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515429089", + "misp.attribute.to_ids": false, + "misp.attribute.type": "uri", + "misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "url", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Win32 backdoor C&C URI", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17330", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515429089", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "uri", - "threatintel.misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "url" }, { "@timestamp": "2018-08-28T13:20:17.000Z", @@ -642,53 +664,55 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 33567, + "misp.attribute.category": "Artifacts dropped", + "misp.attribute.comment": "JavaScript backdoor", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17322", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515429089", + "misp.attribute.to_ids": false, + "misp.attribute.type": "filename|sha1", + "misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea", - "threatintel.indicator.file.name": "google_update_checker.js", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea", + "threat.indicator.file.name": "google_update_checker.js", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Artifacts dropped", - "threatintel.misp.attribute.comment": "JavaScript backdoor", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17322", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515429089", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "filename|sha1", - "threatintel.misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file" }, { "@timestamp": "2018-01-23T16:09:56.000Z", @@ -700,50 +724,52 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 35697, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "22", + "misp.attribute.id": "12268", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1456266422", + "misp.attribute.to_ids": true, + "misp.attribute.type": "email-src", + "misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a", + "misp.attribute_count": 133, + "misp.date": "2015-12-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "22", + "misp.info": "Packrat: Seven Years of a South American Threat Actor", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "4", + "misp.orgc.local": false, + "misp.orgc.name": "CUDESO", + "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "misp.orgc_id": "4", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637901", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a", "service.type": "threatintel", "tags": [ "tlp:white" ], - "threatintel.indicator.email.address": "claudiobonadio88@gmail.com", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.email.address": "claudiobonadio88@gmail.com", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "email-addr", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "22", - "threatintel.misp.attribute.id": "12268", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1456266422", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "email-src", - "threatintel.misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a", - "threatintel.misp.attribute_count": "133", - "threatintel.misp.date": "2015-12-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "22", - "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "4", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CUDESO", - "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", - "threatintel.misp.orgc_id": "4", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637901", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "email-addr" }, { "@timestamp": "2018-01-23T16:09:56.000Z", @@ -755,50 +781,52 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 37011, + "misp.attribute.category": "Artifacts dropped", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "22", + "misp.attribute.id": "12298", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1456266454", + "misp.attribute.to_ids": true, + "misp.attribute.type": "regkey", + "misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a", + "misp.attribute_count": 133, + "misp.date": "2015-12-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "22", + "misp.info": "Packrat: Seven Years of a South American Threat Actor", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "4", + "misp.orgc.local": false, + "misp.orgc.name": "CUDESO", + "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "misp.orgc_id": "4", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637901", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a", "service.type": "threatintel", "tags": [ "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "windows-registry-key", - "threatintel.misp.attribute.category": "Artifacts dropped", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "22", - "threatintel.misp.attribute.id": "12298", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1456266454", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "regkey", - "threatintel.misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a", - "threatintel.misp.attribute_count": "133", - "threatintel.misp.date": "2015-12-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "22", - "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "4", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CUDESO", - "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", - "threatintel.misp.orgc_id": "4", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637901", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + "threat.indicator.provider": "misp", + "threat.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "windows-registry-key" }, { "@timestamp": "2020-12-13T14:03:16.000Z", @@ -810,51 +838,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 38330, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "On port 2222", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "10", + "misp.attribute.id": "10686", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1607517728", + "misp.attribute.to_ids": true, + "misp.attribute.type": "ip-dst|port", + "misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16", + "misp.attribute_count": 15, + "misp.date": "2020-12-09", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "10", + "misp.info": "Recent Qakbot (Qbot) activity", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "4", + "misp.orgc.local": false, + "misp.orgc.name": "CUDESO", + "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "misp.orgc_id": "4", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637888", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16", "service.type": "threatintel", "tags": [ "misp-galaxy:banker=Qakbot", "tlp:white" ], - "threatintel.indicator.ip": "62.38.114.12", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "62.38.114.12", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.port": "2222", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "On port 2222", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "10", - "threatintel.misp.attribute.id": "10686", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1607517728", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "ip-dst|port", - "threatintel.misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16", - "threatintel.misp.attribute_count": "15", - "threatintel.misp.date": "2020-12-09", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "10", - "threatintel.misp.info": "Recent Qakbot (Qbot) activity", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "4", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CUDESO", - "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", - "threatintel.misp.orgc_id": "4", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637888", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16" + "threat.indicator.port": 2222, + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "ipv4-addr" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json index 6db06ab777c0..ae03f9bce957 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json @@ -9,48 +9,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 0, + "misp.attribute.category": "Payload installation", + "misp.attribute.comment": "Contextual comment for the file md5 attribute", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3631", + "misp.attribute.id": "266258", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588162", + "misp.attribute.to_ids": false, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52", + "misp.attribute_count": 1, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3631", + "misp.info": "Test event 1 just atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload installation", - "threatintel.misp.attribute.comment": "Contextual comment for the file md5 attribute", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3631", - "threatintel.misp.attribute.id": "266258", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588162", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52", - "threatintel.misp.attribute_count": "1", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3631", - "threatintel.misp.info": "Test event 1 just atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -66,48 +68,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 1614, + "misp.attribute.category": "Artifacts dropped", + "misp.attribute.comment": "Artefact dropped for test 2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266259", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588675", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Artifacts dropped", - "threatintel.misp.attribute.comment": "Artefact dropped for test 2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266259", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588675", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -123,48 +127,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 3241, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Conext for domain type attribute event 2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266260", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588744", + "misp.attribute.to_ids": true, + "misp.attribute.type": "domain", + "misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "baddom.madeup.local", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Conext for domain type attribute event 2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266260", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588744", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "domain", - "threatintel.misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "baddom.madeup.local", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -180,48 +186,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 4870, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Ip-src attribute context for event2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266261", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588800", + "misp.attribute.to_ids": false, + "misp.attribute.type": "ip-src", + "misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.ip": "10.0.0.1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Ip-src attribute context for event2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266261", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588800", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "ip-src", - "threatintel.misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "10.0.0.1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "ipv4-addr", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -237,48 +245,50 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 6484, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "ip-dst context for event id 2", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3632", + "misp.attribute.id": "266262", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621588836", + "misp.attribute.to_ids": true, + "misp.attribute.type": "ip-dst", + "misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30", + "misp.attribute_count": 4, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3632", + "misp.info": "Test event 2 just more atrributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.ip": "192.168.1.50", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "ip-dst context for event id 2", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3632", - "threatintel.misp.attribute.id": "266262", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621588836", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "ip-dst", - "threatintel.misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30", - "threatintel.misp.attribute_count": "4", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3632", - "threatintel.misp.info": "Test event 2 just more atrributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "192.168.1.50", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "ipv4-addr", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -294,63 +304,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 8095, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266267", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "fullpath", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6", + "misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266267", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "fullpath", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6", - "threatintel.misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -366,63 +378,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 10558, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266268", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "size-in-bytes", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": false, + "misp.attribute.type": "size-in-bytes", + "misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581", + "misp.attribute.value": "505050", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266268", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "size-in-bytes", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "size-in-bytes", - "threatintel.misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581", - "threatintel.misp.attribute.value": "505050", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -438,63 +452,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 12990, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266264", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266264", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -510,63 +526,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 15439, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266265", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "sha256", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha256", + "misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266265", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "sha256", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha256", - "threatintel.misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -582,63 +600,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 17926, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3633", + "misp.attribute.id": "266266", + "misp.attribute.object_id": "18207", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621589548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2", + "misp.attribute_count": 6, + "misp.context.attribute.category": "Payload delivery", + "misp.context.attribute.comment": "filename contect for test event 3", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3633", + "misp.context.attribute.id": "266263", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1621589229", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "filename", + "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "misp.context.attribute.value": "thetestfile.txt", + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3633", + "misp.info": "Test event 3 objects and attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "filenameofobject.txt", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3633", - "threatintel.misp.attribute.id": "266266", - "threatintel.misp.attribute.object_id": "18207", - "threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621589548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2", - "threatintel.misp.attribute_count": "6", - "threatintel.misp.context.attribute.category": "Payload delivery", - "threatintel.misp.context.attribute.comment": "filename contect for test event 3", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3633", - "threatintel.misp.context.attribute.id": "266263", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1621589229", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "filename", - "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "threatintel.misp.context.attribute.value": "thetestfile.txt", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3633", - "threatintel.misp.info": "Test event 3 objects and attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "filenameofobject.txt", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -654,49 +674,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 20372, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3634", + "misp.attribute.id": "266269", + "misp.attribute.object_id": "18208", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621591770", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67", + "misp.attribute.value": "Free text in the file object", + "misp.attribute_count": 3, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3634", + "misp.info": "Test event 4 with object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3634", - "threatintel.misp.attribute.id": "266269", - "threatintel.misp.attribute.object_id": "18208", - "threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621591770", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67", - "threatintel.misp.attribute.value": "Free text in the file object", - "threatintel.misp.attribute_count": "3", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3634", - "threatintel.misp.info": "Test event 4 with object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -712,49 +734,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 21959, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3634", + "misp.attribute.id": "266270", + "misp.attribute.object_id": "18208", + "misp.attribute.object_relation": "sha256", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621591770", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha256", + "misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25", + "misp.attribute_count": 3, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3634", + "misp.info": "Test event 4 with object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3634", - "threatintel.misp.attribute.id": "266270", - "threatintel.misp.attribute.object_id": "18208", - "threatintel.misp.attribute.object_relation": "sha256", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621591770", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha256", - "threatintel.misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25", - "threatintel.misp.attribute_count": "3", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3634", - "threatintel.misp.info": "Test event 4 with object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -770,49 +794,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 23597, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3634", + "misp.attribute.id": "266271", + "misp.attribute.object_id": "18208", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621591770", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140", + "misp.attribute_count": 3, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3634", + "misp.info": "Test event 4 with object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 3, + "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "filenameinmispobject.txt", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3634", - "threatintel.misp.attribute.id": "266271", - "threatintel.misp.attribute.object_id": "18208", - "threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621591770", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140", - "threatintel.misp.attribute_count": "3", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3634", - "threatintel.misp.info": "Test event 4 with object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 3, - "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "filenameinmispobject.txt", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -828,49 +854,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 25198, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266272", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8", + "misp.attribute.value": "Object 5 free text attribute in object", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266272", - "threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8", - "threatintel.misp.attribute.value": "Object 5 free text attribute in object", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -886,49 +914,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 26791, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266275", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "entropy", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": false, + "misp.attribute.type": "float", + "misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252", + "misp.attribute.value": "0.53535445", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266275", - "threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": "entropy", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "float", - "threatintel.misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252", - "threatintel.misp.attribute.value": "0.53535445", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -944,49 +974,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 28360, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266276", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "size-in-bytes", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": false, + "misp.attribute.type": "size-in-bytes", + "misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7", + "misp.attribute.value": "55555", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266276", - "threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": "size-in-bytes", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "size-in-bytes", - "threatintel.misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7", - "threatintel.misp.attribute.value": "55555", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1002,49 +1034,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 29938, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266273", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "sha256", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha256", + "misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266273", - "threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": "sha256", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha256", - "threatintel.misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1060,49 +1094,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 31572, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266274", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "object5.txt", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266274", - "threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "object5.txt", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1118,63 +1154,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 33156, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266278", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987", + "misp.attribute.value": "Excutable create bad pipe", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266278", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987", - "threatintel.misp.attribute.value": "Excutable create bad pipe", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1190,63 +1228,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 35151, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266281", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "size-in-bytes", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "size-in-bytes", + "misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", + "misp.attribute.value": "3892", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266281", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "size-in-bytes", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "size-in-bytes", - "threatintel.misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", - "threatintel.misp.attribute.value": "3892", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1262,63 +1302,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 37149, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266283", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "name", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", + "misp.attribute.value": ".data", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266283", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "name", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", - "threatintel.misp.attribute.value": ".data", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1334,63 +1376,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 39130, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266284", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", + "misp.attribute.value": "Extracted zip archive data", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266284", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", - "threatintel.misp.attribute.value": "Extracted zip archive data", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1406,63 +1450,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 41132, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266285", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "entropy", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "float", + "misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", + "misp.attribute.value": "7.93280431051", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266285", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "entropy", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "float", - "threatintel.misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", - "threatintel.misp.attribute.value": "7.93280431051", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1478,63 +1524,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 43125, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266279", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266279", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1550,63 +1598,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 45136, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266282", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266282", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" @@ -1622,63 +1672,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 47153, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266280", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "badmojopipe.exe", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266280", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "badmojopipe.exe", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" diff --git a/x-pack/filebeat/module/threatintel/otx/config/config.yml b/x-pack/filebeat/module/threatintel/otx/config/config.yml index 9e2f5169e6f0..fe18e1141d3e 100644 --- a/x-pack/filebeat/module/threatintel/otx/config/config.yml +++ b/x-pack/filebeat/module/threatintel/otx/config/config.yml @@ -55,17 +55,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml index 4cb3ed37aef7..4b3f6aeaea6a 100644 --- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing MISP Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -20,108 +24,126 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.otx + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: otx + - fingerprint: + fields: + - otx.id + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] Alienvault OTX" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" ## File indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'" + if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.md5 + field: otx.indicator + target_field: threat.indicator.file.hash.md5 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'" + if: "ctx.otx?.type == 'FileHash-MD5'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha1 + field: otx.indicator + target_field: threat.indicator.file.hash.sha1 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'" + if: "ctx.otx?.type == 'FileHash-SHA1'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha256 + field: otx.indicator + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'" + if: "ctx.otx?.type == 'FileHash-SHA256'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.pehash + field: otx.indicator + target_field: threat.indicator.file.hash.pehash ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'" + if: "ctx.otx?.type == 'FileHash-PEHASH'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.imphash + field: otx.indicator + target_field: threat.indicator.file.hash.imphash ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'" + if: "ctx.otx?.type == 'FileHash-IMPHASH'" ## IP indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: ctx.threatintel?.otx?.type == 'IPv4' + if: ctx.otx?.type == 'IPv4' - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: ctx.threatintel?.otx?.type == 'IPv6' + if: ctx.otx?.type == 'IPv6' - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.ip + field: otx.indicator + target_field: threat.indicator.ip ignore_missing: true - if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" ## URL indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)" + if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)" - uri_parts: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url + field: otx.indicator + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' + if: ctx.threat?.indicator?.type == 'url' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - if: "ctx?.threatintel?.otx?.type == 'URL'" + if: "ctx.otx?.type == 'URL'" ## Email indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-addr - if: ctx?.threatintel?.otx?.type == 'email' + if: ctx.otx?.type == 'email' - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.email.address + field: otx.indicator + target_field: threat.indicator.email.address ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'email-addr'" + if: "ctx.threat?.indicator?.type == 'email-addr'" ## Domain indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)" + if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url.domain + field: otx.indicator + target_field: threat.indicator.url.domain ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null" + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null" ###################### # Cleanup processors # ###################### + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx.otx != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -145,16 +167,16 @@ processors: handleMap(ctx); - remove: field: - - threatintel.otx.content + - otx.content ignore_missing: true - if: ctx?.threatintel?.otx?.content == "" + if: ctx.otx?.content == "" - remove: field: - - threatintel.otx.type - - threatintel.otx.id + - otx.type + - otx.id - message ignore_missing: true - if: ctx?.threatintel?.indicator?.type != null + if: ctx.threat?.indicator?.type != null on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/threatintel/otx/manifest.yml b/x-pack/filebeat/module/threatintel/otx/manifest.yml index 0fdefa51d76e..728302249844 100644 --- a/x-pack/filebeat/module/threatintel/otx/manifest.yml +++ b/x-pack/filebeat/module/threatintel/otx/manifest.yml @@ -20,6 +20,8 @@ var: - name: tags default: [threatintel-otx, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json index e56752d47c33..590bc64bfbc9 100644 --- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json @@ -13,8 +13,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "86.104.194.30", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "86.104.194.30", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -25,15 +27,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 102, + "otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65", + "otx.title": "Win32:Hoblig-B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65", - "threatintel.otx.title": "Win32:Hoblig-B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -49,8 +53,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ip.anysrc.net" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ip.anysrc.net" }, { "event.category": "threat", @@ -66,8 +72,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "107.173.58.176", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "107.173.58.176", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -83,8 +91,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -95,14 +105,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 688, + "otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -118,8 +130,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -130,14 +144,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 1053, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -153,8 +169,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "213.252.244.38", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "213.252.244.38", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -170,8 +188,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -187,8 +207,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -199,14 +221,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 1671, + "otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -222,8 +246,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -239,8 +265,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -256,8 +284,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -273,8 +303,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -290,8 +322,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -302,15 +336,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 2703, + "otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -321,15 +357,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 2919, + "otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -340,15 +378,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 3135, + "otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "otx.title": "Trojan:Win32/Occamy.B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", - "threatintel.otx.title": "Trojan:Win32/Occamy.B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -359,15 +399,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 3355, + "otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -378,14 +420,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 3571, + "otx.title": "vad_contains_network_strings", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "vad_contains_network_strings" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -401,8 +445,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -418,8 +464,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -430,14 +478,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 4098, + "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -453,8 +503,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -465,15 +517,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 4470, + "otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", - "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -484,15 +538,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 4709, + "otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", - "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -508,8 +564,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -520,15 +578,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 5125, + "otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b", + "otx.title": "vad_contains_network_strings", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b", - "threatintel.otx.title": "vad_contains_network_strings" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -539,15 +599,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 5352, + "otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", + "otx.title": "vad_contains_network_strings", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", - "threatintel.otx.title": "vad_contains_network_strings" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -563,8 +625,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "185.25.50.167", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "185.25.50.167", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -580,8 +644,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -597,8 +663,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -609,14 +677,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6018, + "otx.title": "Trojan:Win32/Occamy.B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Trojan:Win32/Occamy.B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -627,14 +697,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6204, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -650,8 +722,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -662,14 +736,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6553, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -680,14 +756,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 6735, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -703,8 +781,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -715,15 +795,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7084, + "otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -734,15 +816,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7310, + "otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -753,15 +837,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7536, + "otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -772,15 +858,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 7762, + "otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "otx.title": "Trojan:Win32/Occamy.B", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", - "threatintel.otx.title": "Trojan:Win32/Occamy.B" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -796,8 +884,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "maper.info" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "maper.info" }, { "event.category": "threat", @@ -813,8 +903,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "213.252.244.126", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "213.252.244.126", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -830,8 +922,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "78.129.139.131", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "78.129.139.131", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -842,14 +936,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8309, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -860,14 +956,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8498, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -878,14 +976,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8687, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -896,14 +996,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8876, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -914,14 +1016,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9065, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -932,14 +1036,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9254, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -950,14 +1056,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9443, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -973,8 +1081,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "103.13.67.4", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "103.13.67.4", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -990,8 +1100,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "80.90.87.201", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "80.90.87.201", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1007,8 +1119,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "80.80.163.182", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "80.80.163.182", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1024,8 +1138,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "91.187.114.210", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "91.187.114.210", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1041,8 +1157,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "170.238.117.187", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "170.238.117.187", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1058,8 +1176,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1075,8 +1195,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "103.84.238.3", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "103.84.238.3", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1092,8 +1214,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "179.43.158.171", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "179.43.158.171", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1109,8 +1233,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "198.211.116.199", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "198.211.116.199", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1121,14 +1247,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 10641, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "203.176.135.102", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "203.176.135.102", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1144,8 +1272,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "fotmailz.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "fotmailz.com" }, { "event.category": "threat", @@ -1161,8 +1291,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "pori89g5jqo3v8.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "pori89g5jqo3v8.com" }, { "event.category": "threat", @@ -1178,8 +1310,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "sebco.co.ke" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "sebco.co.ke" }, { "event.category": "threat", @@ -1190,14 +1324,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11077, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "177.74.232.124", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "177.74.232.124", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1213,8 +1349,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "chishir.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "chishir.com" }, { "event.category": "threat", @@ -1230,8 +1368,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "kostunivo.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "kostunivo.com" }, { "event.category": "threat", @@ -1247,8 +1387,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "mangoclone.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "mangoclone.com" }, { "event.category": "threat", @@ -1264,8 +1406,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "onixcellent.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "onixcellent.com" }, { "event.category": "threat", @@ -1276,14 +1420,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11618, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1294,14 +1440,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11774, + "otx.title": "Sf:ShellCode-DZ\\ [Trj]", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Sf:ShellCode-DZ\\ [Trj]" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1312,14 +1460,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11936, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1330,14 +1480,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12092, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1348,14 +1500,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12248, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "96.9.77.142", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "96.9.77.142", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1371,8 +1525,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "36.89.106.69", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "36.89.106.69", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1388,8 +1544,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "96.9.73.73", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "96.9.73.73", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1400,15 +1558,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12563, + "otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1424,12 +1584,14 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "www.playboysplus.com", - "threatintel.indicator.url.full": "http://www.playboysplus.com", - "threatintel.indicator.url.original": "http://www.playboysplus.com", - "threatintel.indicator.url.path": "", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "www.playboysplus.com", + "threat.indicator.url.full": "http://www.playboysplus.com", + "threat.indicator.url.original": "http://www.playboysplus.com", + "threat.indicator.url.path": "", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -1445,12 +1607,14 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "join.playboysplus.com", - "threatintel.indicator.url.full": "http://join.playboysplus.com/signup/", - "threatintel.indicator.url.original": "http://join.playboysplus.com/signup/", - "threatintel.indicator.url.path": "/signup/", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "join.playboysplus.com", + "threat.indicator.url.full": "http://join.playboysplus.com/signup/", + "threat.indicator.url.original": "http://join.playboysplus.com/signup/", + "threat.indicator.url.path": "/signup/", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -1466,13 +1630,15 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "api.vk.com", - "threatintel.indicator.url.extension": "get", - "threatintel.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", - "threatintel.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", - "threatintel.indicator.url.path": "/method/wall.get", - "threatintel.indicator.url.query": "count=1&owner_id=-81972386", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "api.vk.com", + "threat.indicator.url.extension": "get", + "threat.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threat.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threat.indicator.url.path": "/method/wall.get", + "threat.indicator.url.query": "count=1&owner_id=-81972386", + "threat.indicator.url.scheme": "http" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml index 08b2f682f3f9..2c610e5379dd 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml +++ b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml @@ -38,27 +38,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: - - event.dataset - - json.entity.id - target_field: "@metadata._id" - encoding: base64 - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - script: - lang: javascript - id: set_opt_type - source: > - function process(event) { - event.Put("@metadata.op_type", "index"); - } +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml index 8e0a6d4b3343..6247c0cd8829 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml @@ -1,19 +1,14 @@ description: Pipeline for parsing Recorded Future threat intel. processors: - # - # Safeguard against feeding the pipeline with documents other - # that the ones generated by Filebeat's httpjson input. - # - - fail: - if: "ctx.json == null || !(ctx.json instanceof Map)" - message: "missing json object in input document" - # # Set basic ECS fields. # - set: field: event.ingested - value: "{{{ _ingest.timestamp }}}" + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -24,14 +19,29 @@ processors: field: event.type value: indicator + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + + - set: + field: threat.feed.name + value: "[Filebeat] RecordedFuture" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" + # - # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). # - script: lang: painless if: "ctx.json.entity?.type != null" description: > - Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + Map entity.type field to STIX 2.0 Cyber Observable values (threat.indicator.type). params: IpAddress: ipv4-addr InternetDomainName: domain-name @@ -40,7 +50,7 @@ processors: source: > String mapping = params[ctx.json.entity.type]; if (mapping != null) { - ctx["threatintel_indicator_type"] = mapping; + ctx["threat_indicator_type"] = mapping; } on_failure: - append: @@ -48,24 +58,24 @@ processors: value: 'Unable to determine indicator type from "{{{ json.entity.type }}}": {{{ _ingest.on_failure_message }}}' - rename: - field: threatintel_indicator_type - target_field: threatintel.indicator.type + field: threat_indicator_type + target_field: threat.indicator.type ignore_missing: true # # Detect ipv6 for ipv4-addr types. # - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")' + if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")' # # Map first and last seen dates. # - date: field: json.timestamps.firstSeen - target_field: threatintel.indicator.first_seen + target_field: threat.indicator.first_seen formats: - ISO8601 if: "ctx.json.timestamps?.firstSeen != null" @@ -75,7 +85,7 @@ processors: value: 'Error parsing firstSeen field value "{{{ json.timestamps.firstSeen }}}": {{{ _ingest.on_failure_message }}}' - date: field: json.timestamps.lastSeen - target_field: threatintel.indicator.last_seen + target_field: threat.indicator.last_seen formats: - ISO8601 if: "ctx.json.timestamps?.lastSeen != null" @@ -89,20 +99,20 @@ processors: # - rename: field: json.location.location.city - target_field: threatintel.indicator.geo.city_name + target_field: threat.indicator.geo.city_name ignore_missing: true - rename: field: json.location.location.continent - target_field: threatintel.indicator.geo.continent_name + target_field: threat.indicator.geo.continent_name ignore_missing: true - rename: field: json.location.location.country - target_field: threatintel.indicator.geo.country_name + target_field: threat.indicator.geo.country_name ignore_missing: true - grok: field: json.location.asn patterns: - - "^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$" + - "^(?:[Aa][Ss])?%{NUMBER:threat.indicator.as.number:long}$" ignore_missing: true on_failure: - append: @@ -110,10 +120,10 @@ processors: value: "Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}" - rename: field: json.location.organization - target_field: threatintel.indicator.as.organization.name + target_field: threat.indicator.as.organization.name ignore_missing: true - set: - field: threatintel.indicator.reference + field: threat.indicator.reference value: "{{{ json.intelCard }}}" ignore_empty_value: true - set: @@ -123,30 +133,30 @@ processors: - set: field: json.ip_range value: "{{{ json.entity.name }}}/32" - if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' + if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' - set: field: json.ip_range value: "{{{ json.entity.name }}}/128" - if: 'ctx.threatintel?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' + if: 'ctx.threat?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' - set: field: json.ip_range value: "{{{json.entity.name}}}" if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")' - rename: field: json.entity.name - target_field: threatintel.indicator.ip + target_field: threat.indicator.ip if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' - rename: field: json.entity.name - target_field: threatintel.indicator.url.domain + target_field: threat.indicator.url.domain ignore_missing: true - if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null' + if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null' - uri_parts: field: json.entity.name - target_field: threatintel.indicator.url + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: 'ctx.threatintel?.indicator?.type == "url"' + if: 'ctx.threat?.indicator?.type == "url"' on_failure: - append: field: error.message @@ -157,10 +167,10 @@ processors: field: json.fileHashes value: "{{{ json.entity.name }}}" allow_duplicates: false - if: 'ctx.threatintel?.indicator?.type == "file"' + if: 'ctx.threat?.indicator?.type == "file"' - remove: field: json.entity.name - if: 'ctx.threatintel?.indicator?.type == "file"' + if: 'ctx.threat?.indicator?.type == "file"' - script: lang: painless description: > @@ -187,7 +197,7 @@ processors: value: "Failed to map fileHashes field: {{ _ingest.on_failure_message }}" - rename: field: _hashes - target_field: threatintel.indicator.file.hash + target_field: threat.indicator.file.hash ignore_missing: true # @@ -213,11 +223,48 @@ processors: - message ignore_missing: true # - # Save fields without an ECS mapping under `threatintel.recordedfuture`. + # Save fields without an ECS mapping under `recordedfuture`. # - rename: field: json - target_field: threatintel.recordedfuture + target_field: recordedfuture + + ###################### + # Cleanup processors # + ###################### + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + - script: + lang: painless + if: ctx.recordedfuture != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml index 93df3884160a..da8a88e19dab 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml +++ b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml @@ -14,6 +14,8 @@ var: default: [threatintel-recordedfuture, forwarded] - name: proxy_url - name: api_token + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json index 29b0a8ed4a5d..7da98ffcc296 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json @@ -9,26 +9,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, + "recordedfuture.entity.id": "idn:16url-gy.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-07-25T20:29:32.750Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.901Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "16url-gy.example.net", - "threatintel.recordedfuture.entity.id": "idn:16url-gy.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-07-25T20:29:32.750Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.901Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "16url-gy.example.net" }, { "event.category": "threat", @@ -40,26 +42,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 482, + "recordedfuture.entity.id": "idn:b999f.example.org", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2012-11-21T01:54:04.292Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.812Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "b999f.example.org", - "threatintel.recordedfuture.entity.id": "idn:b999f.example.org", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2012-11-21T01:54:04.292Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.812Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "b999f.example.org" }, { "event.category": "threat", @@ -71,26 +75,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 955, + "recordedfuture.entity.id": "idn:c422.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-02-21T13:53:46.470Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.778Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "c422.example.net", - "threatintel.recordedfuture.entity.id": "idn:c422.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-02-21T13:53:46.470Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.778Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "c422.example.net" }, { "event.category": "threat", @@ -102,26 +108,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1425, + "recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-08-15T11:56:24.964Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.747Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "8rwcvgjsp.example.net", - "threatintel.recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-08-15T11:56:24.964Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.747Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "8rwcvgjsp.example.net" }, { "event.category": "threat", @@ -133,26 +141,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1910, + "recordedfuture.entity.id": "idn:c9px.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-06-29T21:06:06.066Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.460Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "c9px.example.net", - "threatintel.recordedfuture.entity.id": "idn:c9px.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-06-29T21:06:06.066Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.460Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "c9px.example.net" }, { "event.category": "threat", @@ -164,26 +174,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2380, + "recordedfuture.entity.id": "idn:ttj1i9z7.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-09-20T03:26:08.564Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ttj1i9z7.example.com", - "threatintel.recordedfuture.entity.id": "idn:ttj1i9z7.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-09-20T03:26:08.564Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ttj1i9z7.example.com" }, { "event.category": "threat", @@ -195,26 +207,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2862, + "recordedfuture.entity.id": "idn:7pgc.example.org", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2017-02-23T17:44:16.104Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "7pgc.example.org", - "threatintel.recordedfuture.entity.id": "idn:7pgc.example.org", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2017-02-23T17:44:16.104Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "7pgc.example.org" }, { "event.category": "threat", @@ -226,26 +240,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3332, + "recordedfuture.entity.id": "idn:xm5u434.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2017-04-10T06:55:27.658Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "xm5u434.example.net", - "threatintel.recordedfuture.entity.id": "idn:xm5u434.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2017-04-10T06:55:27.658Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "xm5u434.example.net" }, { "event.category": "threat", @@ -257,26 +273,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3811, + "recordedfuture.entity.id": "idn:gpgju.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-07-27T15:22:39.390Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "gpgju.example.com", - "threatintel.recordedfuture.entity.id": "idn:gpgju.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-07-27T15:22:39.390Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "gpgju.example.com" }, { "event.category": "threat", @@ -288,25 +306,27 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4284, + "recordedfuture.entity.id": "idn:55g.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2021-01-10T21:24:38.353Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:45.025Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "55g.example.com", - "threatintel.recordedfuture.entity.id": "idn:55g.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-01-10T21:24:38.353Z", + "threat.indicator.last_seen": "2021-06-20T18:23:45.025Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "55g.example.com" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json index dbc47e31767e..cf8b9c1b23e2 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json @@ -9,24 +9,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "25328d1a481903f2d900479570842247", - "threatintel.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", - "threatintel.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.503Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.503Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -44,10 +32,24 @@ "timestamp": "2021-06-20T18:40:18.503Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "25328d1a481903f2d900479570842247", + "threat.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", + "threat.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threat.indicator.first_seen": "2021-06-20T18:40:18.503Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.503Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -59,24 +61,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1478, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b", - "threatintel.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17", - "threatintel.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.452Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.452Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -94,10 +84,24 @@ "timestamp": "2021-06-20T18:40:18.452Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b", + "threat.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17", + "threat.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threat.indicator.first_seen": "2021-06-20T18:40:18.452Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.452Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -109,24 +113,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2954, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209", - "threatintel.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8", - "threatintel.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.343Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.343Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -144,10 +136,24 @@ "timestamp": "2021-06-20T18:40:18.343Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209", + "threat.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8", + "threat.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threat.indicator.first_seen": "2021-06-20T18:40:18.343Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.343Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -159,24 +165,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4457, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635", - "threatintel.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9", - "threatintel.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.258Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.258Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -194,10 +188,24 @@ "timestamp": "2021-06-20T18:40:18.257Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635", + "threat.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9", + "threat.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threat.indicator.first_seen": "2021-06-20T18:40:18.258Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.258Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -209,24 +217,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 5932, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e", - "threatintel.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2", - "threatintel.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.131Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.131Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -236,10 +232,24 @@ "timestamp": "2021-06-19T17:39:24.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/14", - "threatintel.recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "1/14", + "recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e", + "threat.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2", + "threat.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "threat.indicator.first_seen": "2021-06-20T18:40:18.131Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.131Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -251,24 +261,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 7054, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af", - "threatintel.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705", - "threatintel.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.093Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.093Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -286,10 +284,24 @@ "timestamp": "2021-06-20T18:40:18.093Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af", + "threat.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705", + "threat.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "threat.indicator.first_seen": "2021-06-20T18:40:18.093Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.093Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -301,24 +313,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 8550, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a", - "threatintel.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e", - "threatintel.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.070Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.070Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -336,10 +336,24 @@ "timestamp": "2021-06-20T18:40:18.070Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a", + "threat.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e", + "threat.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "threat.indicator.first_seen": "2021-06-20T18:40:18.070Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.070Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -351,24 +365,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 10020, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4", - "threatintel.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2", - "threatintel.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.011Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.011Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -386,10 +388,24 @@ "timestamp": "2021-06-20T18:40:18.010Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4", + "threat.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2", + "threat.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "threat.indicator.first_seen": "2021-06-20T18:40:18.011Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.011Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -401,24 +417,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 11492, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542", - "threatintel.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645", - "threatintel.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.indicator.first_seen": "2021-06-20T18:40:17.964Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:17.964Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -436,10 +440,24 @@ "timestamp": "2021-06-20T18:40:17.964Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542", + "threat.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645", + "threat.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "threat.indicator.first_seen": "2021-06-20T18:40:17.964Z", + "threat.indicator.last_seen": "2021-06-20T18:40:17.964Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -451,24 +469,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 12964, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1", - "threatintel.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711", - "threatintel.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.indicator.first_seen": "2021-06-20T18:40:17.919Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:17.919Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", @@ -486,9 +492,23 @@ "timestamp": "2021-06-20T18:40:17.919Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1", + "threat.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711", + "threat.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "threat.indicator.first_seen": "2021-06-20T18:40:17.919Z", + "threat.indicator.last_seen": "2021-06-20T18:40:17.919Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "threat.indicator.type": "file" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json index 74488f715daf..c46c3e2a51f1 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json @@ -9,32 +9,34 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, + "recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 31287, - "threatintel.indicator.as.organization.name": "IPACCT CABLE Ltd", - "threatintel.indicator.first_seen": "2021-04-18T00:11:48.512Z", - "threatintel.indicator.geo.city_name": "Radnevo", - "threatintel.indicator.geo.continent_name": "Europe", - "threatintel.indicator.geo.country_name": "Bulgaria", - "threatintel.indicator.last_seen": "2021-06-19T19:40:32.897Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.indicator.type": "ipv6-addr", - "threatintel.recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 31287, + "threat.indicator.as.organization.name": "IPACCT CABLE Ltd", + "threat.indicator.first_seen": "2021-04-18T00:11:48.512Z", + "threat.indicator.geo.city_name": "Radnevo", + "threat.indicator.geo.continent_name": "Europe", + "threat.indicator.geo.country_name": "Bulgaria", + "threat.indicator.last_seen": "2021-06-19T19:40:32.897Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "threat.indicator.type": "ipv6-addr" }, { "event.category": "threat", @@ -46,32 +48,33 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 763, + "recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 197207, - "threatintel.indicator.as.organization.name": "Mobile Communication Company of Iran PLC", - "threatintel.indicator.first_seen": "2021-06-19T17:55:58.019Z", - "threatintel.indicator.geo.city_name": null, - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "Iran", - "threatintel.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", - "threatintel.indicator.last_seen": "2021-06-19T19:40:32.839Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", - "threatintel.indicator.type": "ipv6-addr", - "threatintel.recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", - "threatintel.recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 197207, + "threat.indicator.as.organization.name": "Mobile Communication Company of Iran PLC", + "threat.indicator.first_seen": "2021-06-19T17:55:58.019Z", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "Iran", + "threat.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "threat.indicator.last_seen": "2021-06-19T19:40:32.839Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "threat.indicator.type": "ipv6-addr" }, { "event.category": "threat", @@ -83,31 +86,29 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1531, + "recordedfuture.entity.id": "ip:203.0.113.55", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", + "recordedfuture.ip_range": "203.0.113.55/32", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.organization.name": null, - "threatintel.indicator.first_seen": "2021-06-19T19:40:30.596Z", - "threatintel.indicator.geo.city_name": null, - "threatintel.indicator.geo.continent_name": null, - "threatintel.indicator.geo.country_name": null, - "threatintel.indicator.ip": "203.0.113.55", - "threatintel.indicator.last_seen": "2021-06-19T19:40:30.596Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:203.0.113.55", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", - "threatintel.recordedfuture.ip_range": "203.0.113.55/32", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-19T19:40:30.596Z", + "threat.indicator.ip": "203.0.113.55", + "threat.indicator.last_seen": "2021-06-19T19:40:30.596Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -119,32 +120,34 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2161, + "recordedfuture.entity.id": "ip:203.0.113.108", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", + "recordedfuture.ip_range": "203.0.113.108/32", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 17622, - "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network", - "threatintel.indicator.first_seen": "2021-06-19T19:40:20.534Z", - "threatintel.indicator.geo.city_name": "Guangzhou", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "China", - "threatintel.indicator.ip": "203.0.113.108", - "threatintel.indicator.last_seen": "2021-06-19T19:40:20.534Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:203.0.113.108", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", - "threatintel.recordedfuture.ip_range": "203.0.113.108/32", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 17622, + "threat.indicator.as.organization.name": "China Unicom Guangzhou network", + "threat.indicator.first_seen": "2021-06-19T19:40:20.534Z", + "threat.indicator.geo.city_name": "Guangzhou", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "China", + "threat.indicator.ip": "203.0.113.108", + "threat.indicator.last_seen": "2021-06-19T19:40:20.534Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -156,32 +159,33 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2851, + "recordedfuture.entity.id": "ip:203.0.113.139", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", + "recordedfuture.ip_range": "203.0.113.139/32", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 7713, - "threatintel.indicator.as.organization.name": "PT Telekomunikasi Indonesia", - "threatintel.indicator.first_seen": "2016-06-23T07:39:06.418Z", - "threatintel.indicator.geo.city_name": null, - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "Indonesia", - "threatintel.indicator.ip": "203.0.113.139", - "threatintel.indicator.last_seen": "2021-06-19T19:40:03.882Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:203.0.113.139", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", - "threatintel.recordedfuture.ip_range": "203.0.113.139/32", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 7713, + "threat.indicator.as.organization.name": "PT Telekomunikasi Indonesia", + "threat.indicator.first_seen": "2016-06-23T07:39:06.418Z", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "Indonesia", + "threat.indicator.ip": "203.0.113.139", + "threat.indicator.last_seen": "2021-06-19T19:40:03.882Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -193,32 +197,34 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3532, + "recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 17622, - "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network", - "threatintel.indicator.first_seen": "2021-06-19T19:40:02.557Z", - "threatintel.indicator.geo.city_name": "Guangzhou", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "China", - "threatintel.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.indicator.last_seen": "2021-06-19T19:40:02.557Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.indicator.type": "ipv6-addr", - "threatintel.recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 17622, + "threat.indicator.as.organization.name": "China Unicom Guangzhou network", + "threat.indicator.first_seen": "2021-06-19T19:40:02.557Z", + "threat.indicator.geo.city_name": "Guangzhou", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "China", + "threat.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "threat.indicator.last_seen": "2021-06-19T19:40:02.557Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "threat.indicator.type": "ipv6-addr" }, { "event.category": "threat", @@ -230,32 +236,34 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4295, + "recordedfuture.entity.id": "ip:192.0.2.147", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", + "recordedfuture.ip_range": "192.0.2.147/32", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 4837, - "threatintel.indicator.as.organization.name": "CHINA UNICOM China169 Backbone", - "threatintel.indicator.first_seen": "2017-12-20T02:21:07.734Z", - "threatintel.indicator.geo.city_name": "Zhengzhou", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "China", - "threatintel.indicator.ip": "192.0.2.147", - "threatintel.indicator.last_seen": "2021-06-19T19:39:43.160Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:192.0.2.147", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", - "threatintel.recordedfuture.ip_range": "192.0.2.147/32", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 4837, + "threat.indicator.as.organization.name": "CHINA UNICOM China169 Backbone", + "threat.indicator.first_seen": "2017-12-20T02:21:07.734Z", + "threat.indicator.geo.city_name": "Zhengzhou", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "China", + "threat.indicator.ip": "192.0.2.147", + "threat.indicator.last_seen": "2021-06-19T19:39:43.160Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -267,28 +275,13 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4972, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.as.number": 9829, - "threatintel.indicator.as.organization.name": "National Internet Backbone", - "threatintel.indicator.first_seen": "2019-12-24T09:54:02.935Z", - "threatintel.indicator.geo.city_name": "Palakkad", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "India", - "threatintel.indicator.ip": "203.0.113.198", - "threatintel.indicator.last_seen": "2021-06-19T19:39:25.532Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:203.0.113.198", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", - "threatintel.recordedfuture.ip_range": "203.0.113.198/32", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "ip:203.0.113.198", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", + "recordedfuture.ip_range": "203.0.113.198/32", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -298,10 +291,27 @@ "timestamp": "2019-12-24T09:53:13.546Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/54", - "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/54", + "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 9829, + "threat.indicator.as.organization.name": "National Internet Backbone", + "threat.indicator.first_seen": "2019-12-24T09:54:02.935Z", + "threat.indicator.geo.city_name": "Palakkad", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "India", + "threat.indicator.ip": "203.0.113.198", + "threat.indicator.last_seen": "2021-06-19T19:39:25.532Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -313,28 +323,13 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 5970, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.as.number": 9829, - "threatintel.indicator.as.organization.name": "National Internet Backbone", - "threatintel.indicator.first_seen": "2020-03-03T08:10:28.489Z", - "threatintel.indicator.geo.city_name": "Bangalore", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "India", - "threatintel.indicator.ip": "192.0.2.179", - "threatintel.indicator.last_seen": "2021-06-19T19:39:11.694Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:192.0.2.179", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", - "threatintel.recordedfuture.ip_range": "192.0.2.179/32", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "ip:192.0.2.179", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", + "recordedfuture.ip_range": "192.0.2.179/32", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -360,10 +355,27 @@ "timestamp": "2021-06-21T19:53:19.897Z" } ], - "threatintel.recordedfuture.risk.riskString": "3/54", - "threatintel.recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 3, - "threatintel.recordedfuture.risk.score": 15 + "recordedfuture.risk.riskString": "3/54", + "recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.", + "recordedfuture.risk.rules": 3, + "recordedfuture.risk.score": 15, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 9829, + "threat.indicator.as.organization.name": "National Internet Backbone", + "threat.indicator.first_seen": "2020-03-03T08:10:28.489Z", + "threat.indicator.geo.city_name": "Bangalore", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "India", + "threat.indicator.ip": "192.0.2.179", + "threat.indicator.last_seen": "2021-06-19T19:39:11.694Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -375,28 +387,13 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 7483, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.as.number": 45899, - "threatintel.indicator.as.organization.name": "VNPT Corp", - "threatintel.indicator.first_seen": "2021-06-19T19:38:57.372Z", - "threatintel.indicator.geo.city_name": "Long Phu", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "Vietnam", - "threatintel.indicator.ip": "192.0.2.245", - "threatintel.indicator.last_seen": "2021-06-19T19:38:57.372Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:192.0.2.245", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", - "threatintel.recordedfuture.ip_range": "192.0.2.245/32", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "ip:192.0.2.245", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", + "recordedfuture.ip_range": "192.0.2.245/32", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -406,9 +403,26 @@ "timestamp": "2021-06-19T19:50:20.162Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/54", - "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/54", + "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 45899, + "threat.indicator.as.organization.name": "VNPT Corp", + "threat.indicator.first_seen": "2021-06-19T19:38:57.372Z", + "threat.indicator.geo.city_name": "Long Phu", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "Vietnam", + "threat.indicator.ip": "192.0.2.245", + "threat.indicator.last_seen": "2021-06-19T19:38:57.372Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", + "threat.indicator.type": "ipv4-addr" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json index 779d86ae9652..f840643fef3b 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json @@ -9,26 +9,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "d6s.example.net", - "threatintel.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.indicator.url.path": "/nzy/vvc68ke", - "threatintel.indicator.url.query": "p5uxwn=1bj", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -38,10 +24,26 @@ "timestamp": "2021-04-15T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "d6s.example.net", + "threat.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "threat.indicator.url.path": "/nzy/vvc68ke", + "threat.indicator.url.query": "p5uxwn=1bj", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", @@ -53,26 +55,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 874, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ga7v9u.example.org", - "threatintel.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.indicator.url.path": "/bnqv8e2v8/qb49", - "threatintel.indicator.url.query": "7kq=iw61", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -82,10 +70,26 @@ "timestamp": "2021-02-14T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ga7v9u.example.org", + "threat.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "threat.indicator.url.path": "/bnqv8e2v8/qb49", + "threat.indicator.url.query": "7kq=iw61", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", @@ -97,26 +101,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1760, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cdmw.example.net", - "threatintel.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.indicator.url.path": "/c20fwa/wwn", - "threatintel.indicator.url.query": "dlz53=z6ovc", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -126,10 +116,26 @@ "timestamp": "2021-05-15T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cdmw.example.net", + "threat.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "threat.indicator.url.path": "/c20fwa/wwn", + "threat.indicator.url.query": "dlz53=z6ovc", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", @@ -141,26 +147,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2627, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "4mne.example.local", - "threatintel.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.indicator.url.path": "/ns2rk8f/wngtk2xz", - "threatintel.indicator.url.query": "vceuk7wl6=3p0", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -170,10 +162,26 @@ "timestamp": "2021-02-14T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "4mne.example.local", + "threat.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "threat.indicator.url.path": "/ns2rk8f/wngtk2xz", + "threat.indicator.url.query": "vceuk7wl6=3p0", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", @@ -185,26 +193,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3524, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "z198hloc8.example.com", - "threatintel.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.indicator.url.path": "/f8ih39/f6kou", - "threatintel.indicator.url.query": "f6-u3=uwhii", - "threatintel.indicator.url.scheme": "http", - "threatintel.recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -214,10 +208,26 @@ "timestamp": "2020-06-24T12:01:33.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "z198hloc8.example.com", + "threat.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "threat.indicator.url.path": "/f8ih39/f6kou", + "threat.indicator.url.query": "f6-u3=uwhii", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -229,26 +239,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4377, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "y484j-fb6.example.local", - "threatintel.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", - "threatintel.indicator.url.path": "/b97s24xf/prz", - "threatintel.indicator.url.query": "sg-x1do=4myont", - "threatintel.indicator.url.scheme": "http", - "threatintel.recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -258,10 +254,26 @@ "timestamp": "2021-02-14T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "y484j-fb6.example.local", + "threat.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + "threat.indicator.url.path": "/b97s24xf/prz", + "threat.indicator.url.query": "sg-x1do=4myont", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -273,26 +285,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 5272, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "sp2xyqq82.example.local", - "threatintel.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", - "threatintel.indicator.url.path": "/zxvm093/kat1rcz", - "threatintel.indicator.url.query": "vaev0aeod=rc0513", - "threatintel.indicator.url.scheme": "http", - "threatintel.recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -302,10 +300,26 @@ "timestamp": "2020-11-16T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "sp2xyqq82.example.local", + "threat.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "threat.indicator.url.path": "/zxvm093/kat1rcz", + "threat.indicator.url.query": "vaev0aeod=rc0513", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -317,26 +331,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 6187, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "zh4o7xc.example.com", - "threatintel.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", - "threatintel.indicator.url.path": "/-yiq/vg2whtxif", - "threatintel.indicator.url.query": "cb0-knk=s6poib5r", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -346,10 +346,26 @@ "timestamp": "2021-05-15T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "zh4o7xc.example.com", + "threat.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + "threat.indicator.url.path": "/-yiq/vg2whtxif", + "threat.indicator.url.query": "cb0-knk=s6poib5r", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", @@ -361,26 +377,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 7094, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "fiivf4s.example.org", - "threatintel.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", - "threatintel.indicator.url.path": "/8u2qi/86vfcfq7m", - "threatintel.indicator.url.query": "pfb2ensc0=h7imk8io2", - "threatintel.indicator.url.scheme": "http", - "threatintel.recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -390,10 +392,26 @@ "timestamp": "2021-02-14T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "fiivf4s.example.org", + "threat.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "threat.indicator.url.path": "/8u2qi/86vfcfq7m", + "threat.indicator.url.query": "pfb2ensc0=h7imk8io2", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -405,26 +423,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 8007, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "abav9v.example.org", - "threatintel.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", - "threatintel.indicator.url.path": "/gj93q/7fs7", - "threatintel.indicator.url.query": "kcq7=pjaj1", - "threatintel.indicator.url.scheme": "http", - "threatintel.recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", @@ -434,9 +438,25 @@ "timestamp": "2021-02-14T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "abav9v.example.org", + "threat.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "threat.indicator.url.path": "/gj93q/7fs7", + "threat.indicator.url.query": "kcq7=pjaj1", + "threat.indicator.url.scheme": "http" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/threatq/config/config.yml b/x-pack/filebeat/module/threatintel/threatq/config/config.yml index 89e8cab731ec..0f520215bc8f 100644 --- a/x-pack/filebeat/module/threatintel/threatq/config/config.yml +++ b/x-pack/filebeat/module/threatintel/threatq/config/config.yml @@ -1,7 +1,6 @@ {{ if eq .input "httpjson" }} type: httpjson -config_version: "2" interval: {{ .interval }} auth.oauth2: @@ -50,22 +49,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - process_array: true - max_depth: 5 - overwrite_keys: true - add_error_key: true - - fingerprint: - fields: ["json.id", "json.indicator_id"] - target_field: "@metadata._id" - ignore_missing: true - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 \ No newline at end of file +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml index 6d301f898444..96f8b224e19a 100644 --- a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml @@ -1,3 +1,4 @@ +--- description: Pipeline for parsing ThreatQ Threat Intel processors: #################### @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -19,6 +23,19 @@ processors: ############### # Parse dates # ############### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.id + - json.indicator_id + target_field: "_id" + ignore_missing: true - date: target_field: "@timestamp" field: "json.updated_at" @@ -27,28 +44,28 @@ processors: if: "ctx.json.updated_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.created_at" + target_field: "threatq.created_at" field: "json.created_at" formats: - "yyyy-MM-dd HH:mm:ss" if: "ctx.json.created_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.expires_at" + target_field: "threatq.expires_at" field: "json.expires_at" formats: - "yyyy-MM-dd HH:mm:ss" if: "ctx.json.expires_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.expires_calculated_at" + target_field: "threatq.expires_calculated_at" field: "json.expires_calculated_at" formats: - "yyyy-MM-dd HH:mm:ss" if: "ctx.json.expires_calculated_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.published_at" + target_field: "threatq.published_at" field: "json.published_at" formats: - "yyyy-MM-dd HH:mm:ss" @@ -58,29 +75,50 @@ processors: ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] ThreatQuotient" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - rename: field: json.type.name - target_field: threatintel.indicator.type + target_field: threat.indicator.type ignore_missing: true - rename: field: json.description - target_field: threatintel.indicator.description + target_field: threat.indicator.description ignore_missing: true - - convert: - field: json.score - target_field: threatintel.indicator.confidence - type: integer - on_failure: - - append: - field: error.message - value: "Cannot convert json.score to integer: {{{ _ingest.on_failure_message }}}" + - script: + lang: painless + if: ctx.json?.score != null + description: > + Normalize confidence level. + source: > + def value = ctx.json.score; + if (value <= 0.0 || value > 100.0) { + ctx.threat.indicator.confidence = "None"; + return; + } + if (value >= 1.0 && value <= 29.0) { + ctx.threat.indicator.confidence = "Low"; + return; + } + if (value >= 30.0 && value <= 69.0) { + ctx.threat.indicator.confidence = "Med"; + return; + } + if (value >= 70 && value <= 100) { + ctx.threat.indicator.confidence = "High"; + return; + } - rename: field: json.status.name - target_field: threatintel.threatq.status + target_field: threatq.status ignore_missing: true - rename: field: json.value - target_field: threatintel.threatq.indicator_value + target_field: threatq.indicator_value ignore_missing: true ######################################### @@ -89,119 +127,144 @@ processors: # Indicator type: Email Address - set: - field: threatintel.indicator.email.address - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'" + field: threat.indicator.email.address + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-addr - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" # Indicator type: FQDN - set: - field: threatintel.indicator.domain - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'" + field: threat.indicator.domain + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" # Indicator type: IP Address - set: - field: threatintel.indicator.ip - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IP Address'" + field: threat.indicator.ip + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" + ignore_empty_value: true + - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IP Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" # Indicator type: IPv6 Address - set: - field: threatintel.indicator.domain - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'" + field: threat.indicator.domain + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" # Indicator type: MD5 - set: - field: threatintel.indicator.file.hash.md5 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'" + field: threat.indicator.file.hash.md5 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" # Indicator type: SHA-1 - set: - field: threatintel.indicator.file.hash.sha1 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'" + field: threat.indicator.file.hash.sha1 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" # Indicator type: SHA-256 - set: - field: threatintel.indicator.file.hash.sha256 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'" + field: threat.indicator.file.hash.sha256 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" # Indicator type: SHA-512 - set: - field: threatintel.indicator.file.hash.sha512 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'" + field: threat.indicator.file.hash.sha512 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" # Indicator type: URL + - uri_parts: + field: threatq.indicator_value + target_field: threat.indicator.url + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL' && ctx.threatq?.indicator_value != null" + remove_if_successful: true - set: - field: threatintel.indicator.url.full - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'" - - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL'" # Indicator type: x509 Serial - set: - field: threatintel.indicator.x509.serial_number - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'x509 Serial'" + field: threat.indicator.x509.serial_number + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'x509 Serial'" + ignore_empty_value: true ################################### # Map indicator providers and TLP # ################################### - - foreach: - description: Append threat intel sources - field: json.sources - ignore_missing: true - processor: - append: - field: threatintel.indicator.provider - value: "{{{ _ingest._value.name }}}" - - foreach: - description: Append threat intel source TLP values - field: json.sources - ignore_missing: true - processor: - append: - field: threatintel.indicator.marking.tlp - value: "{{{ _ingest._value.tlp_name }}}" + - script: + if: "ctx.json?.sources != null && ctx.json?.sources instanceof List && ctx.json?.sources.size() > 0" + lang: painless + description: "Extract TLP and providers from source" + source: |- + def providers = new ArrayList(); + def tlps = new ArrayList(); + for (source in ctx.json.sources) { + if (source == null) { + return; + } + if (source.containsKey("provider") && source["provider"] != null) { + providers.add(source["provider"]); + } + if (source.containsKey("tlp_name") && source["tlp_name"] != null) { + tlps.add(source["tlp_name"]); + } + } + if (tlps.size() > 0) { + if (ctx.threat.indicator.marking == null) { + ctx.threat.indicator.marking = new HashMap(); + } + ctx.threat.indicator.marking.tlp = tlps; + } + if (providers.size() > 0) { + if (ctx.threat.indicator.provider == null) { + ctx.threat.indicator.provider = new HashMap(); + } + ctx.threat.indicator.provider = providers; + } ############################ # Map indicator attributes # @@ -228,7 +291,7 @@ processors: ignore_missing: true processor: append: - field: threatintel.threatq.attributes.{{{ _ingest._value.name }}} + field: threatq.attributes.{{{ _ingest._value.name }}} value: "{{{ _ingest._value.value }}}" ############################# @@ -239,20 +302,25 @@ processors: ignore_missing: true processor: append: - field: threatintel.threatq.adversaries + field: threatq.adversaries value: "{{{ _ingest._value.name }}}" ###################### # Cleanup processors # ###################### # Setting indicator type to unknown if it does not match anything + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx.threat != null source: | void handleMap(Map map) { for (def x : map.values()) { diff --git a/x-pack/filebeat/module/threatintel/threatq/manifest.yml b/x-pack/filebeat/module/threatintel/threatq/manifest.yml index dd7165b182f1..d5628d2a705d 100644 --- a/x-pack/filebeat/module/threatintel/threatq/manifest.yml +++ b/x-pack/filebeat/module/threatintel/threatq/manifest.yml @@ -11,11 +11,13 @@ var: - name: client_id - name: client_secret - name: host - default: "https://www.threatq.com/" + default: "https://www.threatq.com" - name: proxy_url - name: http_client_timeout - name: tags default: [threatintel-threatq, forwarded] + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json index 58c61e5161c5..58958850bd53 100644 --- a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json @@ -14,38 +14,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.44.202.220", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.44.202.220", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "3" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Saipan" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "MP" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.44.202.220", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.44.202.220", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -62,38 +58,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.94.155.176", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.94.155.176", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Sacramento" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.94.155.176", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.94.155.176", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -110,38 +102,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.42.81.68", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.42.81.68", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "New York" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.42.81.68", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.42.81.68", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -158,32 +146,28 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "37.17.250.101", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "37.17.250.101", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:41.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z", - "threatintel.threatq.indicator_value": "37.17.250.101", - "threatintel.threatq.published_at": "2020-09-11T14:35:41.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:41.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z", + "threatq.indicator_value": "37.17.250.101", + "threatq.published_at": "2020-09-11T14:35:41.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -200,38 +184,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.94.129.203", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.94.129.203", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Sacramento" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.94.129.203", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.94.129.203", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -248,38 +228,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.216.117.22", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.216.117.22", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "3" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Houston" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.216.117.22", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.216.117.22", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -296,38 +272,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.80.70.115", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.80.70.115", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Fort Lauderdale" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.80.70.115", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.80.70.115", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -344,38 +316,34 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.65.79.99", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.65.79.99", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Pompano Beach" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.65.79.99", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.65.79.99", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" }, { "@timestamp": "2020-11-15T00:00:02.000Z", @@ -392,37 +360,33 @@ "forwarded", "threatintel-threatq" ], - "threatintel.indicator.confidence": 4, - "threatintel.indicator.ip": "69.199.22.46", - "threatintel.indicator.marking.tlp": [ - "" - ], - "threatintel.indicator.provider": [ - "AlienVault OTX" - ], - "threatintel.indicator.type": "ipv4-addr", - "threatintel.threatq.attributes.alienvault_reliability": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] ThreatQuotient", + "threat.indicator.confidence": "Low", + "threat.indicator.ip": "69.199.22.46", + "threat.indicator.type": "ipv4-addr", + "threatq.attributes.alienvault_reliability": [ "4" ], - "threatintel.threatq.attributes.alienvault_revision": [ + "threatq.attributes.alienvault_revision": [ "3" ], - "threatintel.threatq.attributes.alienvault_threat_level": [ + "threatq.attributes.alienvault_threat_level": [ "2" ], - "threatintel.threatq.attributes.city": [ + "threatq.attributes.city": [ "Little Elm" ], - "threatintel.threatq.attributes.country": [ + "threatq.attributes.country": [ "US" ], - "threatintel.threatq.attributes.description": [ + "threatq.attributes.description": [ "Malicious Host" ], - "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", - "threatintel.threatq.indicator_value": "69.199.22.46", - "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z", - "threatintel.threatq.status": "Expired" + "threatq.created_at": "2020-09-11T14:35:51.000Z", + "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z", + "threatq.indicator_value": "69.199.22.46", + "threatq.published_at": "2020-09-11T14:35:51.000Z", + "threatq.status": "Expired" } ] \ No newline at end of file diff --git a/x-pack/metricbeat/module/azure/billing/billing.go b/x-pack/metricbeat/module/azure/billing/billing.go index 669176442967..ea2a788b2924 100644 --- a/x-pack/metricbeat/module/azure/billing/billing.go +++ b/x-pack/metricbeat/module/azure/billing/billing.go @@ -5,8 +5,6 @@ package billing import ( - "time" - "github.com/pkg/errors" "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" @@ -60,13 +58,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - results, err := m.client.GetMetrics(startTime, endTime) + results, err := m.client.GetMetrics() if err != nil { return errors.Wrap(err, "error retrieving usage information") } - events := EventsMapping(results, startTime, endTime, m.client.Config.SubscriptionId) + events := EventsMapping(m.client.Config.SubscriptionId, results) for _, event := range events { isOpen := report.Event(event) if !isOpen { diff --git a/x-pack/metricbeat/module/azure/billing/client.go b/x-pack/metricbeat/module/azure/billing/client.go index 2d7ce9bca9a7..3f1c73bf2f03 100644 --- a/x-pack/metricbeat/module/azure/billing/client.go +++ b/x-pack/metricbeat/module/azure/billing/client.go @@ -12,6 +12,7 @@ import ( "github.com/pkg/errors" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/elastic/beats/v7/libbeat/logp" @@ -25,7 +26,7 @@ type Client struct { } type Usage struct { - UsageDetails []consumption.BasicUsageDetail + UsageDetails []prevConsumption.UsageDetail ActualCosts []consumption.Forecast ForecastCosts []consumption.Forecast } @@ -45,7 +46,8 @@ func NewClient(config azure.Config) (*Client, error) { } // GetMetrics returns the usage detail and forecast values. -func (client *Client) GetMetrics(startTime time.Time, endTime time.Time) (Usage, error) { +func (client *Client) GetMetrics() (Usage, error) { + var usage Usage scope := fmt.Sprintf("subscriptions/%s", client.Config.SubscriptionId) if client.Config.BillingScopeDepartment != "" { @@ -53,9 +55,11 @@ func (client *Client) GetMetrics(startTime time.Time, endTime time.Time) (Usage, } else if client.Config.BillingScopeAccountId != "" { scope = fmt.Sprintf("/providers/Microsoft.Billing/billingAccounts/%s", client.Config.BillingScopeAccountId) } - - filter := fmt.Sprintf("properties/usageStart eq '%s' and properties/usageEnd eq '%s'", startTime.Format(time.RFC3339Nano), endTime.Format(time.RFC3339Nano)) - usageDetails, err := client.BillingService.GetUsageDetails(scope, "properties/meterDetails", filter, "", nil, consumption.MetrictypeActualCostMetricType) + startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-24) * time.Hour) + endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) + usageDetails, err := client.BillingService.GetUsageDetails(scope, "properties/meterDetails", + fmt.Sprintf("properties/usageStart eq '%s' and properties/usageEnd eq '%s'", startTime.Format(time.RFC3339Nano), endTime.Format(time.RFC3339Nano)), + "", nil, "properties/instanceLocation") if err != nil { return usage, errors.Wrap(err, "Retrieving usage details failed in client") } diff --git a/x-pack/metricbeat/module/azure/billing/client_test.go b/x-pack/metricbeat/module/azure/billing/client_test.go index 55bd15062d37..c18562fd945e 100644 --- a/x-pack/metricbeat/module/azure/billing/client_test.go +++ b/x-pack/metricbeat/module/azure/billing/client_test.go @@ -7,8 +7,8 @@ package billing import ( "errors" "testing" - "time" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" @@ -26,11 +26,9 @@ func TestClient(t *testing.T) { client.Config = config m := &MockService{} m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{}, errors.New("invalid query")) - m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil) + m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(prevConsumption.UsageDetailsListResultPage{}, nil) client.BillingService = m - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - results, err := client.GetMetrics(startTime, endTime) + results, err := client.GetMetrics() assert.Error(t, err) assert.Equal(t, len(results.ActualCosts), 0) m.AssertExpectations(t) @@ -41,11 +39,9 @@ func TestClient(t *testing.T) { m := &MockService{} forecasts := []consumption.Forecast{{}, {}} m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{Value: &forecasts}, nil) - m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil) + m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(prevConsumption.UsageDetailsListResultPage{}, nil) client.BillingService = m - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - results, err := client.GetMetrics(startTime, endTime) + results, err := client.GetMetrics() assert.NoError(t, err) assert.Equal(t, len(results.ActualCosts), 2) assert.Equal(t, len(results.ForecastCosts), 2) diff --git a/x-pack/metricbeat/module/azure/billing/data.go b/x-pack/metricbeat/module/azure/billing/data.go index 7f9c0a192794..9aafb87d9925 100644 --- a/x-pack/metricbeat/module/azure/billing/data.go +++ b/x-pack/metricbeat/module/azure/billing/data.go @@ -5,6 +5,8 @@ package billing import ( + "fmt" + "strings" "time" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" @@ -15,71 +17,36 @@ import ( "github.com/elastic/beats/v7/metricbeat/mb" ) -func EventsMapping(results Usage, startTime time.Time, endTime time.Time, subscriptionId string) []mb.Event { +func EventsMapping(subscriptionId string, results Usage) []mb.Event { var events []mb.Event - // usage details come in different forms, most common for this api call is LegacyUsageDetail if len(results.UsageDetails) > 0 { - for _, ud := range results.UsageDetails { - event := mb.Event{Timestamp: time.Now().UTC()} - if legacyUsageDetail, err := ud.AsLegacyUsageDetail(); err == true { - event.ModuleFields = common.MapStr{ + for _, usageDetail := range results.UsageDetails { + event := mb.Event{ + ModuleFields: common.MapStr{ "resource": common.MapStr{ - "type": legacyUsageDetail.ConsumedService, - "group": legacyUsageDetail.ResourceGroup, - "name": legacyUsageDetail.ResourceName, + "type": usageDetail.ConsumedService, + "group": getResourceGroupFromId(*usageDetail.InstanceID), + "name": usageDetail.InstanceName, }, - "subscription_id": legacyUsageDetail.SubscriptionID, - } - event.MetricSetFields = common.MapStr{ - "pretax_cost": legacyUsageDetail.Cost, - "department_name": legacyUsageDetail.InvoiceSection, - "product": legacyUsageDetail.Product, - "usage_start": startTime, - "usage_end": endTime, - "billing_period_start": legacyUsageDetail.BillingPeriodStartDate.ToTime(), - "billing_period_end": legacyUsageDetail.BillingPeriodEndDate.ToTime(), - "currency": legacyUsageDetail.BillingCurrency, - "effective_price": legacyUsageDetail.EffectivePrice, - "account_name": legacyUsageDetail.BillingAccountName, - "account_id": legacyUsageDetail.BillingAccountID, - "subscription_name": legacyUsageDetail.SubscriptionName, - "unit_price": legacyUsageDetail.UnitPrice, - "quantity": legacyUsageDetail.Quantity, - } - event.RootFields = common.MapStr{} - event.RootFields.Put("cloud.provider", "azure") - event.RootFields.Put("cloud.region", legacyUsageDetail.ResourceLocation) - event.RootFields.Put("cloud.instance.name", legacyUsageDetail.ResourceName) - event.RootFields.Put("cloud.instance.id", legacyUsageDetail.ResourceID) - } - if modernUsageDetail, err := ud.AsModernUsageDetail(); err == true { - event.ModuleFields = common.MapStr{ - "resource": common.MapStr{ - "type": modernUsageDetail.ConsumedService, - "group": modernUsageDetail.ResourceGroup, - "name": modernUsageDetail.InstanceName, - }, - "subscription_id": modernUsageDetail.SubscriptionGUID, - } - event.MetricSetFields = common.MapStr{ - "product": modernUsageDetail.Product, - "usage_start": startTime, - "usage_end": endTime, - "billing_period_start": modernUsageDetail.BillingPeriodStartDate.ToTime(), - "billing_period_end": modernUsageDetail.BillingPeriodEndDate.ToTime(), - "currency": modernUsageDetail.BillingCurrencyCode, - "account_id": modernUsageDetail.BillingAccountID, - "billing_account_name": modernUsageDetail.BillingAccountName, - "subscription_name": modernUsageDetail.SubscriptionName, - "unit_price": modernUsageDetail.UnitPrice, - } - event.RootFields = common.MapStr{} - event.RootFields.Put("cloud.provider", "azure") - event.RootFields.Put("cloud.region", modernUsageDetail.ResourceLocation) - } - if _, err := ud.AsUsageDetail(); err == true { - continue + "subscription_id": usageDetail.SubscriptionGUID, + }, + MetricSetFields: common.MapStr{ + "pretax_cost": usageDetail.PretaxCost, + "department_name": usageDetail.DepartmentName, + "product": usageDetail.Product, + "usage_start": usageDetail.UsageStart.ToTime(), + "usage_end": usageDetail.UsageEnd.ToTime(), + "currency": usageDetail.Currency, + "billing_period_id": usageDetail.BillingPeriodID, + "account_name": usageDetail.AccountName, + }, + Timestamp: time.Now().UTC(), } + event.RootFields = common.MapStr{} + event.RootFields.Put("cloud.provider", "azure") + event.RootFields.Put("cloud.region", usageDetail.InstanceLocation) + event.RootFields.Put("cloud.instance.name", usageDetail.InstanceName) + event.RootFields.Put("cloud.instance.id", usageDetail.InstanceID) events = append(events, event) } } @@ -125,3 +92,14 @@ func EventsMapping(results Usage, startTime time.Time, endTime time.Time, subscr } return events } + +// getResourceGroupFromId maps resource group from resource ID +func getResourceGroupFromId(path string) string { + params := strings.Split(path, "/") + for i, param := range params { + if param == "resourceGroups" { + return fmt.Sprintf("%s", params[i+1]) + } + } + return "" +} diff --git a/x-pack/metricbeat/module/azure/billing/data_test.go b/x-pack/metricbeat/module/azure/billing/data_test.go index 25490b332133..8d883d2862d0 100644 --- a/x-pack/metricbeat/module/azure/billing/data_test.go +++ b/x-pack/metricbeat/module/azure/billing/data_test.go @@ -8,9 +8,9 @@ import ( "testing" "time" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + consumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/Azure/go-autorest/autorest/date" - - "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/shopspring/decimal" "github.com/stretchr/testify/assert" ) @@ -18,7 +18,6 @@ import ( func TestEventMapping(t *testing.T) { usageDate := "2020-08-08" name := "test" - billingAccountId := "123" startDate := date.Time{} var charge decimal.Decimal = decimal.NewFromFloat(8.123456) @@ -38,19 +37,26 @@ func TestEventMapping(t *testing.T) { ChargeType: "Actual", ConfidenceLevels: nil, } - var pros = consumption.LegacyUsageDetailProperties{ - BillingAccountID: &billingAccountId, - BillingAccountName: &name, - BillingPeriodStartDate: &startDate, - BillingPeriodEndDate: &startDate, - Cost: &charge, - InvoiceSection: &name, - Product: &name, - } - var legacy = consumption.LegacyUsageDetail{ - LegacyUsageDetailProperties: &pros, + var prop1 = prevConsumption.UsageDetailProperties{ + InstanceName: &name, + SubscriptionName: &name, + AccountName: &name, + DepartmentName: &name, + Product: &name, + InstanceID: &name, + UsageStart: &startDate, + UsageEnd: &startDate, } - var usage = Usage{UsageDetails: []consumption.BasicUsageDetail{legacy}, + usage := Usage{ + UsageDetails: []prevConsumption.UsageDetail{ + { + UsageDetailProperties: &prop1, + ID: nil, + Name: nil, + Type: nil, + Tags: nil, + }, + }, ActualCosts: []consumption.Forecast{ { ForecastProperties: &prop2, @@ -58,17 +64,17 @@ func TestEventMapping(t *testing.T) { Name: nil, Type: nil, Tags: nil, - }}, ForecastCosts: []consumption.Forecast{ + }}, + ForecastCosts: []consumption.Forecast{ { ForecastProperties: &prop, ID: nil, Name: nil, Type: nil, Tags: nil, - }}} - startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-48) * time.Hour) - endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) - events := EventsMapping(usage, startTime, endTime, "sub") + }}, + } + events := EventsMapping("sub", usage) assert.Equal(t, len(events), 2) for _, event := range events { diff --git a/x-pack/metricbeat/module/azure/billing/mock_service.go b/x-pack/metricbeat/module/azure/billing/mock_service.go index c91723aee12d..2ab1d557855f 100644 --- a/x-pack/metricbeat/module/azure/billing/mock_service.go +++ b/x-pack/metricbeat/module/azure/billing/mock_service.go @@ -11,6 +11,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" ) @@ -35,19 +36,7 @@ func (service *MockService) GetForcast(filter string) (consumption.ForecastsList } // GetUsageDetails is a mock function for the billing service -func (service *MockService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) { +func (service *MockService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) { args := service.Called(scope, expand, filter, skiptoken, top, apply) - return args.Get(0).(consumption.UsageDetailsListResultPage), args.Error(1) -} - -// GetMarketplaceUsage -func (service *MockService) GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) { - args := service.Called(scope, filter, skiptoken, top) - return args.Get(0).(consumption.MarketplacesListResultPage), args.Error(1) -} - -// GetCharges -func (service *MockService) GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) { - args := service.Called(scope, startDate, endDate, filter, apply) - return args.Get(0).(consumption.ChargesListResult), args.Error(1) + return args.Get(0).(prevConsumption.UsageDetailsListResultPage), args.Error(1) } diff --git a/x-pack/metricbeat/module/azure/billing/service.go b/x-pack/metricbeat/module/azure/billing/service.go index 7f7831130dff..cb7d588a0f29 100644 --- a/x-pack/metricbeat/module/azure/billing/service.go +++ b/x-pack/metricbeat/module/azure/billing/service.go @@ -12,25 +12,23 @@ import ( "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-10-01/consumption" "github.com/Azure/go-autorest/autorest/azure/auth" + prevConsumption "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + "github.com/elastic/beats/v7/libbeat/logp" ) // Service interface for the azure monitor service and mock for testing type Service interface { GetForcast(filter string) (consumption.ForecastsListResult, error) - GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) - GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) - GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) + GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) } // BillingService service wrapper to the azure sdk for go type UsageService struct { - forcastsClient *consumption.ForecastsClient - usageClient *consumption.UsageDetailsClient - marketplaceClient *consumption.MarketplacesClient - chargesClient *consumption.ChargesClient - context context.Context - log *logp.Logger + usageDetailsClient *prevConsumption.UsageDetailsClient + forcastsClient *consumption.ForecastsClient + context context.Context + log *logp.Logger } // NewService instantiates the Azure monitoring service @@ -43,21 +41,15 @@ func NewService(config azure.Config) (*UsageService, error) { return nil, err } forcastsClient := consumption.NewForecastsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) - usageDetailsClient := consumption.NewUsageDetailsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) - // no data available for marketplace and charges apis but could be in the future - marketplaceClient := consumption.NewMarketplacesClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) - chargesClient := consumption.NewChargesClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) + usageDetailsClient := prevConsumption.NewUsageDetailsClientWithBaseURI(config.ResourceManagerEndpoint, config.SubscriptionId) + forcastsClient.Authorizer = authorizer usageDetailsClient.Authorizer = authorizer - marketplaceClient.Authorizer = authorizer - chargesClient.Authorizer = authorizer service := &UsageService{ - forcastsClient: &forcastsClient, - usageClient: &usageDetailsClient, - marketplaceClient: &marketplaceClient, - chargesClient: &chargesClient, - context: context.Background(), - log: logp.NewLogger("azure billing service"), + usageDetailsClient: &usageDetailsClient, + forcastsClient: &forcastsClient, + context: context.Background(), + log: logp.NewLogger("azure billing service"), } return service, nil } @@ -68,16 +60,6 @@ func (service *UsageService) GetForcast(filter string) (consumption.ForecastsLis } // GetUsageDetails -func (service *UsageService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply consumption.Metrictype) (consumption.UsageDetailsListResultPage, error) { - return service.usageClient.List(service.context, scope, expand, filter, skiptoken, top, apply) -} - -// GetMarketplaceUsage -func (service *UsageService) GetMarketplaceUsage(scope string, filter string, skiptoken string, top *int32) (consumption.MarketplacesListResultPage, error) { - return service.marketplaceClient.List(service.context, scope, filter, top, skiptoken) -} - -// GetCharges -func (service *UsageService) GetCharges(scope string, startDate string, endDate string, filter string, apply string) (consumption.ChargesListResult, error) { - return service.chargesClient.List(service.context, scope, startDate, endDate, filter, apply) +func (service *UsageService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (prevConsumption.UsageDetailsListResultPage, error) { + return service.usageDetailsClient.List(service.context, scope, expand, filter, skiptoken, top, apply) } diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml index 7507fcc099c0..093ac17761c0 100644 --- a/x-pack/winlogbeat/module/powershell/_meta/fields.yml +++ b/x-pack/winlogbeat/module/powershell/_meta/fields.yml @@ -127,6 +127,14 @@ - name: script_block_text type: text + analyzer: + winlogbeat_powershell_script_analyzer: + type: pattern + pattern: "[\\W&&[^-]]+" + search_analyzer: + winlogbeat_powershell_script_analyzer: + type: pattern + pattern: "[\\W&&[^-]]+" description: > Text of the executed script block. example: ".\\a_script.ps1" diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go index 16bb78e0a37e..8ca3a28ece40 100644 --- a/x-pack/winlogbeat/module/powershell/fields.go +++ b/x-pack/winlogbeat/module/powershell/fields.go @@ -19,5 +19,5 @@ func init() { // AssetPowershell returns asset data. // This is the base64 encoded zlib format compressed contents of module/powershell. func AssetPowershell() string { - return "eJy8V1FP6zgTfe+vGPGefBQKfO3DlVhWu6q0CwhY9qVSNYknjRfHztpOS/fXr2wn0Nwkl7ag5QGpsT3nzPjMmSSCF9rOoFQb0iYnIUYAlltBM7h3zx7dMygUqwSNABiZVPPSciVn8G0EAPCUkyFATWBzAlqTtJBxEsyAKSnlGU/BKr8YwkCmtP/5O0+1Miqz0Z9cMrUx0Tvk/+5K0uhwUABKBvWWXVZCrUw8AtAkCA3NICGLI6jRZyNPLwKJBe1mGHPmVwDstqSZK8BG6eZZK8OAM2dxvUivWJSuNm/UA59QuSG8kpckuKTl/sD39RHgXeyT8ckglK6kKTE9BOqhPtILNclweno1YdHkApNoQhfn0XQ8vYhoOp7+f4zpWZIkw2wM/V2RTKlFRSi56q11vRlkVSSkQWVeJO/hgF4prdzmDs/xIAWrLIq98J/czh3wgozBFRng0hNpkumCnw6ip6ooULavYqVVVfYR+BktOi2jJdZ0TEiZGNSRGvBG4lD/vWGjzd8e9l9+V2to86baQ3htVdzMFou6HxcLszWWivOzxSItWEyvVOthl5b7fyitWyzoMFrD+A7wUPynbXkY/nVZCp56z+oyWKOouhQsvdpB/JyAy7V6+QB2XpRK2+g3laLg/xDzMoL2zyjjghwRuNZpztf0QEZVOiXTZeowQxZLRha5MB3aqDVuh3h/21kAuJZht6ukSv6i1BpIlbTIJZcrCAjEgMtM6cLDDhd9D67xUVedk9/okEOc3krfBB7zN9C9CNUdvWx7wUHc6qPOFDY5T3NfnhAfuNnxjH5dMhY5Me/F9phObd/4nRRbqAwxP+fvUWNBlvRPXLL3G/eBY5hL5jqGTLD6Zq+n15+LMVQkYuvMYa98Du+7djau/D5Go8paH36hIPQqVhlwCxsuBDAqSTJQcveOfLJ96Tx674znd/GNKkpNxrjp9gsXFFZ+MFikpNTJqjKkj58vb3HcjelmwspVvbjXzGGqQC4PFc0fDi8c7S3N8/WvD9e3T18zSzzYoKjWuNIo7WCxSa64pOOLvPPKGkJ9VNE1aSeEQ7N8DscapXZgm7ihO61qHLbvslsFOrmIx/H46uryPB6fnl71DNhS05qryiyNRftJA7mvY4GPNZhNvz+skQtMRI85SNp8Bbtb2hxD7NGqsiQ2qDE3oL/gNTHsAxftI5GFrctEqPTl/XNh76rMWWdO1+A+4oCOTtkZSxhGV+eX42gyPbuMcDphEZsSsowlk/MMe9TVovqddx9s6PRqj2AeLxa4DNvi0vzgC6zUKiVj4hDbSXHZbucPP8i+a+O6d3NlvDHX8eE9fverrbdd+7muOfvM/Oh6jOP5kfT+g1ZsUut3idTydZ9FfPrl576GHR42z6i5N6h/AwAA///IlkMK" + return "eJzEV8Fu4zYQvfsrBjnspZAaJ86m9mGBdIsWBtokSNLsYb01RuLYYkORKknb8X59QYqKrUhKbCdocwhgkZz3ZubxjRTBA61HUKgVaZORED0Ay62gEVy7Z7fuGeSKLQT1ABiZVPPCciVH8KkHAHCXkSFATWAzAlqStDDjJJgBU1DKZzwFq/xiGQZmSvuff/BUK6NmNvrCJVMrE20gf7wqSKPDQQEoGYQt26yEmpu4B6BJEBoaQUIWexDQRz1PLwKJOW1nGHPmVwDsuqCRK8BK6epZLcMSZ8zisEiPmBeuNk/USz5l5brwCl6Q4JKmuwNfhyPAm9hH/aNOKL2QpsB0H6ibcKQVajDD4fH5gEWDM0yiAZ2dRsP+8CyiYX/4Ux/TkyRJutkY+mdBMqUaFaHkvLXWYTPIRZ6QBjXzItmEA3qkdOE2N3j2OylYZVHshH/ndm6B52QMzskAl55IlUwT/LgTPVV5jrLeirlWi6KNwC9o0WkZLbHqxpQpE4MQqQKvJA7h7wkbbfb0sL35Ta2hzapqd+HVVfF5NJmE+ziZmLWxlJ+eTCZpzmJ6pKCHbVru/760LjGn/Wh14zvAffHv1sV++BdFIXjqPavJYIli0aRg6dF24mcEXC7Vwyuw47xQ2ka/qxQF/07MywjqP6MZF+SIwIVOM76kGzJqoVMyTaYOs8xiysgiF6ZBG7XGdRfvT1sLABey3O0qqZK/KbUGUiUtcsnlHEoEYsDlTOncw3YXfQeu8UGtzshvdMhlnNZKfy55jJ9AdyIUbvS07gV7cQtHnSmsMp5mvjxlfOBmyzPadclY5MS8E9tDbmq941dSrGFhiPk5f40ac7Kkf+aSbTruA8cwlszdGDKl1Vd7Pb32XIyhPBFrZw475bP/vatn48rvY1SqDPrwCzmhV7GaAbew4kIAo4IkAyW3e+STbUvn1ntnPL6KP6u80GSMm26/ckHlyguDRUpKnawWhvTh8+UpjuuYriasnIfFnWYOUzlyua9o/nR45dHW0txf/HZzcXn3PrPEg3WKaolzjdJ2FpvknEs6vMhbr6xlqNcquiTthLBvlvflsUqpDdgqbnk7raoctq3ZtQIdncX9uH9+/vE07h8fn7cM2ELTkquFmRqL9o0Gch1igY/VmU27PyyRC0xEizlIWr0Hu0taHULs1qqiINapMTeg3+E1sdwHLtprIiu3ThOh0ofN58LOVRmzxpwO4D5ih46O2QlLGEbnpx/70WB48jHC4YBFbEjIZiwZnM6wRV01qs+8u9XQUaJYfyc9qrVuxaVQ84TQTjeVn4bg7Ueq+AVaS1o+WwtPR3D0dTL58uHD17+ib99+ONraZQh1mnUE/x/4vDTp6NEe0NJ4MsHAOS7MC5+mhVYpGROXsd0dndZ97tUv1Wf+FkwtU8ZPrBAfNvGbn7OtPtbOdcnZWwZr03wdz9fu5H/gUVVq7faZWr5s8843vxVeB9juKXyPmnvn/jcAAP//Kx+R4w==" }