From 1806da0141f45c955d199e88ac205483fbc740c6 Mon Sep 17 00:00:00 2001 
From: Ryland Herrick
Date: Tue, 7 Sep 2021 10:41:43 -0500
Subject: [PATCH] [Filebeat] Threatintel compatibility updates (#27323)
* First pass on updating filebeat threatintel logic for ECS 1.11 This only covers modules starting with an a; the rest will follow shortly. In general, these changes address the following goals:
* preference for indicator.url.domain, and deprecation of indicator.domain
* moving from event.reference to indicator.reference
* Move remaining modules from indicator.domain -> indicator.url.domain Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline.
* Update indicator.reference in relevant modules
* Fix missing prefix in target field
* linting and apply new testfiles
* Run `make update` in filebeat
* fixing duplicate fields
* mage fmt update
* linting
Co-authored-by: Marius Iversen
---
 filebeat/docs/fields.asciidoc | 12 +-
 filebeat/docs/modules/threatintel.asciidoc | 4 +-
 .../module/threatintel/_meta/docs.asciidoc | 4 +-
 .../module/threatintel/_meta/fields.yml | 502 +++++------
 .../abusemalware/ingest/pipeline.yml | 252 +++---
 .../abusechmalware.ndjson.log-expected.json | 25 -
 .../threatintel/abuseurl/ingest/pipeline.yml | 198 +++--
 .../test/abusechurl.ndjson.log-expected.json | 353 ++++----
 .../threatintel/anomali/ingest/pipeline.yml | 283 ++++---
 .../anomali_limo.ndjson.log-expected.json | 114 ++-
 .../anomalithreatstream/ingest/pipeline.yml | 792 +++++++++---------
 .../test/generated.log-expected.json | 416 ++++++---
 x-pack/filebeat/module/threatintel/fields.go | 2 +-
 .../malwarebazaar/ingest/pipeline.yml | 393 +++++----
 .../threatintel/misp/ingest/pipeline.yml | 537 ++++++------
 .../test/misp_sample.ndjson.log-expected.json | 6 +-
 .../threatintel/otx/ingest/pipeline.yml | 291 ++++---
 .../test/otx_sample.ndjson.log-expected.json | 36 +-
 .../recordedfuture/ingest/pipeline.yml | 66 +-
 .../test/domain.ndjson.log-expected.json | 40 +-
 .../test/hash.ndjson.log-expected.json | 20 +-
 .../test/ip.ndjson.log-expected.json | 20 +-
 .../test/url.ndjson.log-expected.json | 20 +-
 23 files changed, 2299 insertions(+), 2087 deletions(-)
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 43ce5a21071..6e40ec0107f 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -156557,23 +156557,23 @@ type: keyword -- -*`threatintel.indicator.ip`*:: +*`threatintel.indicator.reference`*:: + -- -Identifies a threat indicator as an IP address (irrespective of direction). +Reference URL linking to additional information about this indicator. -type: ip +type: keyword -- -*`threatintel.indicator.domain`*:: +*`threatintel.indicator.ip`*:: + -- -Identifies a threat indicator as a domain (irrespective of direction). +Identifies a threat indicator as an IP address (irrespective of direction). -type: keyword +type: ip --
diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
index f637b8beb6c..4fe241ab4e0 100644
--- a/filebeat/docs/modules/threatintel.asciidoc
+++ b/filebeat/docs/modules/threatintel.asciidoc
@@ -68,7 +68,7 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | URL Threat Intel Fields | ECS Fields
-| url | threat.indicator.url.full
+| url | threatintel.indicator.url.full
 | date_added | @timestamp
 | host | threatintel.indicator.ip/domain
 |==============================================================
@@ -473,7 +473,7 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 | date_first | threatintel.indicator.first_seen
 | date_last | threatintel.indicator.last_seen
 | detail | tags
-| domain | threatintel.indicator.domain
+| domain | threatintel.indicator.url.domain
 | email | threatintel.indicator.email.address
 | itype<> | threatintel.indicator.type
 | lat | threatintel.indicator.geo.location.lat
diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
index fa770e0eb6e..c183d210418 100644
--- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -63,7 +63,7 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | URL Threat Intel Fields | ECS Fields
-| url | threat.indicator.url.full
+| url | threatintel.indicator.url.full
 | date_added | @timestamp
 | host | threatintel.indicator.ip/domain
 |==============================================================
@@ -468,7 +468,7 @@ Anomali ThreatStream fields are mapped to the following ECS fields:
 | date_first | threatintel.indicator.first_seen
 | date_last | threatintel.indicator.last_seen
 | detail | tags
-| domain | threatintel.indicator.domain
+| domain | threatintel.indicator.url.domain
 | email | threatintel.indicator.email.address
 | itype<> | threatintel.indicator.type
 | lat | threatintel.indicator.geo.location.lat
diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml
index fb4ef48b062..1ef368f528e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml
@@ -73,14 +73,14 @@
 type: keyword
 description: >
 Identifies the name of specific dataset from the intelligence source.
+ - name: indicator.reference
+ type: keyword
+ description: >
+ Reference URL linking to additional information about this indicator.
 - name: indicator.ip
 type: ip
 description: >
 Identifies a threat indicator as an IP address (irrespective of direction).
- - name: indicator.domain
- type: keyword
- description: >
- Identifies a threat indicator as a domain (irrespective of direction).
 - name: indicator.port
 type: long
 description:
> @@ -101,285 +101,291 @@ - name: indicator.matched type: group fields: - - name: atomic - type: keyword - description: > - Identifies the atomic indicator that matched a local environment endpoint or network event. - - name: field - type: keyword - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - name: type - type: keyword - description: > - Identifies the type of the atomic indicator that matched a local environment endpoint or network event. + - name: atomic + type: keyword + description: > + Identifies the atomic indicator that matched a local environment endpoint or network event. + - name: field + type: keyword + description: > + Identifies the field of the atomic indicator that matched a local environment endpoint or network event. + - name: type + type: keyword + description: > + Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - name: indicator.as type: group fields: - - name: number - type: long - description: Unique number allocated to the autonomous system. The autonomous system number (ASN) - uniquely identifies each network on the Internet. - example: 15169 - - name: organization.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC + - name: number + type: long + description: + Unique number allocated to the autonomous system. The autonomous system number (ASN) + uniquely identifies each network on the Internet. + example: 15169 + - name: organization.name + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC - name: indicator.registry type: group fields: - - name: data.strings - type: keyword - ignore_above: 1024 - description: > - Content when writing string types. 
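Review bot: `indicator.domain` is deleted from the field definitions in this hunk while the commit message describes it as a deprecation; once the mapping is gone, saved searches, visualizations and indicator-match detection rules keyed on `threatintel.indicator.domain` silently stop matching documents from the updated pipelines, and nothing in the definitions points them to `threatintel.indicator.url.domain`. The module docs changed in this same commit still list `threatintel.indicator.ip/domain` for the Abuse.ch URL `host` column, so the rename is not surfaced to readers there either. I'd keep a short migration hint next to the replacement field, e.g. a description line `Supersedes the former threatintel.indicator.domain field, which this change stops populating.` under `indicator.url.domain` (defined further down this file), and update the docs table cell to `threatintel.indicator.ip/url.domain`. The surrounding `fields` list begins and ends outside this hunk.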
- Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`). - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - - name: path - type: keyword - ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - - name: value - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger - - name: key - type: keyword - ignore_above: 1024 - description: Registry key value + - name: data.strings + type: keyword + ignore_above: 1024 + description: > + Content when writing string types. + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`). + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + - name: path + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: + HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + - name: value + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + - name: key + type: keyword + ignore_above: 1024 + description: Registry key value - name: indicator.geo type: group fields: - - name: city_name - type: keyword - ignore_above: 1024 - description: City name. 
- example: Montreal - - name: continent_name - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: region_iso_code - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: region_name - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec + - name: city_name + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: continent_name + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: country_iso_code + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: country_name + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: region_iso_code + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: region_name + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec - name: indicator.file.pe.imphash type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash + description: + "A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html." example: 0c6803c4e922103c4dca5963aad36ddf - name: indicator.file type: group fields: - - name: hash - type: group - fields: - - name: tlsh + - name: hash + type: group + fields: + - name: tlsh + type: keyword + description: > + The file's import tlsh, if available. + - name: ssdeep + type: keyword + description: > + The file's ssdeep hash, if available. + - name: md5 + type: keyword + description: > + The file's md5 hash, if available. + - name: sha1 + type: keyword + description: > + The file's sha1 hash, if available. + - name: sha256 + type: keyword + description: > + The file's sha256 hash, if available. + - name: sha384 + type: keyword + description: > + The file's sha384 hash, if available. + - name: sha512 + type: keyword + description: > + The file's sha512 hash, if available. + - name: type type: keyword + ignore_above: 1024 + description: > + The file type. + - name: size + type: long description: > - The file's import tlsh, if available. - - name: ssdeep + The file's total size. + - name: name type: keyword description: > - The file's ssdeep hash, if available. - - name: md5 + The file's name. + - name: extension type: keyword description: > - The file's md5 hash, if available. - - name: sha1 + The file's extension. + - name: mime_type type: keyword description: > - The file's sha1 hash, if available. - - name: sha256 + The file's MIME type. + - name: indicator.url + type: group + fields: + - name: domain type: keyword description: > - The file's sha256 hash, if available. - - name: sha384 + Domain of the url, such as "www.elastic.co". + - name: extension type: keyword + ignore_above: 1024 description: > - The file's sha384 hash, if available. 
- - name: sha512 + The field contains the file extension from the original request + - name: fragment type: keyword + ignore_above: 1024 description: > - The file's sha512 hash, if available. - - name: type - type: keyword - ignore_above: 1024 - description: > - The file type. - - name: size - type: long - description: > - The file's total size. - - name: name - type: keyword - description: > - The file's name. - - name: extension - type: keyword - description: > - The file's extension. - - name: mime_type - type: keyword - description: > - The file's MIME type. - - name: indicator.url - type: group - fields: - - name: domain - type: keyword - description: > - Domain of the url, such as "www.elastic.co". - - name: extension - type: keyword - ignore_above: 1024 - description: > - The field contains the file extension from the original request - - name: fragment - type: keyword - ignore_above: 1024 - description: > - Portion of the url after the `#`, such as "top". - - name: full - type: keyword - description: > - If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - - name: original - type: keyword - description: > - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - - name: password - type: keyword - ignore_above: 1024 - description: > - Password of the request. - - name: path - type: keyword - description: > - Path of the request, such as "/search". - - name: port - type: long - format: string - description: > - Port of the request, such as 443. - - name: query - type: keyword - ignore_above: 1024 - description: > - The query field describes the query string of the request, such - as "q=elasticsearch". 
- The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases. - - name: registered_domain - type: keyword - description: > - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk". - - name: scheme - type: keyword - ignore_above: 1024 - description: > - Scheme of the request, such as "https". - - name: subdomain - type: keyword - ignore_above: 1024 - description: > - The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period. - - name: top_level_domain - type: keyword - ignore_above: 1024 - description: > - The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk". - - name: username - type: keyword - ignore_above: 1024 - description: > - Username of the request. 
+ Portion of the url after the `#`, such as "top". + - name: full + type: keyword + description: > + If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + - name: original + type: keyword + description: > + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + - name: password + type: keyword + ignore_above: 1024 + description: > + Password of the request. + - name: path + type: keyword + description: > + Path of the request, such as "/search". + - name: port + type: long + format: string + description: > + Port of the request, such as 443. + - name: query + type: keyword + ignore_above: 1024 + description: > + The query field describes the query string of the request, such + as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases. + - name: registered_domain + type: keyword + description: > + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk". + - name: scheme + type: keyword + ignore_above: 1024 + description: > + Scheme of the request, such as "https". 
+ - name: subdomain + type: keyword + ignore_above: 1024 + description: > + The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + - name: top_level_domain + type: keyword + ignore_above: 1024 + description: > + The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk". + - name: username + type: keyword + ignore_above: 1024 + description: > + Username of the request. - name: indicator.x509 type: group fields: - - name: serial_number - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - - name: issuer - type: keyword - ignore_above: 1024 - description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - - name: subject - type: keyword - ignore_above: 1024 - description: Name of the certificate subject entity. 
Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - - name: alternative_names - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + - name: serial_number + type: keyword + ignore_above: 1024 + description: + Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + - name: issuer + type: keyword + ignore_above: 1024 + description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. + example: + C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + - name: subject + type: keyword + ignore_above: 1024 + description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + - name: alternative_names + type: keyword + ignore_above: 1024 + description: + List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: "*.elastic.co" - name: indicator.signature type: keyword description: > diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml index 42ed997a44f..5e24b68c52e 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml 
@@ -1,138 +1,138 @@ description: Pipeline for parsing Abuse.ch Malware Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.abusemalware + ignore_missing: true -###################### -# General ECS fields # -###################### -- rename: - field: json - target_field: threatintel.abusemalware - ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + - date: + field: threatintel.abusemalware.firstseen + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx?.threatintel?.abusemalware.firstseen != null" + - set: + field: threatintel.indicator.type + value: file + - rename: + field: threatintel.abusemalware.file_size + target_field: threatintel.indicator.file.size + ignore_missing: true + - rename: + field: threatintel.abusemalware.file_type + target_field: threatintel.indicator.file.type + ignore_missing: true + # This includes a direct link to malicious files, we do not want them to appear in Kibana + # in case they are accidently clicked. 
+ - remove: + field: threatintel.abusemalware.urlhaus_download + ignore_missing: true + - convert: + field: threatintel.indicator.file.size + type: long + ignore_missing: true + - rename: + field: threatintel.abusemalware.md5_hash + target_field: threatintel.indicator.file.hash.md5 + ignore_missing: true + - rename: + field: threatintel.abusemalware.sha256_hash + target_field: threatintel.indicator.file.hash.sha256 + ignore_missing: true + - rename: + field: threatintel.abusemalware.imphash + target_field: threatintel.indicator.file.pe.imphash + ignore_missing: true + - rename: + field: threatintel.abusemalware.ssdeep + target_field: threatintel.indicator.file.hash.ssdeep + ignore_missing: true + - rename: + field: threatintel.abusemalware.tlsh + target_field: threatintel.indicator.file.hash.tlsh + ignore_missing: true + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.md5 }}" + if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.sha256 }}" + if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.ssdeep }}" + if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.pe.imphash }}" + if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.tlsh }}" + if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null -##################### -# Threat ECS Fields # -##################### -- date: - field: threatintel.abusemalware.firstseen - target_field: threatintel.indicator.first_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd HH:mm:ss Z" - - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.abusemalware.firstseen != null" -- set: - field: threatintel.indicator.type - value: file -- rename: - field: 
threatintel.abusemalware.file_size - target_field: threatintel.indicator.file.size - ignore_missing: true -- rename: - field: threatintel.abusemalware.file_type - target_field: threatintel.indicator.file.type - ignore_missing: true -- rename: - field: threatintel.abusemalware.urlhaus_download - target_field: event.reference - ignore_missing: true -- convert: - field: threatintel.indicator.file.size - type: long - ignore_missing: true -- rename: - field: threatintel.abusemalware.md5_hash - target_field: threatintel.indicator.file.hash.md5 - ignore_missing: true -- rename: - field: threatintel.abusemalware.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 - ignore_missing: true -- rename: - field: threatintel.abusemalware.imphash - target_field: threatintel.indicator.file.pe.imphash - ignore_missing: true -- rename: - field: threatintel.abusemalware.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep - ignore_missing: true -- rename: - field: threatintel.abusemalware.tlsh - target_field: threatintel.indicator.file.hash.tlsh - ignore_missing: true -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.md5 }}' - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.sha256 }}' - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.ssdeep }}' - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.pe.imphash }}' - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.tlsh }}' - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null - -###################### -# Cleanup processors # -###################### -- set: - field: threatintel.indicator.type - value: unknown - if: 
ctx?.threatintel?.indicator?.type == null -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.abusemalware.firstseen - - message - ignore_missing: true + handleMap(ctx); + - remove: + field: + - threatintel.abusemalware.firstseen + - message + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json index 7ebe04b2f10..6c31b6f779c 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json 
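Review bot: The `date` processor's condition `if: "ctx?.threatintel?.abusemalware.firstseen != null"` is missing the null-safe accessor between `abusemalware` and `firstseen`, unlike every other condition in this pipeline (`ctx?.threatintel?.indicator?.file?.hash?.md5 != null`); when an event arrives without a `json` object the preceding `rename` is skipped via `ignore_missing`, and as I read Painless's `?.`, which guards only the access it is attached to, the condition then dereferences null and the document lands in `on_failure` with an `error.message` instead of simply skipping the date parse. Change it to `if: ctx?.threatintel?.abusemalware?.firstseen != null`. The comment above the `remove` of `threatintel.abusemalware.urlhaus_download` has a typo (`accidently` → `accidentally`) and would be more useful if it also said that this is why the value is dropped here rather than mapped to `threatintel.indicator.reference` as the commit message describes for the other modules, e.g. `# Dropped rather than mapped to threatintel.indicator.reference: the value is a direct download link to a malware sample and must not be rendered as a clickable URL in Kibana.` The hunk covers the whole file, so nothing of the pipeline lies outside it.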
@@ -4,7 +4,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -36,7 +35,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -68,7 +66,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -103,7 +100,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -135,7 +131,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -165,7 +160,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -200,7 +194,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -232,7 +225,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -264,7 +256,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -297,7 +288,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -329,7 +319,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -361,7 +350,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -393,7 +381,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -425,7 +412,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -457,7 +443,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -490,7 +475,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -522,7 +506,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -554,7 +537,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -587,7 +569,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -619,7 +600,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -651,7 +631,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -684,7 +663,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -716,7 +694,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -748,7 +725,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -780,7 +756,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml index 75631742b17..bf674ba2c88 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml 
@@ -1,114 +1,110 @@ description: Pipeline for parsing Abuse.ch URL Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.abuseurl + ignore_missing: true -###################### -# General ECS fields # -###################### -- rename: - field: json - target_field: threatintel.abuseurl - ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + - set: + field: threatintel.indicator.type + value: url + - date: + field: threatintel.abuseurl.date_added + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + if: "ctx?.threatintel?.abuseurl?.date_added != null" + - uri_parts: + field: threatintel.abuseurl.url + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + ignore_empty_value: true + - rename: + field: threatintel.abuseurl.urlhaus_reference + target_field: threatintel.indicator.reference + ignore_missing: true -##################### -# Threat ECS Fields # -##################### -- set: - field: threatintel.indicator.type - value: url -- date: - field: threatintel.abuseurl.date_added - target_field: threatintel.indicator.first_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd 
HH:mm:ss Z" - if: "ctx?.threatintel?.abuseurl?.date_added != null" -- uri_parts: - field: threatintel.abuseurl.url - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true -- rename: - field: threatintel.abuseurl.host - target_field: threatintel.indicator.domain - ignore_missing: true -- rename: - field: threatintel.abuseurl.urlhaus_reference - target_field: event.reference - ignore_missing: true + # Host can be both IP addresses and domain names + - grok: + field: threatintel.abuseurl.host + patterns: + - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})" + ignore_failure: true + - rename: + field: threatintel.abuseurl.reporter + target_field: threatintel.indicator.provider + ignore_missing: true -# Host can be both IP addresses and domain names -- grok: - field: threatintel.abuseurl.host - patterns: - - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.domain})" - ignore_failure: true -- rename: - field: threatintel.abuseurl.reporter - target_field: threatintel.indicator.provider - ignore_missing: true - -###################### -# Cleanup processors # -###################### -- set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null -- convert: - field: threatintel.abuseurl.larted - type: boolean - ignore_missing: true -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: 
ctx?.threatintel?.indicator?.type == null + - convert: + field: threatintel.abuseurl.larted + type: boolean + ignore_missing: true + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.abuseurl.date_added - - threatintel.abuseurl.url - - message - ignore_missing: true + handleMap(ctx); + - remove: + field: + - threatintel.abuseurl.date_added + - threatintel.abuseurl.url + - threatintel.abuseurl.host + - message + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json index a37eb5f45de..3b312440b34 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json @@ -4,7 +4,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961548/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
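Review bot: The grok pattern applied to `threatintel.abuseurl.host` is unanchored, so a hostname whose leading labels look like an IPv4 address (for example `1.2.3.4.example.com`) matches the `%{IP}` branch on its first four octets and is emitted as `threatintel.indicator.ip` rather than a domain, with the rest of the host captured nowhere. Anchoring the pattern makes the whole value have to be either an IP or a domain: `- "^(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})$"`. The domain branch also writes `threatintel.indicator.url.domain`, which `uri_parts` already populated earlier in this pipeline; the commit description mentions conditional checks against overwriting `uri_parts` output, but none is visible on this processor, so a feed `host` that disagrees with the parsed URL host would silently replace it — an `if: ctx?.threatintel?.indicator?.url?.domain == null` guard (or a distinct target field) would keep the parsed value. Because `threatintel.abuseurl.host` is now dropped in the cleanup `remove` step, a misclassified value cannot be recovered downstream.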
@@ -24,9 +23,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "103.72.223.103", "threatintel.indicator.first_seen": "2021-01-14T21:19:13.000Z", + "threatintel.indicator.ip": "103.72.223.103", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "103.72.223.103", "threatintel.indicator.url.extension": "m", @@ -41,7 +41,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961546/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -61,9 +60,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "112.30.97.184", "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threatintel.indicator.ip": "112.30.97.184", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961546/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "112.30.97.184", "threatintel.indicator.url.extension": "m", @@ -78,7 +78,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961547/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -98,9 +97,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "113.110.198.53", "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threatintel.indicator.ip": "113.110.198.53", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961547/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "113.110.198.53", "threatintel.indicator.url.extension": "m", @@ -115,7 +115,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961545/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -135,9 +134,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "101.20.183.170", "threatintel.indicator.first_seen": "2021-01-14T21:19:04.000Z", + "threatintel.indicator.ip": "101.20.183.170", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961545/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "101.20.183.170", "threatintel.indicator.url.extension": "m", @@ -152,7 +152,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961544/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -172,9 +171,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "59.8.35.22", "threatintel.indicator.first_seen": "2021-01-14T21:07:07.000Z", + "threatintel.indicator.ip": "59.8.35.22", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961544/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.8.35.22", "threatintel.indicator.url.extension": "a", @@ -189,7 +189,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961543/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -209,9 +208,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "59.96.37.35", "threatintel.indicator.first_seen": "2021-01-14T21:07:06.000Z", + "threatintel.indicator.ip": "59.96.37.35", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961543/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.96.37.35", "threatintel.indicator.url.extension": "a", @@ -226,7 +226,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961540/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -246,9 +245,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.239.233.17", "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.ip": "42.239.233.17", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961540/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.239.233.17", "threatintel.indicator.url.extension": "m", @@ -263,7 +263,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961541/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -283,9 +282,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "58.252.178.20", "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.ip": "58.252.178.20", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961541/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "58.252.178.20", "threatintel.indicator.url.extension": "m", @@ -300,7 +300,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961542/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -320,9 +319,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "45.176.111.95", "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.ip": "45.176.111.95", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961542/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "45.176.111.95", "threatintel.indicator.url.extension": "m", @@ -337,7 +337,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961539/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -357,9 +356,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.224.68.97", "threatintel.indicator.first_seen": "2021-01-14T21:07:04.000Z", + "threatintel.indicator.ip": "42.224.68.97", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961539/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.68.97", "threatintel.indicator.url.extension": "m", @@ -374,7 +374,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961538/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -394,9 +393,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "222.81.144.207", "threatintel.indicator.first_seen": "2021-01-14T21:06:08.000Z", + "threatintel.indicator.ip": "222.81.144.207", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961538/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "222.81.144.207", "threatintel.indicator.url.extension": "m", @@ -411,7 +411,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961537/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -431,9 +430,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.127.185.137", "threatintel.indicator.first_seen": "2021-01-14T21:06:06.000Z", + "threatintel.indicator.ip": "182.127.185.137", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961537/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.127.185.137", "threatintel.indicator.url.extension": "m", @@ -448,7 +448,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961531/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -468,9 +467,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "39.84.175.185", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "39.84.175.185", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961531/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "39.84.175.185", "threatintel.indicator.url.extension": "a", @@ -485,7 +485,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961532/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -505,9 +504,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "27.41.11.238", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "27.41.11.238", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961532/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.41.11.238", "threatintel.indicator.url.extension": "m", @@ -522,7 +522,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961533/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -542,9 +541,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.127.133.68", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "182.127.133.68", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961533/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.127.133.68", "threatintel.indicator.url.extension": "a", @@ -559,7 +559,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961534/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -579,9 +578,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "27.46.44.102", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "27.46.44.102", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961534/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.46.44.102", "threatintel.indicator.url.extension": "m", @@ -596,7 +596,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961535/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -616,9 +615,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "39.70.88.65", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "39.70.88.65", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961535/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "39.70.88.65", "threatintel.indicator.url.extension": "m", @@ -633,7 +633,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961536/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -653,9 +652,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.224.136.237", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "42.224.136.237", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961536/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.136.237", "threatintel.indicator.url.extension": "m", @@ -670,7 +670,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961530/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -690,9 +689,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "117.208.135.63", "threatintel.indicator.first_seen": "2021-01-14T21:05:34.000Z", + "threatintel.indicator.ip": "117.208.135.63", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961530/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.208.135.63", "threatintel.indicator.url.extension": "a", @@ -707,7 +707,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961525/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -727,9 +726,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "125.47.66.60", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "125.47.66.60", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "125.47.66.60", "threatintel.indicator.url.extension": "m", @@ -744,7 +744,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961526/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -764,9 +763,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.117.95.148", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "182.117.95.148", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.117.95.148", "threatintel.indicator.url.extension": "a", @@ -781,7 +781,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961527/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -801,9 +800,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "117.202.71.48", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "117.202.71.48", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.202.71.48", "threatintel.indicator.url.extension": "m", @@ -818,7 +818,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961528/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -838,9 +837,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "125.99.132.118", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "125.99.132.118", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "125.99.132.118", "threatintel.indicator.url.extension": "m", @@ -855,7 +855,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961529/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -875,9 +874,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.114.123.69", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "182.114.123.69", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.114.123.69", "threatintel.indicator.url.extension": "m", @@ -892,7 +892,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961524/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -911,9 +910,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "116.19.127.37", "threatintel.indicator.first_seen": "2021-01-14T21:04:38.000Z", + "threatintel.indicator.ip": "116.19.127.37", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "116.19.127.37", "threatintel.indicator.url.extension": "m", @@ -928,7 +928,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961523/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -947,9 +946,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "42.239.253.55", "threatintel.indicator.first_seen": "2021-01-14T21:04:36.000Z", + "threatintel.indicator.ip": "42.239.253.55", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.239.253.55", "threatintel.indicator.url.extension": "m", @@ -964,7 +964,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961520/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -983,9 +982,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "103.217.121.228",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z",
+ "threatintel.indicator.ip": "103.217.121.228",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961520/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "103.217.121.228",
 "threatintel.indicator.url.extension": "m",
@@ -1000,7 +1000,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961521/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1019,9 +1018,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "111.92.81.255",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z",
+ "threatintel.indicator.ip": "111.92.81.255",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961521/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "111.92.81.255",
 "threatintel.indicator.url.extension": "m",
@@ -1036,7 +1036,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961522/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1055,9 +1054,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "45.229.55.75",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z",
+ "threatintel.indicator.ip": "45.229.55.75",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961522/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "45.229.55.75",
 "threatintel.indicator.url.extension": "m",
@@ -1072,7 +1072,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961518/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1091,9 +1090,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "182.121.242.148",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z",
+ "threatintel.indicator.ip": "182.121.242.148",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961518/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "182.121.242.148",
 "threatintel.indicator.url.extension": "m",
@@ -1108,7 +1108,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961519/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1128,9 +1127,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "106.115.189.249",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z",
+ "threatintel.indicator.ip": "106.115.189.249",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961519/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "106.115.189.249",
 "threatintel.indicator.url.extension": "m",
@@ -1145,7 +1145,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961516/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1166,9 +1165,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "182.117.93.110",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z",
+ "threatintel.indicator.ip": "182.117.93.110",
 "threatintel.indicator.provider": "geenensp",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961516/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "182.117.93.110",
 "threatintel.indicator.url.extension": "sh",
@@ -1183,7 +1183,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961517/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1203,9 +1202,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "110.251.5.169",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z",
+ "threatintel.indicator.ip": "110.251.5.169",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961517/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "110.251.5.169",
 "threatintel.indicator.url.extension": "m",
@@ -1220,7 +1220,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961515/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1239,9 +1238,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "101.51.117.186",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:06.000Z",
+ "threatintel.indicator.ip": "101.51.117.186",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961515/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "101.51.117.186",
 "threatintel.indicator.url.extension": "m",
@@ -1256,7 +1256,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961513/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1275,9 +1274,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "121.151.78.166",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z",
+ "threatintel.indicator.ip": "121.151.78.166",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961513/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "121.151.78.166",
 "threatintel.indicator.url.extension": "m",
@@ -1292,7 +1292,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961514/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1311,9 +1310,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "116.72.92.97",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z",
+ "threatintel.indicator.ip": "116.72.92.97",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961514/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "116.72.92.97",
 "threatintel.indicator.url.extension": "m",
@@ -1328,7 +1328,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961509/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1347,9 +1346,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "27.218.15.209",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threatintel.indicator.ip": "27.218.15.209",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961509/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "27.218.15.209",
 "threatintel.indicator.url.extension": "m",
@@ -1364,7 +1364,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961510/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1383,9 +1382,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "120.85.171.210",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threatintel.indicator.ip": "120.85.171.210",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961510/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "120.85.171.210",
 "threatintel.indicator.url.extension": "m",
@@ -1400,7 +1400,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961511/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1421,9 +1420,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "117.251.59.53",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threatintel.indicator.ip": "117.251.59.53",
 "threatintel.indicator.provider": "geenensp",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961511/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "117.251.59.53",
 "threatintel.indicator.url.full": "http://117.251.59.53:50611/i",
@@ -1437,7 +1437,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961512/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1456,9 +1455,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "115.58.83.167",
 "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threatintel.indicator.ip": "115.58.83.167",
 "threatintel.indicator.provider": "Gandylyan1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961512/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "115.58.83.167",
 "threatintel.indicator.url.extension": "m",
@@ -1473,7 +1473,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961507/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1493,9 +1492,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "94.178.124.83",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z",
+ "threatintel.indicator.ip": "94.178.124.83",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961507/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "94.178.124.83",
 "threatintel.indicator.url.extension": "m",
@@ -1510,7 +1510,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961508/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1530,9 +1529,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "182.122.75.232",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z",
+ "threatintel.indicator.ip": "182.122.75.232",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961508/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "182.122.75.232",
 "threatintel.indicator.url.extension": "m",
@@ -1547,7 +1547,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961506/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1567,9 +1566,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "115.63.202.43",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:07.000Z",
+ "threatintel.indicator.ip": "115.63.202.43",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961506/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "115.63.202.43",
 "threatintel.indicator.url.extension": "m",
@@ -1584,7 +1584,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961504/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1604,9 +1603,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "59.99.40.204",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z",
+ "threatintel.indicator.ip": "59.99.40.204",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961504/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "59.99.40.204",
 "threatintel.indicator.url.extension": "m",
@@ -1621,7 +1621,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961505/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1641,9 +1640,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "117.247.128.213",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z",
+ "threatintel.indicator.ip": "117.247.128.213",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961505/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "117.247.128.213",
 "threatintel.indicator.url.extension": "m",
@@ -1658,7 +1658,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961500/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1678,9 +1677,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "14.137.219.132",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threatintel.indicator.ip": "14.137.219.132",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961500/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "14.137.219.132",
 "threatintel.indicator.url.extension": "a",
@@ -1695,7 +1695,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961501/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1715,9 +1714,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "42.224.40.14",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threatintel.indicator.ip": "42.224.40.14",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961501/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "42.224.40.14",
 "threatintel.indicator.url.extension": "m",
@@ -1732,7 +1732,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961502/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1752,9 +1751,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "186.33.104.107",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threatintel.indicator.ip": "186.33.104.107",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961502/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "186.33.104.107",
 "threatintel.indicator.url.extension": "m",
@@ -1769,7 +1769,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961503/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1789,9 +1788,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "85.105.16.154",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threatintel.indicator.ip": "85.105.16.154",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961503/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "85.105.16.154",
 "threatintel.indicator.url.extension": "m",
@@ -1806,7 +1806,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961496/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1826,9 +1825,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "178.141.73.115",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threatintel.indicator.ip": "178.141.73.115",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961496/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "178.141.73.115",
 "threatintel.indicator.url.extension": "a",
@@ -1843,7 +1843,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961497/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1863,9 +1862,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "186.33.104.135",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threatintel.indicator.ip": "186.33.104.135",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961497/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "186.33.104.135",
 "threatintel.indicator.url.extension": "m",
@@ -1880,7 +1880,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961498/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1900,9 +1899,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "115.56.159.43",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threatintel.indicator.ip": "115.56.159.43",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961498/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "115.56.159.43",
 "threatintel.indicator.url.extension": "m",
@@ -1917,7 +1917,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961499/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1937,9 +1936,10 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.domain": "42.230.138.170",
 "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z",
+ "threatintel.indicator.ip": "42.230.138.170",
 "threatintel.indicator.provider": "lrz_urlhaus",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961499/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "42.230.138.170",
 "threatintel.indicator.url.extension": "m",
@@ -1954,7 +1954,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961494/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -1973,9 +1972,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961494/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -1989,7 +1988,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961495/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2008,9 +2006,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961495/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "png",
@@ -2024,7 +2022,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961492/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2043,9 +2040,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961492/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2059,7 +2056,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961493/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2078,9 +2074,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "letonguesc.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961493/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "letonguesc.com",
 "threatintel.indicator.url.extension": "css",
@@ -2094,7 +2090,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961490/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2113,9 +2108,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961490/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "png",
@@ -2129,7 +2124,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961491/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2148,9 +2142,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961491/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "css",
@@ -2164,7 +2158,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961489/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2183,9 +2176,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:41.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961489/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "gif",
@@ -2199,7 +2192,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961488/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2218,9 +2210,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:40.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961488/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "png",
@@ -2234,7 +2226,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961487/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2253,9 +2244,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:17.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961487/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2269,7 +2260,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961485/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2288,9 +2278,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961485/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "css",
@@ -2304,7 +2294,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961486/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2323,9 +2312,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "letonguesc.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961486/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "letonguesc.com",
 "threatintel.indicator.url.extension": "gif",
@@ -2339,7 +2328,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961482/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2358,9 +2346,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961482/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "css",
@@ -2374,7 +2362,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961483/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2393,9 +2380,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961483/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "png",
@@ -2409,7 +2396,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961484/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2428,9 +2414,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961484/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2444,7 +2430,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961480/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2463,9 +2448,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961480/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "png",
@@ -2479,7 +2464,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961481/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2498,9 +2482,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961481/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "jpg", @@ -2514,7 +2498,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961478/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -2533,9 +2516,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961478/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "png", @@ -2549,7 +2532,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961479/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2568,9 +2550,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "ladiesincode.com", "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961479/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "gif", @@ -2584,7 +2566,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961476/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -2603,9 +2584,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961476/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "css", @@ -2619,7 +2600,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961477/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2638,9 +2618,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "belfetproduction.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961477/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "png", @@ -2654,7 +2634,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961470/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -2673,9 +2652,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961470/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "jpg", @@ -2689,7 +2668,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961471/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2708,9 +2686,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "fhivelifestyle.online", "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961471/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "fhivelifestyle.online", "threatintel.indicator.url.extension": "jpg", @@ -2724,7 +2702,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961472/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -2743,9 +2720,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "belfetproduction.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961472/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", @@ -2759,7 +2736,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961473/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2778,9 +2754,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "belfetproduction.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961473/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", @@ -2794,7 +2770,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961474/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -2813,9 +2788,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "belfetproduction.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961474/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", @@ -2829,7 +2804,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961475/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2848,9 +2822,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961475/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "css", @@ -2864,7 +2838,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961468/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -2883,9 +2856,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961468/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "jpg", @@ -2899,7 +2872,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961469/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2918,9 +2890,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961469/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", @@ -2934,7 +2906,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961467/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -2953,9 +2924,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "letonguesc.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:13.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961467/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "png", @@ -2969,7 +2940,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961464/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2988,9 +2958,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "ladiesincode.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961464/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "css", @@ -3004,7 +2974,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961465/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3023,9 +2992,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "ladiesincode.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961465/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "css", @@ -3039,7 +3008,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961466/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3058,9 +3026,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "letonguesc.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961466/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "jpg", @@ -3074,7 +3042,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961461/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3093,9 +3060,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961461/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "png", @@ -3109,7 +3076,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961462/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3128,9 +3094,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961462/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "css", @@ -3144,7 +3110,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961463/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3163,9 +3128,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961463/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", @@ -3179,7 +3144,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961458/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3198,9 +3162,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "belfetproduction.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961458/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", @@ -3214,7 +3178,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961459/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3233,9 +3196,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "ladiesincode.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961459/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "jpg", @@ -3249,7 +3212,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961460/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3268,9 +3230,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961460/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "png", @@ -3284,7 +3246,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961455/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3303,9 +3264,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961455/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "gif", @@ -3319,7 +3280,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961456/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3338,9 +3298,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961456/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "gif", @@ -3354,7 +3314,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961457/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3373,9 +3332,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "letonguesc.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961457/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "gif", @@ -3389,7 +3348,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961450/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3408,9 +3366,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "cxminute.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961450/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "png", @@ -3424,7 +3382,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961451/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3443,9 +3400,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961451/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", @@ -3459,7 +3416,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961452/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3478,9 +3434,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", @@ -3494,7 +3450,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961453/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3513,9 +3468,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", @@ -3529,7 +3484,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961454/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3548,9 +3502,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", @@ -3564,7 +3518,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961448/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3583,9 +3536,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "belfetproduction.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:36.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "png", diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml index cc98cd5032a..eccbf5e9826 100644 --- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml 
@@ -1,153 +1,152 @@ description: Pipeline for parsing Anomali Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.anomali + ignore_missing: true -###################### -# General ECS fields # -###################### -- rename: - field: json - target_field: threatintel.anomali - ignore_missing: true - -##################### -# Threat ECS Fields # -##################### -## File indicator operations -- date: - field: threatintel.anomali.created - formats: - - "yyyy-MM-dd'T'HH:mm:ssz" - - "yyyy-MM-dd'T'HH:mm:ssZ" - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.created != null" -- date: - field: threatintel.anomali.modified - target_field: threatintel.anomali.modified - formats: - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.modified != null" -- date: - field: threatintel.anomali.valid_from - target_field: threatintel.anomali.valid_from - formats: - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - 
- "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.valid_from != null" -- grok: - field: threatintel.anomali.pattern - patterns: - - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" -- rename: - field: _tmp.threattype - target_field: threatintel.indicator.type - ignore_missing: true -- rename: - field: _tmp.threatvalue - target_field: threatintel.indicator.ip - ignore_missing: true - if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" -- uri_parts: - field: _tmp.threatvalue - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true -- rename: - field: _tmp.threatvalue - target_field: threatintel.indicator.email.address - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' -- rename: - field: _tmp.threatvalue - target_field: threatintel.indicator.domain - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'domain-name' -- set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null -- foreach: - field: threatintel.anomali.labels - ignore_missing: true - processor: - append: - field: tags - value: "{{_ingest._value}}" - allow_duplicates: false -- grok: - field: threatintel.anomali.description - patterns: - - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}" - ignore_missing: true - ignore_failure: true -###################### -# Cleanup processors # -###################### -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void 
handleList(List list) { - for (def x : list) { + ##################### + # Threat ECS Fields # + ##################### + ## File indicator operations + - date: + field: threatintel.anomali.created + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.created != null" + - date: + field: threatintel.anomali.modified + target_field: threatintel.anomali.modified + formats: + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.modified != null" + - date: + field: threatintel.anomali.valid_from + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.valid_from != null" + - grok: + field: threatintel.anomali.pattern + patterns: + - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" + - rename: + field: _tmp.threattype + target_field: threatintel.indicator.type + ignore_missing: true + - rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.ip + ignore_missing: true + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + - uri_parts: + field: _tmp.threatvalue + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + ignore_empty_value: true + - rename: + field: _tmp.threatvalue + 
target_field: threatintel.indicator.email.address + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'email-addr' + - rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.url.domain + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'domain-name' + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - foreach: + field: threatintel.anomali.labels + ignore_missing: true + processor: + append: + field: tags + value: "{{_ingest._value}}" + allow_duplicates: false + - grok: + field: threatintel.anomali.description + patterns: + - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}" + ignore_missing: true + ignore_failure: true + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.anomali.created - - message - - _tmp - ignore_missing: true + handleMap(ctx); + - remove: + field: + - threatintel.anomali.created + - message + - _tmp + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json index ae4d6f5223d..f527da1ed98 100644 --- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json 
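Review bot: The `date` processor that now writes `threatintel.indicator.first_seen` from `threatintel.anomali.valid_from` accepts only fractional-second formats (`ss.Sz` through `ss.SSSZ`), while the `created` processor just above it also lists `yyyy-MM-dd'T'HH:mm:ssz` and `yyyy-MM-dd'T'HH:mm:ssZ`; a `valid_from` with whole-second precision would fail the processor and, since it has no `on_failure` of its own, the remaining processors are skipped and the document is indexed with `error.message` but without any of the `threatintel.indicator.*` fields set afterwards. Adding the two whole-second entries `- "yyyy-MM-dd'T'HH:mm:ssz"` and `- "yyyy-MM-dd'T'HH:mm:ssZ"` to the `valid_from` format list would make the three date processors consistent. Separately, because the target is no longer the source field, `threatintel.anomali.valid_from` is now kept as the raw string rather than normalized (the fixture change from `.570Z` to `.57Z` appears to reflect this) and, unlike `threatintel.anomali.created`, it is not dropped by the cleanup `remove` step, so a comment such as `# valid_from is kept raw; the normalized value is in threatintel.indicator.first_seen` or an explicit remove would make that intent clear. The `grok` on `threatintel.anomali.pattern` likewise has no `ignore_missing`, so a STIX object without a `pattern` takes the same failure path, though that predates this change.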
+++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json @@ -31,6 +31,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:58:57.431Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:57.431Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", @@ -72,6 +73,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:58:57.503Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:57.503Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "worldatdoor.in", @@ -112,7 +114,8 @@ ], "threatintel.anomali.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.570Z", + "threatintel.anomali.valid_from": "2020-01-22T02:58:57.57Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:57.570Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0387770.xsph.ru", @@ -153,6 +156,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://178.62.187.103/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:59.366Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "178.62.187.103", 
@@ -193,6 +197,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:58:59.457Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:58:59.457Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "appareluea.com",
@@ -234,6 +239,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:06.402Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:06.402Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "nkpotu.xyz",
@@ -274,7 +280,8 @@
 ],
 "threatintel.anomali.pattern": "[ipv4-addr:value = '162.144.128.116']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:19.990Z",
+ "threatintel.anomali.valid_from": "2020-01-22T02:59:19.99Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:19.990Z",
 "threatintel.indicator.ip": "162.144.128.116",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -311,6 +318,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:20.155Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:20.155Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ntrcgroup.com",
@@ -352,6 +360,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:25.521Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:25.521Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "chol.cc",
@@ -393,6 +402,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0390764.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:25.626Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0390764.xsph.ru",
@@ -433,6 +443,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '45.143.138.39']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:36.461Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:36.461Z",
 "threatintel.indicator.ip": "45.143.138.39",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -469,6 +480,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:41.193Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:41.193Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "aglfreight.com.my",
@@ -510,6 +522,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://95.182.122.184/']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:41.228Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "95.182.122.184",
@@ -550,6 +563,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '198.54.115.121']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:51.313Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:51.313Z",
 "threatintel.indicator.ip": "198.54.115.121",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -586,6 +600,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.119.172']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:51.372Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:51.372Z",
 "threatintel.indicator.ip": "192.185.119.172",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -622,6 +637,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0389246.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z",
+ "threatintel.indicator.first_seen": "2020-01-22T02:59:51.442Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0389246.xsph.ru",
@@ -662,6 +678,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/server/cp.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:01.563Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:01.563Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "appareluea.com",
@@ -703,6 +720,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:03.138Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:03.138Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "nkpotu.xyz",
@@ -744,6 +762,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:03.396Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:03.396Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "chol.cc",
@@ -785,6 +804,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:03.642Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:03.642Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "mecharnise.ir",
@@ -826,6 +846,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:27.534Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:27.534Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "chol.cc",
@@ -867,6 +888,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:27.591Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:27.591Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "kironofer.com",
@@ -908,6 +930,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:45.787Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:45.787Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "worldatdoor.in",
@@ -949,6 +972,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:45.841Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:45.841Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "smartlinktelecom.top",
@@ -990,6 +1014,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://carirero.net/login.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:45.959Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:45.959Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "carirero.net",
@@ -1031,6 +1056,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '74.116.84.20']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:46.025Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:46.025Z",
 "threatintel.indicator.ip": "74.116.84.20",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -1067,6 +1093,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://tuu.nu/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:00:57.729Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tuu.nu",
@@ -1107,6 +1134,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:01:02.696Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:01:02.696Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "dulfix.com",
@@ -1148,6 +1176,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:01:02.807Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:01:02.807Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "deliciasdvally.com.pe",
@@ -1188,7 +1217,8 @@
 ],
 "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:24.810Z",
+ "threatintel.anomali.valid_from": "2020-01-22T03:01:24.81Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:01:24.810Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "nkpotu.xyz",
@@ -1230,6 +1260,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '194.87.147.80']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:01:41.158Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:01:41.158Z",
 "threatintel.indicator.ip": "194.87.147.80",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -1266,6 +1297,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:01:57.189Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:01:57.189Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "35.158.92.3",
@@ -1307,6 +1339,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '45.95.168.70']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:01:57.279Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:01:57.279Z",
 "threatintel.indicator.ip": "45.95.168.70",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -1342,7 +1375,8 @@
 ],
 "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:02:50.570Z",
+ "threatintel.anomali.valid_from": "2020-01-22T03:02:50.57Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:02:50.570Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "chol.cc",
@@ -1384,6 +1418,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0391600.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:02:52.496Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0391600.xsph.ru",
@@ -1424,6 +1459,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://extraclick.space/login.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:03:42.819Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:03:42.819Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "extraclick.space",
@@ -1465,6 +1501,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://petrogarmani.pw/login.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:03:52.044Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:03:52.044Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "petrogarmani.pw",
@@ -1505,7 +1542,8 @@
 ],
 "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:04:01.650Z",
+ "threatintel.anomali.valid_from": "2020-01-22T03:04:01.65Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:04:01.650Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "worldatdoor.in",
@@ -1547,6 +1585,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://zanlma.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:04:32.717Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "zanlma.com",
@@ -1587,6 +1626,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0369688.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:04:56.858Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0369688.xsph.ru",
@@ -1627,6 +1667,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-22T03:04:59.245Z",
+ "threatintel.indicator.first_seen": "2020-01-22T03:04:59.245Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "chol.cc",
@@ -1668,6 +1709,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.214.199']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:00:22.287Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:00:22.287Z",
 "threatintel.indicator.ip": "192.185.214.199",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -1704,6 +1746,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:01:11.329Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:01:11.329Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "softtouchcollars.com",
@@ -1745,6 +1788,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:01:36.682Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:01:36.682Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "imobiliariatirol.com",
@@ -1786,6 +1830,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:02:15.854Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:02:15.854Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "deliveryexpressworld.xyz",
@@ -1827,6 +1872,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0392261.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:02:47.364Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0392261.xsph.ru",
@@ -1867,6 +1913,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:03:05.048Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:03:05.048Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "104.168.99.168",
@@ -1908,6 +1955,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:03:15.734Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:03:15.734Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0387404.xsph.ru",
@@ -1949,6 +1997,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-23T03:03:42.599Z",
+ "threatintel.indicator.first_seen": "2020-01-23T03:03:42.599Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "a0386457.xsph.ru",
@@ -1990,6 +2039,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:04.821Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:04.821Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "defenseisrael.com",
@@ -2031,6 +2081,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '91.215.170.249']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:04.857Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:04.857Z",
 "threatintel.indicator.ip": "91.215.170.249",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -2067,6 +2118,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:04.883Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com",
@@ -2107,6 +2159,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:12.997Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:12.997Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "byedtronchgroup.yt",
@@ -2148,6 +2201,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:13.025Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:13.025Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "199.192.28.11",
@@ -2189,6 +2243,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:32.901Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:32.901Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "217.8.117.51",
@@ -2230,6 +2285,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://lansome.site/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:32.929Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "lansome.site",
@@ -2270,6 +2326,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:57:49.028Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:57:49.028Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "iplusvietnam.com.vn",
@@ -2311,6 +2368,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:58:03.345Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:58:03.345Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "leakaryadeen.com",
@@ -2352,6 +2410,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:58:16.318Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:58:16.318Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "oaa-my.com",
@@ -2393,6 +2452,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:58:16.358Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:58:16.358Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "thaubenuocngam.com",
@@ -2434,6 +2494,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:58:32.126Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "suspiciousactivity.xyz",
@@ -2474,6 +2535,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.8/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:58:37.603Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "217.8.117.8",
@@ -2514,6 +2576,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0387550.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:58:37.643Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0387550.xsph.ru",
@@ -2554,6 +2617,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:58:39.465Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com",
@@ -2594,6 +2658,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '206.217.131.245']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:02.031Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:02.031Z",
 "threatintel.indicator.ip": "206.217.131.245",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -2630,6 +2695,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:15.878Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:15.878Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "67.215.224.101",
@@ -2671,6 +2737,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '162.241.73.163']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:29.155Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:29.155Z",
 "threatintel.indicator.ip": "162.241.73.163",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -2707,6 +2774,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:50.233Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com",
@@ -2747,6 +2815,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:50.255Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:50.255Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "107.175.150.73",
@@ -2788,6 +2857,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://5.188.60.52/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:52.536Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "5.188.60.52",
@@ -2828,6 +2898,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://trotdeiman.ga/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:54.784Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "trotdeiman.ga",
@@ -2868,6 +2939,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.8']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:54.815Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:54.815Z",
 "threatintel.indicator.ip": "217.8.117.8",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -2904,6 +2976,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '104.223.170.113']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:01.726Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:01.726Z",
 "threatintel.indicator.ip": "104.223.170.113",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -2940,6 +3013,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:01.762Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:01.762Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tavim.org",
@@ -2981,6 +3055,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:10.928Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz",
@@ -3021,6 +3096,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:20.166Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:20.166Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "oaa-my.com",
@@ -3062,6 +3138,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://jumbajumbadun.fun/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:24.048Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "jumbajumbadun.fun",
@@ -3102,6 +3179,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:55.816Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:55.816Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tavim.org",
@@ -3143,6 +3221,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:01:10.501Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com",
@@ -3183,6 +3262,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:01:10.518Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com",
@@ -3223,6 +3303,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.47']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:01:14.843Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:01:14.843Z",
 "threatintel.indicator.ip": "217.8.117.47",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -3259,6 +3340,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57/northon/']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:12.699Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "46.161.27.57",
@@ -3299,6 +3381,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.170/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:28.034Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "104.168.99.170",
@@ -3339,6 +3422,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:38.187Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:38.187Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3380,6 +3464,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0391587.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:38.214Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0391587.xsph.ru",
@@ -3420,6 +3505,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:47.281Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "46.161.27.57",
@@ -3461,6 +3547,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0393086.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:51.296Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0393086.xsph.ru",
@@ -3501,6 +3588,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:56.007Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:56.007Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "insuncos.com",
@@ -3542,6 +3630,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://tg-h.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:56.044Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tg-h.ru",
@@ -3582,6 +3671,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:11.038Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:11.038Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "wusetwo.xyz",
@@ -3622,7 +3712,8 @@
 ],
 "threatintel.anomali.pattern": "[url:value = 'http://185.234.217.36/northon/']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:20.420Z",
+ "threatintel.anomali.valid_from": "2020-01-25T02:58:20.42Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:20.420Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "185.234.217.36",
@@ -3663,6 +3754,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:20.448Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:20.448Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "topik07.mcdir.ru",
@@ -3704,6 +3796,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:33.189Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:33.189Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "insuncos.com",
@@ -3745,6 +3838,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:49.056Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "185.234.218.68",
@@ -3785,6 +3879,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:59.472Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:59.472Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3825,7 +3920,8 @@
 ],
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:27.070Z",
+ "threatintel.anomali.valid_from": "2020-01-25T02:59:27.07Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:27.070Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3867,6 +3963,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:28.967Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:28.967Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3908,6 +4005,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:37.661Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:37.661Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "oaa-my.com",
@@ -3949,6 +4047,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '192.64.118.56']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:37.692Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:37.692Z",
 "threatintel.indicator.ip": "192.64.118.56",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -3985,6 +4084,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:54.296Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:54.296Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "insuncos.com",
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
index be753edb153..22644d79518 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml 
@@ -1,401 +1,399 @@
 description: Pipeline for parsing Anomali ThreatStream
 processors:
-#
-# Safeguard against feeding the pipeline with documents other
-# that the ones generated by Filebeat's http_endpoint input.
-#
-- fail:
- if: 'ctx.json == null || !(ctx.json instanceof Map)'
- message: 'missing json object in input document'
-
-#
-# Set basic ECS fields.
-#
-- set:
- field: event.ingested
- value: '{{{ _ingest.timestamp }}}'
-- set:
- field: event.kind
- value: enrichment
-- set:
- field: event.category
- value: threat
-- set:
- field: event.type
- value: indicator
-
-#
-# Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
-#
-- script:
- lang: painless
- if: 'ctx.json.itype != null'
- description: >
- Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
- params:
- actor_ip: ipv4-addr
- adware_domain: domain-name
- anon_proxy: ipv4-addr
- anon_vpn: ipv4-addr
- apt_domain: domain-name
- apt_email: email-addr
- apt_ip: ipv4-addr
- apt_md5: file
- apt_subject: email
- apt_ua: url
- apt_url: url
- bot_ip: ipv4-addr
- brute_ip: ipv4-addr
- c2_domain: domain-name
- c2_ip: ipv4-addr
- c2_url: url
- comm_proxy_domain: domain-name
- comm_proxy_ip: ipv4-addr
- compromised_domain: domain-name
- compromised_ip: ipv4-addr
- compromised_url: url
- crypto_hash: file
- crypto_ip: ipv4-addr
- crypto_pool: domain
- crypto_url: url
- crypto_wallet: file
- ddos_ip: ipv4-addr
- disposable_email_domain: domain-name
- dyn_dns: domain-name
- exfil_domain: domain-name
- exfil_ip: ipv4-addr
- exfil_url: url
- exploit_domain: domain-name
- exploit_ip: ipv4-addr
- exploit_url: url
- free_email_domain: domain-name
- geolocation_url: url
- hack_tool: file
- i2p_ip: ipv4-addr
- ipcheck_url: url
- mal_domain: domain-name
- mal_email: email-addr
- mal_ip: ipv4-addr
- mal_md5: file
- mal_sslcert_sh1: x509-certificate
- mal_sslcert_sha1: x509-certificate
- mal_ua: url
- mal_url: url
- p2pcnc: ipv4-addr
- parked_domain: domain-name
- parked_ip: ipv4-addr
- parked_url: url
- pastesite_url: url
- phish_domain: domain-name
- phish_email: email-addr
- phish_ip: ipv4-addr
- phish_url: url
- proxy_ip: ipv4-addr
- scan_ip: ipv4-addr
- sinkhole_domain: domain-name
- sinkhole_ip: ipv4-addr
- spam_domain: domain-name
- spam_email: email-addr
- spam_ip: ipv4-addr
- spam_url: url
- speedtest_url: url
- ssh_ip: ipv4-addr
- suppress: suppress
- suspicious_domain: domain-name
- suspicious_email: email-addr
- suspicious_ip: ipv4-addr
- suspicious_reg_email: email-addr
- suspicious_url: url
- tor_ip: ipv4-addr
- torrent_tracker_url: url
- vpn_domain: domain-name
- vps_ip: ipv4-addr
- whois_bulk_reg_email: email-addr
- whois_privacy_domain: domain-name
- whois_privacy_email: email-addr
- source: >
- String mapping = params[ctx.json.itype];
- if (mapping != null) {
- ctx["threatintel_indicator_type"] = mapping;
- }
- on_failure:
- - append:
- field: error.message
- value: 'Unable to determine indicator type from "{{{ json.itype }}}": {{{ _ingest.on_failure_message }}}'
-
-- rename:
- field: threatintel_indicator_type
- target_field: threatintel.indicator.type
- ignore_missing: true
-
-#
-# Detect ipv6 for ipv4-addr types.
-#
-- set:
- field: threatintel.indicator.type
- value: ipv6-addr
- if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")'
-
-#
-# Map first and last seen dates.
-#
-- date:
- field: json.date_first
- target_field: threatintel.indicator.first_seen
- formats:
- - ISO8601
- if: 'ctx.json.date_first != null'
- on_failure:
- - append:
- field: error.message
- value: 'Error parsing date_first field value "{{{ json.date_first }}}": {{{ _ingest.on_failure_message }}}'
-
-- date:
- field: json.date_last
- target_field: threatintel.indicator.last_seen
- formats:
- - ISO8601
- if: 'ctx.json.date_last != null'
- on_failure:
- - append:
- field: error.message
- value: 'Error parsing date_last field value "{{{ json.date_last }}}": {{{ _ingest.on_failure_message }}}'
-
-#
-# Map IP geolocation fields.
-#
-- convert:
- field: json.lat
- target_field: threatintel.indicator.geo.location.lat
- type: double
- if: 'ctx.json.lat != null && ctx.json.lon != null'
- on_failure:
- - append:
- field: error.message
- value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}'
-- convert:
- field: json.lon
- target_field: threatintel.indicator.geo.location.lon
- type: double
- if: 'ctx.json.lat != null && ctx.json.lon != null'
- on_failure:
- - append:
- field: error.message
- value: 'Cannot convert lon field "{{{ json.lon }}}" to double: {{{ _ingest.on_failure_message }}}'
-
-#
-# Map classification field to Traffic Light Protocol (TLP).
-# Currently:
-# public => White ("Disclosure is not limited.")
-# private => Amber ("Limited disclosure, restricted to participants’ organizations.").
-#
-- set:
- field: threatintel.indicator.marking.tlp
- value: Amber
- if: 'ctx.json.classification == "private"'
-- set:
- field: threatintel.indicator.marking.tlp
- value: White
- if: 'ctx.json.classification == "public"'
-
-#
-# Convert confidence field (-1..100) to ECS confidence (0..10).
-#
-- script:
- lang: painless
- description: >
- Normalize confidence level.
- source: >
- def value = ctx.json.confidence;
- if (value == null || value < 0.0 || value > 100.0) return;
- ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0);
- on_failure:
- - append:
- field: error.message
- value: 'failed to normalize confidence value `{{{ json.confidence }}}`: {{{ _ingest.on_failure_message }}}'
-
-- rename:
- field: threatintel_indicator_confidence
- target_field: threatintel.indicator.confidence
- ignore_missing: true
-
-#
-# Convert asn field.
-#
-- convert:
- field: json.asn
- target_field: threatintel.indicator.as.number
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: 'Cannot convert asn field `{{{ json.asn }}}` to long: {{{ _ingest.on_failure_message }}}'
-
-- rename:
- field: json.org
- target_field: threatintel.indicator.as.organization.name
- ignore_missing: true
-
-- rename:
- field: json.domain
- target_field: threatintel.indicator.domain
- ignore_missing: true
-
-- rename:
- field: json.email
- target_field: threatintel.indicator.email.address
- ignore_missing: true
-
-- rename:
- field: json.srcip
- target_field: threatintel.indicator.ip
- ignore_missing: true
-
-- uri_parts:
- field: json.url
- target_field: threatintel.indicator.url
- keep_original: true
- remove_if_successful: true
- if: 'ctx.json.url != null'
- on_failure:
- - append:
- field: error.message
- value: 'Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}'
-
-- set:
- field: threatintel.indicator.url.full
- value: '{{{threatintel.indicator.url.original}}}'
- ignore_empty_value: true
-
-- rename:
- field: json.country
- target_field: threatintel.indicator.geo.country_iso_code
- ignore_missing: true
-
-#
-# md5 field can actually contain different kinds of hash.
-# Map to file.hash.* depending on hash length.
-#
-- rename:
- field: json.md5
- target_field: threatintel.indicator.file.hash.md5
- if: 'ctx.json.md5 != null && ctx.json.md5.length() == 32'
-
-- rename:
- field: json.md5
- target_field: threatintel.indicator.file.hash.sha1
- if: 'ctx.json.md5 != null && ctx.json.md5.length() == 40'
-
-- rename:
- field: json.md5
- target_field: threatintel.indicator.file.hash.sha256
- if: 'ctx.json.md5 != null && ctx.json.md5.length() == 64'
-
-- rename:
- field: json.md5
- target_field: threatintel.indicator.file.hash.sha512
- if: 'ctx.json.md5 != null && ctx.json.md5.length() == 128'
-
-- rename:
- field: json.source
- target_field: threatintel.indicator.provider
- ignore_missing: true
-
-#
-# Map field severity to event severity as follows:
-# low => 3
-# medium => 5
-# high => 7
-# very-high => 9
-#
-- set:
- field: event.severity
- value: 3
- if: 'ctx.json.severity == "low"'
-
-- set:
- field: event.severity
- value: 5
- if: 'ctx.json.severity == "medium"'
-
-- set:
- field: event.severity
- value: 7
- if: 'ctx.json.severity == "high"'
-
-- set:
- field: event.severity
- value: 9
- if: 'ctx.json.severity == "very-high"'
-
-#
-# Field trusted_circles_ids is a comma-separated string
-# that can contain leading and trailing separators (i.e. ",123,").
-# Need a script processor as split processor doesn't support
-# removing non-trailing separators.
-#
-- script:
- lang: painless
- if: 'ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String'
- description: >
- Convert trusted_circles_ids from CSV to an array.
- source: > - def lst = - Stream.of(ctx.json.trusted_circle_ids.splitOnToken(",")) - .filter(s -> !s.isEmpty()) - .toArray(String[]::new); - if (lst.length > 0) { - ctx.json.trusted_circle_ids = lst; - } else { - ctx.json.remove('trusted_circle_ids'); - } - on_failure: - - append: - field: error.message - value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}' - -# -# Split detail field and append each component to ECS tags field. -# -- split: - field: json.detail - separator: '(? + Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + params: + actor_ip: ipv4-addr + adware_domain: domain-name + anon_proxy: ipv4-addr + anon_vpn: ipv4-addr + apt_domain: domain-name + apt_email: email-addr + apt_ip: ipv4-addr + apt_md5: file + apt_subject: email + apt_ua: url + apt_url: url + bot_ip: ipv4-addr + brute_ip: ipv4-addr + c2_domain: domain-name + c2_ip: ipv4-addr + c2_url: url + comm_proxy_domain: domain-name + comm_proxy_ip: ipv4-addr + compromised_domain: domain-name + compromised_ip: ipv4-addr + compromised_url: url + crypto_hash: file + crypto_ip: ipv4-addr + crypto_pool: domain + crypto_url: url + crypto_wallet: file + ddos_ip: ipv4-addr + disposable_email_domain: domain-name + dyn_dns: domain-name + exfil_domain: domain-name + exfil_ip: ipv4-addr + exfil_url: url + exploit_domain: domain-name + exploit_ip: ipv4-addr + exploit_url: url + free_email_domain: domain-name + geolocation_url: url + hack_tool: file + i2p_ip: ipv4-addr + ipcheck_url: url + mal_domain: domain-name + mal_email: email-addr + mal_ip: ipv4-addr + mal_md5: file + mal_sslcert_sh1: x509-certificate + mal_sslcert_sha1: x509-certificate + mal_ua: url + mal_url: url + p2pcnc: ipv4-addr + parked_domain: domain-name + parked_ip: ipv4-addr + parked_url: url + pastesite_url: url + phish_domain: domain-name + phish_email: email-addr + phish_ip: ipv4-addr + phish_url: url + proxy_ip: ipv4-addr + scan_ip: ipv4-addr + 
sinkhole_domain: domain-name
+ sinkhole_ip: ipv4-addr
+ spam_domain: domain-name
+ spam_email: email-addr
+ spam_ip: ipv4-addr
+ spam_url: url
+ speedtest_url: url
+ ssh_ip: ipv4-addr
+ suppress: suppress
+ suspicious_domain: domain-name
+ suspicious_email: email-addr
+ suspicious_ip: ipv4-addr
+ suspicious_reg_email: email-addr
+ suspicious_url: url
+ tor_ip: ipv4-addr
+ torrent_tracker_url: url
+ vpn_domain: domain-name
+ vps_ip: ipv4-addr
+ whois_bulk_reg_email: email-addr
+ whois_privacy_domain: domain-name
+ whois_privacy_email: email-addr
+ source: >
+ String mapping = params[ctx.json.itype];
+ if (mapping != null) {
+ ctx["threatintel_indicator_type"] = mapping;
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Unable to determine indicator type from "{{{ json.itype }}}": {{{ _ingest.on_failure_message }}}'
+
+ - rename:
+ field: threatintel_indicator_type
+ target_field: threatintel.indicator.type
+ ignore_missing: true
+
+ #
+ # Detect ipv6 for ipv4-addr types.
+ #
+ - set:
+ field: threatintel.indicator.type
+ value: ipv6-addr
+ if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")'
+
+ #
+ # Map first and last seen dates.
+ #
+ - date:
+ field: json.date_first
+ target_field: threatintel.indicator.first_seen
+ formats:
+ - ISO8601
+ if: "ctx.json.date_first != null"
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Error parsing date_first field value "{{{ json.date_first }}}": {{{ _ingest.on_failure_message }}}'
+
+ - date:
+ field: json.date_last
+ target_field: threatintel.indicator.last_seen
+ formats:
+ - ISO8601
+ if: "ctx.json.date_last != null"
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Error parsing date_last field value "{{{ json.date_last }}}": {{{ _ingest.on_failure_message }}}'
+
+ #
+ # Map IP geolocation fields.
+ #
+ - convert:
+ field: json.lat
+ target_field: threatintel.indicator.geo.location.lat
+ type: double
+ if: "ctx.json.lat != null && ctx.json.lon != null"
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}'
+ - convert:
+ field: json.lon
+ target_field: threatintel.indicator.geo.location.lon
+ type: double
+ if: "ctx.json.lat != null && ctx.json.lon != null"
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Cannot convert lon field "{{{ json.lon }}}" to double: {{{ _ingest.on_failure_message }}}'
+
+ #
+ # Map classification field to Traffic Light Protocol (TLP).
+ # Currently:
+ # public => White ("Disclosure is not limited.")
+ # private => Amber ("Limited disclosure, restricted to participants’ organizations.").
+ #
+ - append:
+ field: threatintel.indicator.marking.tlp
+ value: Amber
+ if: 'ctx.json.classification == "private"'
+ - append:
+ field: threatintel.indicator.marking.tlp
+ value: White
+ if: 'ctx.json.classification == "public"'
+
+ #
+ # Convert confidence field (-1..100) to ECS confidence (0..10).
+ #
+ - script:
+ lang: painless
+ description: >
+ Normalize confidence level.
+ source: >
+ def value = ctx.json.confidence;
+ if (value == null || value < 0.0 || value > 100.0) return;
+ ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0);
+ on_failure:
+ - append:
+ field: error.message
+ value: "failed to normalize confidence value `{{{ json.confidence }}}`: {{{ _ingest.on_failure_message }}}"
+
+ - rename:
+ field: threatintel_indicator_confidence
+ target_field: threatintel.indicator.confidence
+ ignore_missing: true
+
+ #
+ # Convert asn field.
+ #
+ - convert:
+ field: json.asn
+ target_field: threatintel.indicator.as.number
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: "Cannot convert asn field `{{{ json.asn }}}` to long: {{{ _ingest.on_failure_message }}}"
+
+ - rename:
+ field: json.org
+ target_field: threatintel.indicator.as.organization.name
+ ignore_missing: true
+
+ - rename:
+ field: json.email
+ target_field: threatintel.indicator.email.address
+ ignore_missing: true
+
+ - rename:
+ field: json.srcip
+ target_field: threatintel.indicator.ip
+ ignore_missing: true
+
+ - uri_parts:
+ field: json.url
+ target_field: threatintel.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: "ctx.json.url != null"
+ on_failure:
+ - append:
+ field: error.message
+ value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}"
+ - set:
+ field: threatintel.indicator.url.full
+ value: "{{{threatintel.indicator.url.original}}}"
+ ignore_empty_value: true
+ - rename:
+ field: json.domain
+ target_field: threatintel.indicator.url.domain
+ ignore_missing: true
+ if: ctx.threatintel?.indicator?.url?.domain == null
+ - rename:
+ field: json.country
+ target_field: threatintel.indicator.geo.country_iso_code
+ ignore_missing: true
+
+ #
+ # md5 field can actually contain different kinds of hash.
+ # Map to file.hash.* depending on hash length.
+ #
+ - rename:
+ field: json.md5
+ target_field: threatintel.indicator.file.hash.md5
+ if: "ctx.json.md5 != null && ctx.json.md5.length() == 32"
+
+ - rename:
+ field: json.md5
+ target_field: threatintel.indicator.file.hash.sha1
+ if: "ctx.json.md5 != null && ctx.json.md5.length() == 40"
+
+ - rename:
+ field: json.md5
+ target_field: threatintel.indicator.file.hash.sha256
+ if: "ctx.json.md5 != null && ctx.json.md5.length() == 64"
+
+ - rename:
+ field: json.md5
+ target_field: threatintel.indicator.file.hash.sha512
+ if: "ctx.json.md5 != null && ctx.json.md5.length() == 128"
+
+ - rename:
+ field: json.source
+ target_field: threatintel.indicator.provider
+ ignore_missing: true
+
+ #
+ # Map field severity to event severity as follows:
+ # low => 3
+ # medium => 5
+ # high => 7
+ # very-high => 9
+ #
+ - set:
+ field: event.severity
+ value: 3
+ if: 'ctx.json.severity == "low"'
+
+ - set:
+ field: event.severity
+ value: 5
+ if: 'ctx.json.severity == "medium"'
+
+ - set:
+ field: event.severity
+ value: 7
+ if: 'ctx.json.severity == "high"'
+
+ - set:
+ field: event.severity
+ value: 9
+ if: 'ctx.json.severity == "very-high"'
+
+ #
+ # Field trusted_circles_ids is a comma-separated string
+ # that can contain leading and trailing separators (i.e. ",123,").
+ # Need a script processor as split processor doesn't support
+ # removing non-trailing separators.
+ #
+ - script:
+ lang: painless
+ if: "ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String"
+ description: >
+ Convert trusted_circles_ids from CSV to an array.
+ source: > + def lst = + Stream.of(ctx.json.trusted_circle_ids.splitOnToken(",")) + .filter(s -> !s.isEmpty()) + .toArray(String[]::new); + if (lst.length > 0) { + ctx.json.trusted_circle_ids = lst; + } else { + ctx.json.remove('trusted_circle_ids'); + } + on_failure: + - append: + field: error.message + value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}' + + # + # Split detail field and append each component to ECS tags field. + # + - split: + field: json.detail + separator: '(? v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.malwarebazaar.first_seen - - threatintel.malwarebazaar.last_seen - - message - ignore_missing: true + handleMap(ctx); + - remove: + field: + - threatintel.malwarebazaar.first_seen + - threatintel.malwarebazaar.last_seen + - message + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml index a251bf04833..8987e591b9b 100644 --- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml 
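Review bot: `crypto_pool: domain` in the itype-to-STIX `params` map of the anomalithreatstream pipeline is not a STIX 2.0 Cyber Observable type, while every other `*_domain` itype maps to `domain-name`, so such documents end up with `threatintel.indicator.type: domain` and anything downstream keyed on `domain-name` (not visible in this hunk) would presumably not match; the entry is carried over unchanged from the old file, so this is a pre-existing inconsistency the re-indent did not touch. Unless the value is intentional, change it to `crypto_pool: domain-name`; `apt_subject: email` looks similarly off (`email-addr`/`email-message` are the STIX types), though that one may be deliberate. The new `rename` of `json.domain` to `threatintel.indicator.url.domain` guarded by `if: ctx.threatintel?.indicator?.url?.domain == null` is correct but is the only processor in the file without a banner comment explaining it; a line such as `# Prefer the domain parsed by uri_parts; fall back to the feed's domain field (indicator.domain is deprecated).` above it would record why the guard exists. The remainder of this hunk after the `split` separator regex is garbled in this extraction, so the trailing cleanup processors could not be reviewed here.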
+++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml 
@@ -1,241 +1,240 @@ description: Pipeline for parsing MISP Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json.Event + target_field: threatintel.misp + ignore_missing: true + - set: + field: threatintel.indicator.provider + value: misp + if: ctx?.threatintel?.misp?.Orgc?.local != 'false' + - set: + field: threatintel.indicator.provider + value: "{{misp.Orgc.name}}" + if: ctx?.threatintel?.misp?.Orgc?.local == 'false' + ignore_empty_value: true -###################### -# General ECS fields # -###################### -- rename: - field: json.Event - target_field: threatintel.misp - ignore_missing: true -- set: - field: threatintel.indicator.provider - value: misp - if: ctx?.threatintel?.misp?.Orgc?.local != 'false' -- set: - field: threatintel.indicator.provider - value: '{{misp.Orgc.name}}' - if: ctx?.threatintel?.misp?.Orgc?.local == 'false' - ignore_empty_value: true + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + - threatintel.misp.ShadowAttribute + - threatintel.misp.RelatedEvent + - threatintel.misp.Galaxy + - threatintel.misp.Attribute.Galaxy + - threatintel.misp.Attribute.ShadowAttribute + - threatintel.misp.Object + - threatintel.misp.EventReport + - message + ignore_missing: true + - date: + field: threatintel.misp.timestamp + formats: + - UNIX + 
ignore_failure: true + - rename: + field: threatintel.misp.Attribute + target_field: threatintel.misp.attribute + ignore_missing: true + - rename: + field: threatintel.misp.Orgc + target_field: threatintel.misp.orgc + ignore_missing: true + - rename: + field: threatintel.misp.Org + target_field: threatintel.misp.org + ignore_missing: true + - rename: + field: threatintel.misp.Attribute + target_field: threatintel.misp.attribute + ignore_missing: true + - rename: + field: threatintel.misp.Tag + target_field: threatintel.misp.tag + ignore_missing: true -# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event -- remove: - field: - - threatintel.misp.ShadowAttribute - - threatintel.misp.RelatedEvent - - threatintel.misp.Galaxy - - threatintel.misp.Attribute.Galaxy - - threatintel.misp.Attribute.ShadowAttribute - - threatintel.misp.Object - - threatintel.misp.EventReport - - message - ignore_missing: true -- date: - field: threatintel.misp.timestamp - formats: - - UNIX - ignore_failure: true -- rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute - ignore_missing: true -- rename: - field: threatintel.misp.Orgc - target_field: threatintel.misp.orgc - ignore_missing: true -- rename: - field: threatintel.misp.Org - target_field: threatintel.misp.org - ignore_missing: true -- rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute - ignore_missing: true -- rename: - field: threatintel.misp.Tag - target_field: threatintel.misp.tag - ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + - rename: + field: threatintel.misp.attribute.first_seen + target_field: threatintel.indicator.first_seen + ignore_missing: true + - rename: + field: threatintel.misp.attribute.last_seen + target_field: threatintel.indicator.last_seen + ignore_missing: true + - convert: + field: threatintel.misp.analysis + type: long + target_field: 
threatintel.indicator.scanner_stats + ignore_missing: true + - convert: + field: threatintel.misp.threat_level_id + type: long + ignore_missing: true -##################### -# Threat ECS Fields # -##################### -- rename: - field: threatintel.misp.attribute.first_seen - target_field: threatintel.indicator.first_seen - ignore_missing: true -- rename: - field: threatintel.misp.attribute.last_seen - target_field: threatintel.indicator.last_seen - ignore_missing: true -- convert: - field: threatintel.misp.analysis - type: long - target_field: threatintel.indicator.scanner_stats - ignore_missing: true -- convert: - field: threatintel.misp.threat_level_id - type: long - ignore_missing: true + ## File/Hash indicator operations + - set: + field: threatintel.indicator.type + value: file + if: "['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename')" + - rename: + field: threatintel.misp.attribute.value + target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.file.name + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" + - grok: + field: threatintel.misp.attribute.type + patterns: + - "%{WORD}\\|%{WORD:_tmp.hashtype}" + ignore_missing: true + if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + - grok: + field: threatintel.misp.attribute.value + patterns: + - 
"%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + ignore_missing: true + if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + - set: + field: threatintel.indicator.file.hash.{{_tmp.hashtype}} + value: "{{_tmp.hashvalue}}" + if: "ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" -## File/Hash indicator operations -- set: - field: threatintel.indicator.type - value: file - if: "['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename')" -- rename: - field: threatintel.misp.attribute.value - target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.file.name - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" -- grok: - field: threatintel.misp.attribute.type - patterns: - - "%{WORD}\\|%{WORD:_tmp.hashtype}" - ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" - ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') -- set: - field: threatintel.indicator.file.hash.{{_tmp.hashtype}} - value: '{{_tmp.hashvalue}}' - if: "ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && 
ctx?._tmp?.hashtype != null" + ## URL/URI indicator operations + - set: + field: threatintel.indicator.type + value: url + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" + - uri_parts: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' -## URL/URI indicator operations -- set: - field: threatintel.indicator.type - value: url - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" -- uri_parts: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + ignore_empty_value: true + if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true - if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" + ## Regkey indicator operations + - set: + field: threatintel.indicator.type + value: windows-registry-key + if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.registry.key + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" + - grok: + field: threatintel.misp.attribute.value + patterns: + - 
"%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" + ignore_missing: true + if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" -## Regkey indicator operations -- set: - field: threatintel.indicator.type - value: windows-registry-key - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.registry.key - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" - ignore_missing: true - if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" + ## AS indicator operations + - set: + field: threatintel.indicator.type + value: autonomous-system + if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" + - convert: + field: threatintel.misp.attribute.value + type: long + target_field: threatintel.indicator.as.number + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'autonomous-system' -## AS indicator operations -- set: - field: threatintel.indicator.type - value: autonomous-system - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" -- convert: - field: threatintel.misp.attribute.value - type: long - target_field: threatintel.indicator.as.number - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'autonomous-system' + ## Domain/IP/Port indicator operations + - set: + field: threatintel.indicator.type + value: domain-name + if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || 
ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))" + - set: + field: threatintel.indicator.type + value: ipv4-addr + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.url.domain + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.ip + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + - grok: + field: threatintel.misp.attribute.value + patterns: + - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}" + ignore_missing: true + if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null + - grok: + field: threatintel.misp.attribute.value + patterns: + - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" + ignore_missing: true + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" -## Domain/IP/Port indicator operations -- set: - field: threatintel.indicator.type - value: domain-name - if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))" -- set: - field: threatintel.indicator.type - value: ipv4-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" -- rename: - field: threatintel.misp.attribute.value - 
target_field: threatintel.indicator.domain - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip'" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.ip - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{DATA:threatintel.indicator.domain}\\|%{IP:threatintel.indicator.ip}" - ignore_missing: true - if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" - ignore_missing: true - if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" + ## Email indicator operations + # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. + - set: + field: threatintel.indicator.type + value: email-addr + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + - set: + field: threatintel.indicator.type + value: email-message + if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.email.address + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'email-addr' -## Email indicator operations -# Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. 
-- set: - field: threatintel.indicator.type - value: email-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" -- set: - field: threatintel.indicator.type - value: email-message - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.email.address - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + ## MAC Address indicator operations + - set: + field: threatintel.indicator.type + value: mac-addr + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.mac + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'mac-addr' -## MAC Address indicator operations -- set: - field: threatintel.indicator.type - value: mac-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.mac - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'mac-addr' - -################### -# Tags ECS fields # -################### -# Stripping special characters from tags -- script: + ################### + # Tags ECS fields # + ################### + # Stripping special characters from tags + - script: lang: painless if: ctx?.threatintel?.misp?.tag != null source: | 
@@ -250,57 +249,57 @@ processors: ctx.tags = tags; ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ]; -# Setting indicator type to unknown if it does not match anything -- set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null + # Setting indicator type to unknown if it does not match anything + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null -###################### -# Cleanup processors # -###################### -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event -- remove: - field: - - threatintel.misp.attribute.value - ignore_missing: true - if: ctx?.threatintel?.indicator?.type != 'unknown' -- remove: - field: - - threatintel.misp.Attribute.timestamp - - threatintel.misp.timestamp - - threatintel.misp.tag - - threatintel.misp.org - - threatintel.misp.analysis - - _tmp - - json - ignore_missing: true + handleMap(ctx); + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + 
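Review bot: The `filename|` grok on `threatintel.misp.attribute.type` captures the hash type with `%{WORD:_tmp.hashtype}`, and because grok patterns are unanchored this keeps only the leading word of the hyphenated or slashed types that the file allow-list above admits (`filename|sha3-256` yields `sha3`, `filename|sha512/224` yields `sha512`), so the digest is stored under the wrong `threatintel.indicator.file.hash.*` key and will not correlate with the same hash from other feeds. A token that spans the whole suffix fixes it, e.g. `- "^%{WORD}\\|%{NOTSPACE:_tmp.hashtype}$"`. Separately, the first file-type `set`, both `filename|` grok conditions and the following `set` call `.startsWith` on `ctx?.threatintel?.misp?.attribute?.type` without the `!= null` guard the neighbouring processors use; if Painless does not short-circuit the rest of the chain, an attribute without `type` raises and the document is routed to `on_failure` with only `error.message` set. The hunk ends inside the tag-stripping script, whose body continues outside it.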
- threatintel.misp.attribute.value + ignore_missing: true + if: ctx?.threatintel?.indicator?.type != 'unknown' + - remove: + field: + - threatintel.misp.Attribute.timestamp + - threatintel.misp.timestamp + - threatintel.misp.tag + - threatintel.misp.org + - threatintel.misp.analysis + - _tmp + - json + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json index 45edea74815..6543ec7cb6e 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json @@ -75,7 +75,6 @@ "tlp:white", "type:OSINT" ], - "threatintel.indicator.domain": "your-ip.getmyip.com", "threatintel.indicator.ip": "178.128.103.74", "threatintel.indicator.marking.tlp": [ "white" @@ -83,6 +82,7 @@ "threatintel.indicator.provider": "misp", "threatintel.indicator.scanner_stats": 2, "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "your-ip.getmyip.com", "threatintel.misp.attribute.category": "Network activity", "threatintel.misp.attribute.comment": "1st stage", "threatintel.misp.attribute.deleted": false, @@ -300,13 +300,13 @@ "tlp:green", "type:OSINT" ], - "threatintel.indicator.domain": "xenserver.ddns.net", "threatintel.indicator.marking.tlp": [ "green" ], "threatintel.indicator.provider": "misp", "threatintel.indicator.scanner_stats": 2, "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "xenserver.ddns.net", "threatintel.misp.attribute.category": "Network activity", "threatintel.misp.attribute.comment": "", "threatintel.misp.attribute.deleted": false, 
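Review bot: The final `remove` lists `threatintel.misp.Attribute.timestamp`, but the pipeline renames `threatintel.misp.Attribute` to `threatintel.misp.attribute` earlier (outside this hunk), so this entry never matches and `threatintel.misp.attribute.timestamp` presumably survives into the indexed document while `ignore_missing: true` hides the mismatch. It should read `- threatintel.misp.attribute.timestamp`. The hunk starts inside the tag-stripping script (`ctx.tags = tags;`), whose opening is outside it.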
@@ -465,13 +465,13 @@ "tlp:green", "type:OSINT" ], - "threatintel.indicator.domain": "whatsapp.com", "threatintel.indicator.marking.tlp": [ "green" ], "threatintel.indicator.provider": "misp", "threatintel.indicator.scanner_stats": 2, "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "whatsapp.com", "threatintel.misp.attribute.category": "Network activity", "threatintel.misp.attribute.comment": "", "threatintel.misp.attribute.deleted": false, diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml index ddc32e88537..4cb3ed37aef 100644 --- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml 
@@ -1,162 +1,161 @@ description: Pipeline for parsing MISP Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.otx + ignore_missing: true -###################### -# General ECS fields # -###################### -- rename: - field: json - target_field: threatintel.otx - ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + ## File indicator operations + - set: + field: threatintel.indicator.type + value: file + if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'" + - rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.md5 + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'" + - rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.sha1 + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'" + - rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.sha256 + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'" + - rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.pehash + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'" + - rename: + field: threatintel.otx.indicator + target_field: 
threatintel.indicator.file.hash.imphash + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'" -##################### -# Threat ECS Fields # -##################### -## File indicator operations -- set: - field: threatintel.indicator.type - value: file - if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'" -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.md5 - ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'" -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha1 - ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'" -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha256 - ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'" -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.pehash - ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'" -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.imphash - ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'" + ## IP indicator operations + - set: + field: threatintel.indicator.type + value: ipv4-addr + if: ctx.threatintel?.otx?.type == 'IPv4' + - set: + field: threatintel.indicator.type + value: ipv6-addr + if: ctx.threatintel?.otx?.type == 'IPv6' + - rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.ip + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" -## IP indicator operations -- set: - field: threatintel.indicator.type - value: ipv4-addr - if: ctx.threatintel?.otx?.type == 'IPv4' -- set: - field: threatintel.indicator.type - value: ipv6-addr - if: ctx.threatintel?.otx?.type == 'IPv6' -- rename: 
- field: threatintel.otx.indicator - target_field: threatintel.indicator.ip - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + ## URL indicator operations + - set: + field: threatintel.indicator.type + value: url + if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)" + - uri_parts: + field: threatintel.otx.indicator + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + ignore_empty_value: true + if: "ctx?.threatintel?.otx?.type == 'URL'" -## URL indicator operations -- set: - field: threatintel.indicator.type - value: url - if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)" -- uri_parts: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true - if: "ctx?.threatintel?.otx?.type == 'URL'" + ## Email indicator operations + - set: + field: threatintel.indicator.type + value: email-addr + if: ctx?.threatintel?.otx?.type == 'email' + - rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.email.address + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'email-addr'" -## Email indicator operations -- set: - field: threatintel.indicator.type - value: email-addr - if: ctx?.threatintel?.otx?.type == 'email' -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.email.address - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'email-addr'" + ## Domain indicator 
operations + - set: + field: threatintel.indicator.type + value: domain-name + if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)" + - rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.url.domain + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null" -## Domain indicator operations -- set: - field: threatintel.indicator.type - value: domain-name - if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)" -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.domain - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name'" - -###################### -# Cleanup processors # -###################### -- set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.otx.content - 
ignore_missing: true - if: ctx?.threatintel?.otx?.content == "" -- remove: - field: - - threatintel.otx.type - - threatintel.otx.id - - message - ignore_missing: true - if: ctx?.threatintel?.indicator?.type != null + handleMap(ctx); + - remove: + field: + - threatintel.otx.content + ignore_missing: true + if: ctx?.threatintel?.otx?.content == "" + - remove: + field: + - threatintel.otx.type + - threatintel.otx.id + - message + ignore_missing: true + if: ctx?.threatintel?.indicator?.type != null on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json index 8a8564626d5..e56752d47c3 100644 --- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json @@ -49,8 +49,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "ip.anysrc.net", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "ip.anysrc.net" }, { "event.category": "threat", @@ -796,8 +796,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "maper.info", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "maper.info" }, { "event.category": "threat", @@ -1144,8 +1144,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "fotmailz.com", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "fotmailz.com" }, { "event.category": "threat", 
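Review bot: The context line `description: Pipeline for parsing MISP Threat Intel` at the top of the OTX pipeline is a copy-paste leftover and should name this module, e.g. `description: Pipeline for parsing OTX Threat Intel`, so the pipeline is identifiable when listed alongside the MISP one. The first file-type `set` (`ctx.threatintel?.otx?.type.startsWith('FileHash') || ...`) calls `.startsWith` with no `!= null` guard, unlike the IP, URL and domain processors below; if Painless does not short-circuit the chain, a record without `type` raises and the whole document goes to `on_failure` with only `error.message` set. A guard in the style used elsewhere in this file would be `if: "ctx.threatintel?.otx?.type != null && (ctx.threatintel.otx.type.startsWith('FileHash') || ctx.threatintel.otx.type == 'filepath')"`. The `url.full` `set` is keyed on `otx.type == 'URL'` while `uri_parts` runs for both `URL` and `URI`, so `URI` indicators get `url.original` but no `url.full`; worth confirming that asymmetry is intended.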
@@ -1161,8 +1161,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "pori89g5jqo3v8.com", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "pori89g5jqo3v8.com" }, { "event.category": "threat", @@ -1178,8 +1178,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "sebco.co.ke", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "sebco.co.ke" }, { "event.category": "threat", @@ -1213,8 +1213,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "chishir.com", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "chishir.com" }, { "event.category": "threat", @@ -1230,8 +1230,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "kostunivo.com", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "kostunivo.com" }, { "event.category": "threat", @@ -1247,8 +1247,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "mangoclone.com", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "mangoclone.com" }, { "event.category": "threat", @@ -1264,8 +1264,8 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.domain": "onixcellent.com", - "threatintel.indicator.type": "domain-name" + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "onixcellent.com" }, { "event.category": "threat", diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml index 71a261a12af..8e0a6d4b334 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
@@ -5,15 +5,15 @@ processors:
 # that the ones generated by Filebeat's httpjson input.
 #
 - fail:
- if: 'ctx.json == null || !(ctx.json instanceof Map)'
- message: 'missing json object in input document'
+ if: "ctx.json == null || !(ctx.json instanceof Map)"
+ message: "missing json object in input document"
 #
 # Set basic ECS fields.
 #
 - set:
 field: event.ingested
- value: '{{{ _ingest.timestamp }}}'
+ value: "{{{ _ingest.timestamp }}}"
 - set:
 field: event.kind
 value: enrichment
@@ -29,7 +29,7 @@ processors:
 #
 - script:
 lang: painless
- if: 'ctx.json.entity?.type != null'
+ if: "ctx.json.entity?.type != null"
 description: >
 Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
 params:
@@ -68,7 +68,7 @@ processors:
 target_field: threatintel.indicator.first_seen
 formats:
 - ISO8601
- if: 'ctx.json.timestamps?.firstSeen != null'
+ if: "ctx.json.timestamps?.firstSeen != null"
 on_failure:
 - append:
 field: error.message
@@ -78,13 +78,12 @@ processors:
 target_field: threatintel.indicator.last_seen
 formats:
 - ISO8601
- if: 'ctx.json.timestamps?.lastSeen != null'
+ if: "ctx.json.timestamps?.lastSeen != null"
 on_failure:
 - append:
 field: error.message
 value: 'Error parsing lastSeen field value "{{{ json.timestamps.lastSeen }}}": {{{ _ingest.on_failure_message }}}'
-
 #
 # Map location fields.
 #
@@ -103,51 +102,45 @@ processors:
 - grok:
 field: json.location.asn
 patterns:
- - '^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$'
+ - "^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$"
 ignore_missing: true
 on_failure:
 - append:
 field: error.message
- value: 'Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}'
-
+ value: "Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}"
 - rename:
 field: json.location.organization
 target_field: threatintel.indicator.as.organization.name
 ignore_missing: true
-
 - set:
- field: event.reference
- value: '{{{ json.intelCard }}}'
+ field: threatintel.indicator.reference
+ value: "{{{ json.intelCard }}}"
 ignore_empty_value: true
-
 - set:
 field: json.ip_range
- value: '{{{json.entity.name}}}'
+ value: "{{{json.entity.name}}}"
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
- value: '{{{ json.entity.name }}}/32'
+ value: "{{{ json.entity.name }}}/32"
 if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
- value: '{{{ json.entity.name }}}/128'
+ value: "{{{ json.entity.name }}}/128"
 if: 'ctx.threatintel?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
- value: '{{{json.entity.name}}}'
+ value: "{{{json.entity.name}}}"
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
-
 - rename:
 field: json.entity.name
 target_field: threatintel.indicator.ip
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
-
 - rename:
 field: json.entity.name
- target_field: threatintel.indicator.domain
+ target_field: threatintel.indicator.url.domain
 ignore_missing: true
- if: 'ctx.threatintel?.indicator?.type == "domain-name"'
-
+ if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null'
 - uri_parts:
 field: json.entity.name
 target_field: threatintel.indicator.url
@@ -157,30 +150,28 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: 'Cannot parse url field `{{{ json.entity.name }}}`: {{{ _ingest.on_failure_message }}}'
+ value: "Cannot parse url field `{{{ json.entity.name }}}`: {{{ _ingest.on_failure_message }}}"
 # At this point fileHashes may exist if "fileHashes" field is requested.
 - append:
 field: json.fileHashes
- value: '{{{ json.entity.name }}}'
+ value: "{{{ json.entity.name }}}"
 allow_duplicates: false
 if: 'ctx.threatintel?.indicator?.type == "file"'
-
 - remove:
 field: json.entity.name
 if: 'ctx.threatintel?.indicator?.type == "file"'
-
 - script:
 lang: painless
 description: >
 Map file hashes.
- if: 'ctx.json.fileHashes != null'
+ if: "ctx.json.fileHashes != null"
 params:
- '4': crc32
- '32': md5
- '40': sha1
- '64': sha256
- '128': sha512
+ "4": crc32
+ "32": md5
+ "40": sha1
+ "64": sha256
+ "128": sha512
 source: >
 def hashes = new HashMap(); for (def hash : ctx.json.fileHashes) {
@@ -193,8 +184,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: 'Failed to map fileHashes field: {{ _ingest.on_failure_message }}'
-
+ value: "Failed to map fileHashes field: {{ _ingest.on_failure_message }}"
 - rename:
 field: _hashes
 target_field: threatintel.indicator.file.hash
@@ -211,7 +201,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: 'Risk score `{{{ json.risk.score }}}` cannot be converted to float: {{ _ingest.on_failure_message }}'
+ value: "Risk score `{{{ json.risk.score }}}` cannot be converted to float: {{ _ingest.on_failure_message }}"
 #
 # Remove fields converted to an ECS field.
 #
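Review bot: The new guard on the domain-name rename, `if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null'`, runs before the `uri_parts` processor that is the only visible writer of `threatintel.indicator.url` in this pipeline, so nothing has populated `url.domain` at that point and the condition is always true here; the "do not overwrite uri_parts output" protection described in the commit only holds where the rename follows uri_parts. Either move this rename below `uri_parts` or mark the check as defensive, e.g. `# url.domain is not set earlier in this pipeline; the guard only matters if this rename is ever moved below uri_parts`, so the next reader does not assume an ordering that does not exist. Note also that whenever the guard does skip the rename, `json.entity.name` is left in place and, given the trailing `rename` of `json` to `threatintel.recordedfuture` in the last hunk, would end up under `threatintel.recordedfuture.entity.name` rather than on the indicator, which looks unintended for a domain indicator. Separately, the first and fourth `set` on `json.ip_range` in this hunk carry identical `value` and `if`, so the fourth is a no-op repeat that can be dropped.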
@@ -222,15 +212,13 @@ processors:
 - json.fileHashes
 - message
 ignore_missing: true
-
 #
 # Save fields without an ECS mapping under `threatintel.recordedfuture`.
 #
 - rename:
 field: json
 target_field: threatintel.recordedfuture
-
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
index 12d7044c9a1..29b0a8ed4a5 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
@@ -4,7 +4,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture",
@@ -15,10 +14,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "16url-gy.example.net", "threatintel.indicator.first_seen": "2016-07-25T20:29:32.750Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.901Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "16url-gy.example.net", "threatintel.recordedfuture.entity.id": "idn:16url-gy.example.net", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
@@ -35,7 +35,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -46,10 +45,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "b999f.example.org", "threatintel.indicator.first_seen": "2012-11-21T01:54:04.292Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.812Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "b999f.example.org", "threatintel.recordedfuture.entity.id": "idn:b999f.example.org", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", @@ -66,7 +66,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -77,10 +76,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "c422.example.net", "threatintel.indicator.first_seen": "2018-02-21T13:53:46.470Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.778Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "c422.example.net", "threatintel.recordedfuture.entity.id": "idn:c422.example.net", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", @@ -97,7 +97,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -108,10 +107,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "8rwcvgjsp.example.net", "threatintel.indicator.first_seen": "2016-08-15T11:56:24.964Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.747Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "8rwcvgjsp.example.net", "threatintel.recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", 
@@ -128,7 +128,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -139,10 +138,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "c9px.example.net", "threatintel.indicator.first_seen": "2016-06-29T21:06:06.066Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.460Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "c9px.example.net", "threatintel.recordedfuture.entity.id": "idn:c9px.example.net", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", @@ -159,7 +159,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -170,10 +169,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "ttj1i9z7.example.com", "threatintel.indicator.first_seen": "2018-09-20T03:26:08.564Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "ttj1i9z7.example.com", "threatintel.recordedfuture.entity.id": "idn:ttj1i9z7.example.com", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", @@ -190,7 +190,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -201,10 +200,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "7pgc.example.org", "threatintel.indicator.first_seen": "2017-02-23T17:44:16.104Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "7pgc.example.org", "threatintel.recordedfuture.entity.id": "idn:7pgc.example.org", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", 
@@ -221,7 +221,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -232,10 +231,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "xm5u434.example.net", "threatintel.indicator.first_seen": "2017-04-10T06:55:27.658Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "xm5u434.example.net", "threatintel.recordedfuture.entity.id": "idn:xm5u434.example.net", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", @@ -252,7 +252,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -263,10 +262,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "gpgju.example.com", "threatintel.indicator.first_seen": "2018-07-27T15:22:39.390Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "gpgju.example.com", "threatintel.recordedfuture.entity.id": "idn:gpgju.example.com", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", @@ -283,7 +283,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -294,10 +293,11 @@ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.domain": "55g.example.com", "threatintel.indicator.first_seen": "2021-01-10T21:24:38.353Z", "threatintel.indicator.last_seen": "2021-06-20T18:23:45.025Z", + "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "55g.example.com", "threatintel.recordedfuture.entity.id": "idn:55g.example.com", "threatintel.recordedfuture.entity.type": "InternetDomainName", "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json index 32a800a1574..dbc47e31767 100644 
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json @@ -4,7 +4,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -20,6 +19,7 @@ "threatintel.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.503Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.503Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "threatintel.recordedfuture.entity.type": "Hash", @@ -54,7 +54,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -70,6 +69,7 @@ "threatintel.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.452Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.452Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "threatintel.recordedfuture.entity.type": "Hash", @@ -104,7 +104,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -120,6 +119,7 @@ "threatintel.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.343Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.343Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "threatintel.recordedfuture.entity.type": "Hash", @@ -154,7 +154,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -170,6 +169,7 @@ "threatintel.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.258Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.258Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "threatintel.recordedfuture.entity.type": "Hash", @@ -204,7 +204,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -220,6 +219,7 @@ "threatintel.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.131Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.131Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "threatintel.recordedfuture.entity.type": "Hash", @@ -246,7 +246,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -262,6 +261,7 @@ "threatintel.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.093Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.093Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "threatintel.recordedfuture.entity.type": "Hash", @@ -296,7 +296,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -312,6 +311,7 @@ "threatintel.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.070Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.070Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "threatintel.recordedfuture.entity.type": "Hash", @@ -346,7 +346,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -362,6 +361,7 @@ "threatintel.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "threatintel.indicator.first_seen": "2021-06-20T18:40:18.011Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:18.011Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "threatintel.recordedfuture.entity.type": "Hash", @@ -396,7 +396,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -412,6 +411,7 @@ "threatintel.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "threatintel.indicator.first_seen": "2021-06-20T18:40:17.964Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:17.964Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "threatintel.recordedfuture.entity.type": "Hash", @@ -446,7 +446,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "event.risk_score": 65.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -462,6 +461,7 @@ "threatintel.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "threatintel.indicator.first_seen": "2021-06-20T18:40:17.919Z", "threatintel.indicator.last_seen": "2021-06-20T18:40:17.919Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "threatintel.indicator.type": "file", "threatintel.recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "threatintel.recordedfuture.entity.type": "Hash", diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json index ed121c0a418..74488f715da 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json @@ -4,7 +4,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -22,6 +21,7 @@ "threatintel.indicator.geo.continent_name": "Europe", "threatintel.indicator.geo.country_name": "Bulgaria", "threatintel.indicator.last_seen": "2021-06-19T19:40:32.897Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", "threatintel.indicator.type": "ipv6-addr", "threatintel.recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", "threatintel.recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", 
@@ -41,7 +41,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -60,6 +59,7 @@ "threatintel.indicator.geo.country_name": "Iran", "threatintel.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", "threatintel.indicator.last_seen": "2021-06-19T19:40:32.839Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", "threatintel.indicator.type": "ipv6-addr", "threatintel.recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", "threatintel.recordedfuture.entity.type": "IpAddress", @@ -78,7 +78,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -96,6 +95,7 @@ "threatintel.indicator.geo.country_name": null, "threatintel.indicator.ip": "203.0.113.55", "threatintel.indicator.last_seen": "2021-06-19T19:40:30.596Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", "threatintel.indicator.type": "ipv4-addr", "threatintel.recordedfuture.entity.id": "ip:203.0.113.55", "threatintel.recordedfuture.entity.type": "IpAddress", @@ -114,7 +114,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -133,6 +132,7 @@ "threatintel.indicator.geo.country_name": "China", "threatintel.indicator.ip": "203.0.113.108", "threatintel.indicator.last_seen": "2021-06-19T19:40:20.534Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", "threatintel.indicator.type": "ipv4-addr", "threatintel.recordedfuture.entity.id": "ip:203.0.113.108", "threatintel.recordedfuture.entity.type": "IpAddress", @@ -151,7 +151,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", @@ -170,6 +169,7 @@ "threatintel.indicator.geo.country_name": "Indonesia", "threatintel.indicator.ip": "203.0.113.139", "threatintel.indicator.last_seen": "2021-06-19T19:40:03.882Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", "threatintel.indicator.type": "ipv4-addr", "threatintel.recordedfuture.entity.id": "ip:203.0.113.139", "threatintel.recordedfuture.entity.type": "IpAddress", @@ -188,7 +188,6 @@ "event.dataset": "threatintel.recordedfuture", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", "event.risk_score": 0.0, "event.type": "indicator", "fileset.name": "recordedfuture", 
@@ -207,6 +206,7 @@
 "threatintel.indicator.geo.country_name": "China",
 "threatintel.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
 "threatintel.indicator.last_seen": "2021-06-19T19:40:02.557Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
 "threatintel.indicator.type": "ipv6-addr",
 "threatintel.recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -225,7 +225,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -244,6 +243,7 @@
 "threatintel.indicator.geo.country_name": "China",
 "threatintel.indicator.ip": "192.0.2.147",
 "threatintel.indicator.last_seen": "2021-06-19T19:39:43.160Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:192.0.2.147",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -262,7 +262,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -281,6 +280,7 @@
 "threatintel.indicator.geo.country_name": "India",
 "threatintel.indicator.ip": "203.0.113.198",
 "threatintel.indicator.last_seen": "2021-06-19T19:39:25.532Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:203.0.113.198",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -308,7 +308,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
 "event.risk_score": 15.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -327,6 +326,7 @@
 "threatintel.indicator.geo.country_name": "India",
 "threatintel.indicator.ip": "192.0.2.179",
 "threatintel.indicator.last_seen": "2021-06-19T19:39:11.694Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:192.0.2.179",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -370,7 +370,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -389,6 +388,7 @@
 "threatintel.indicator.geo.country_name": "Vietnam",
 "threatintel.indicator.ip": "192.0.2.245",
 "threatintel.indicator.last_seen": "2021-06-19T19:38:57.372Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:192.0.2.245",
 "threatintel.recordedfuture.entity.type": "IpAddress",
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
index b341365e428..779d86ae965 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
@@ -4,7 +4,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -17,6 +16,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "d6s.example.net",
 "threatintel.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
@@ -48,7 +48,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -61,6 +60,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ga7v9u.example.org",
 "threatintel.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
@@ -92,7 +92,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -105,6 +104,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cdmw.example.net",
 "threatintel.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
@@ -136,7 +136,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -149,6 +148,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "4mne.example.local",
 "threatintel.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
@@ -180,7 +180,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -193,6 +192,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "z198hloc8.example.com",
 "threatintel.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
@@ -224,7 +224,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -237,6 +236,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "y484j-fb6.example.local",
 "threatintel.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
@@ -268,7 +268,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -281,6 +280,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "sp2xyqq82.example.local",
 "threatintel.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
@@ -312,7 +312,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -325,6 +324,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "zh4o7xc.example.com",
 "threatintel.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
@@ -356,7 +356,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -369,6 +368,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "fiivf4s.example.org",
 "threatintel.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
@@ -400,7 +400,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -413,6 +412,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "abav9v.example.org",
 "threatintel.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",