From 225108ace7e7929de7c67155a1836444226bd3fb Mon Sep 17 00:00:00 2001 From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Thu, 7 Oct 2021 22:10:43 +1030 Subject: [PATCH] x-pack/filebeat/module/threatintel/misp: add support for secondary object attribute handling (#28124) Co-authored-by: Marius Iversen --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 150 ++ x-pack/filebeat/module/threatintel/fields.go | 2 +- .../module/threatintel/misp/_meta/fields.yml | 60 + .../module/threatintel/misp/config/config.yml | 16 +- .../threatintel/misp/ingest/pipeline.yml | 63 +- .../test/misp_sample.ndjson.log-expected.json | 15 + ...misp_sample_with_ext_attributes.ndjson.log | 26 + ...th_ext_attributes.ndjson.log-expected.json | 1687 +++++++++++++++++ 9 files changed, 2009 insertions(+), 11 deletions(-) create mode 100644 x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log create mode 100644 x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2f32098290f..56a4baa07d0 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -744,6 +744,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Make aws-cloudwatch input GA. {pull}28161[28161] - Move processing to ingest node for AWS vpcflow fileset. {pull}28168[28168] - Release zoom module as GA. {pull}28106[28106] +- Add support for secondary object attribute handling in ThreatIntel MISP module {pull}28124[28124] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index c343709f78f..c02d5a30503 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -151364,6 +151364,156 @@ type: keyword The value of the attribute, depending on the type like "url, sha1, email-src". +type: keyword + +-- + +*`threatintel.misp.context.attribute.id`*:: ++ +-- +The ID of the secondary attribute related to the event object. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.type`*:: ++ +-- +The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.category`*:: ++ +-- +The category of the secondary attribute related to the event object. For example "Network Activity". + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.to_ids`*:: ++ +-- +If the secondary attribute should be automatically synced with an IDS. + + +type: boolean + +-- + +*`threatintel.misp.context.attribute.uuid`*:: ++ +-- +The UUID of the secondary attribute related to the event. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.event_id`*:: ++ +-- +The local event ID of the secondary attribute related to the event. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.distribution`*:: ++ +-- +How the secondary attribute has been distributed, represented by integer numbers. + + +type: long + +-- + +*`threatintel.misp.context.attribute.timestamp`*:: ++ +-- +The timestamp in which the secondary attribute was attached to the event object. + + +type: date + +-- + +*`threatintel.misp.context.attribute.comment`*:: ++ +-- +Comments made to the secondary attribute itself. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.sharing_group_id`*:: ++ +-- +The group ID of the sharing group related to the specific secondary attribute. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.deleted`*:: ++ +-- +If the secondary attribute has been removed from the event object. 
+ + +type: boolean + +-- + +*`threatintel.misp.context.attribute.disable_correlation`*:: ++ +-- +If correlation has been enabled on the secondary attribute related to the event object. + + +type: boolean + +-- + +*`threatintel.misp.context.attribute.object_id`*:: ++ +-- +The ID of the Object in which the secondary attribute is attached. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.object_relation`*:: ++ +-- +The type of relation the secondary attribute has with the event object itself. + + +type: keyword + +-- + +*`threatintel.misp.context.attribute.value`*:: ++ +-- +The value of the attribute, depending on the type like "url, sha1, email-src". + + type: keyword -- diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index 84f4fed3ea6..fdee7dde59a 100644 --- a/x-pack/filebeat/module/threatintel/fields.go +++ b/x-pack/filebeat/module/threatintel/fields.go @@ -19,5 +19,5 @@ func init() { // AssetThreatintel returns asset data. // This is the base64 encoded zlib format compressed contents of module/threatintel. func AssetThreatintel() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml b/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml index c352ecce303..8f88e150045 100644 --- a/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml 
@@ -163,3 +163,63 @@ type: keyword description: > The value of the attribute, depending on the type like "url, sha1, email-src". + - name: context.attribute.id + type: keyword + description: > + The ID of the secondary attribute related to the event object. + - name: context.attribute.type + type: keyword + description: > + The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. + - name: context.attribute.category + type: keyword + description: > + The category of the secondary attribute related to the event object. For example "Network Activity". + - name: context.attribute.to_ids + type: boolean + description: > + If the secondary attribute should be automatically synced with an IDS. + - name: context.attribute.uuid + type: keyword + description: > + The UUID of the secondary attribute related to the event. + - name: context.attribute.event_id + type: keyword + description: > + The local event ID of the secondary attribute related to the event. + - name: context.attribute.distribution + type: long + description: > + How the secondary attribute has been distributed, represented by integer numbers. + - name: context.attribute.timestamp + type: date + description: > + The timestamp in which the secondary attribute was attached to the event object. + - name: context.attribute.comment + type: keyword + description: > + Comments made to the secondary attribute itself. + - name: context.attribute.sharing_group_id + type: keyword + description: > + The group ID of the sharing group related to the specific secondary attribute. + - name: context.attribute.deleted + type: boolean + description: > + If the secondary attribute has been removed from the event object. + - name: context.attribute.disable_correlation + type: boolean + description: > + If correlation has been enabled on the secondary attribute related to the event object. 
+ - name: context.attribute.object_id + type: keyword + description: > + The ID of the Object in which the secondary attribute is attached. + - name: context.attribute.object_relation + type: keyword + description: > + The type of relation the secondary attribute has with the event object itself. + - name: context.attribute.value + type: keyword + description: > + The value of the attribute, depending on the type like "url, sha1, email-src". diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml index 8efcd615f06..922f794af20 100644 --- a/x-pack/filebeat/module/threatintel/misp/config/config.yml +++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml @@ -33,12 +33,20 @@ response.split: target: body.response split: target: body.Event.Attribute + ignore_empty_value: true keep_parent: true + split: + target: body.Event.Object + keep_parent: true + split: + target: body.Event.Object.Attribute + keep_parent: true response.request_body_on_pagination: true response.pagination: - set: target: body.page value: '[[add .last_response.page 1]]' + fail_on_template_error: true cursor: timestamp: value: '[[.last_event.Event.timestamp]]' @@ -61,8 +69,14 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - decode_json_fields: fields: [message] - document_id: Event.Attribute.uuid target: json + - fingerprint: + fields: + - json.Event.Attribute.uuid + - json.Event.Object.Attribute.uuid + ignore_missing: true + target_field: "@metadata._id" + encoding: base64 - script: lang: javascript id: my_filter diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml index 8987e591b9b..e64379422db 100644 --- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml 
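Review bot: In the fields.yml hunk (`@@ -163,3 +163,63 @@`), the description added for `context.attribute.disable_correlation` reads "If correlation has been enabled", which is the opposite of what the field name says. An analyst relying on the field reference would read `true` the wrong way round. Suggest `If correlation has been disabled on the secondary attribute related to the event object.` The same sentence appears in the fields.asciidoc hunk, which looks generated from this file, so fixing it here and regenerating should cover both.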
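Review bot: In the second config.yml hunk (`@@ -61,8 +69,14 @@`), the `fingerprint` processor derives `@metadata._id` from only the two attribute UUIDs with `ignore_missing: true`. An event carrying neither field would, as far as I can tell, hash an empty input, so every such event would get the same document ID and overwrite the previous one. The `ignore_empty_value: true` added to the `body.Event.Attribute` split in the first hunk appears to let attribute-less events through, which makes this reachable. Adding the event UUID to the inputs, `- json.Event.uuid` as the first entry under `fields:`, keeps the ID distinct per event; alternatively, gate the processor on one of the UUIDs being present. A one-line comment saying the ID is a hash used for de-duplication would also help the next reader.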
@@ -41,10 +41,21 @@ processors: - threatintel.misp.Galaxy - threatintel.misp.Attribute.Galaxy - threatintel.misp.Attribute.ShadowAttribute - - threatintel.misp.Object - threatintel.misp.EventReport + - threatintel.misp.Object.Attribute.Galaxy + - threatintel.misp.Object.Attribute.ShadowAttribute - message ignore_missing: true + - remove: + field: + - threatintel.misp.Attribute + ignore_missing: true + if: ctx?.threatintel?.misp?.Attribute.size() == 0 + - remove: + field: + - threatintel.misp.Object + ignore_missing: true + if: ctx?.threatintel?.misp?.Object.size() == 0 - date: field: threatintel.misp.timestamp formats: @@ -54,6 +65,14 @@ processors: field: threatintel.misp.Attribute target_field: threatintel.misp.attribute ignore_missing: true + - rename: + field: threatintel.misp.Object + target_field: threatintel.misp.object + ignore_missing: true + - rename: + field: threatintel.misp.object.Attribute + target_field: threatintel.misp.object.attribute + ignore_missing: true - rename: field: threatintel.misp.Orgc target_field: threatintel.misp.orgc @@ -62,15 +81,25 @@ processors: field: threatintel.misp.Org target_field: threatintel.misp.org ignore_missing: true - - rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute - ignore_missing: true - rename: field: threatintel.misp.Tag target_field: threatintel.misp.tag ignore_missing: true + # # Dance around issue of not being able to split the document into two. + # # Make the Object.Attribute field primary if it exists, but keep the + # # outer Attribute as context. + - rename: + field: threatintel.misp.attribute + target_field: threatintel.misp.context.attribute + ignore_missing: true + if: ctx?.threatintel?.misp?.object != null + - rename: + field: threatintel.misp.object.attribute + target_field: threatintel.misp.attribute + ignore_missing: true + if: ctx?.threatintel?.misp?.object != null + ##################### # Threat ECS Fields # ##################### 
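Review bot: In the first pipeline.yml hunk (`@@ -41,10 +41,21 @@`), both new `remove` conditions end the null-safe chain with a plain call, `ctx?.threatintel?.misp?.Attribute.size() == 0`. A document with no `Attribute` (or no `Object`) key therefore dereferences null inside the condition; `ignore_missing: true` covers only the field removal, not the `if`. Later hunks in this commit add explicit `!= null &&` guards before `.startsWith(...)` for the same reason, and these two should match: `if: ctx?.threatintel?.misp?.Attribute != null && ctx.threatintel.misp.Attribute.size() == 0`, and likewise for `Object`.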
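Review bot: In the third pipeline.yml hunk (`@@ -62,15 +81,25 @@`), both new renames are gated on `ctx?.threatintel?.misp?.object != null`. An object that arrives without an `attribute` still moves the event-level attribute to `context.attribute` while nothing is promoted in its place, so the indicator processors further down would see no `threatintel.misp.attribute` and that indicator is silently lost. Gating both renames on the field that is actually promoted avoids this: `if: ctx?.threatintel?.misp?.object?.attribute != null`. The processor list continues outside the hunk, so confirm that nothing downstream relies on the broader condition.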
@@ -96,7 +125,7 @@ processors: - set: field: threatintel.indicator.type value: file - if: "['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename')" + if: "ctx?.threatintel?.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename'))" - rename: field: threatintel.misp.attribute.value target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" @@ -112,17 +141,17 @@ processors: patterns: - "%{WORD}\\|%{WORD:_tmp.hashtype}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') - grok: field: threatintel.misp.attribute.value patterns: - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') - set: field: threatintel.indicator.file.hash.{{_tmp.hashtype}} value: "{{_tmp.hashvalue}}" - if: "ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" + if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" ## URL/URI indicator operations - set: 
@@ -218,6 +247,14 @@ processors: target_field: threatintel.indicator.email.address ignore_missing: true if: ctx?.threatintel?.indicator?.type == 'email-addr' + - rename: + field: threatintel.misp.event_creator_email + target_field: user.email + ignore_missing: true + - append: + field: user.roles + value: "reporting_user" + if: ctx?.user?.email != null ## MAC Address indicator operations - set: @@ -288,6 +325,14 @@ processors: - threatintel.misp.attribute.value ignore_missing: true if: ctx?.threatintel?.indicator?.type != 'unknown' + - remove: + field: + # This removes a number of fields that may be wanted in the future when + # threatintel.misp.attribute and threatintel.misp.object.attribute can + # be separated. At the root of .object are fields that mirror fields at + # the root of threatintel.misp. + - threatintel.misp.object + ignore_missing: true - remove: field: - threatintel.misp.Attribute.timestamp diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json index 0f51df945c7..9f4dbc50fc8 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json @@ -36,6 +36,7 @@ "threatintel.misp.attribute.timestamp": "1503930272", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "md5", + "threatintel.misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81", "threatintel.misp.attribute_count": "7", "threatintel.misp.date": "2017-08-25", "threatintel.misp.disable_correlation": false, 
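Review bot: In the `@@ -218,6 +247,14 @@` hunk, the new `rename` moves `threatintel.misp.event_creator_email` into `user.email` on every document, yet it sits inside the email indicator block with no comment, so a reader can mistake the reporter's address for indicator data. It is also a personal address from the MISP instance that will now be indexed under an ECS identity field, which is worth a line in the module documentation. Suggest a comment above the rename, `# Reporter identity from the MISP event, not an indicator value.`, and moving the rename/append pair out of the indicator section if ordering allows. The processors list continues outside the hunk.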
@@ -95,6 +96,7 @@ "threatintel.misp.attribute.timestamp": "1542652482", "threatintel.misp.attribute.to_ids": false, "threatintel.misp.attribute.type": "domain|ip", + "threatintel.misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219", "threatintel.misp.attribute_count": "7", "threatintel.misp.date": "2017-08-25", "threatintel.misp.disable_correlation": false, @@ -154,6 +156,7 @@ "threatintel.misp.attribute.timestamp": "1490878550", "threatintel.misp.attribute.to_ids": false, "threatintel.misp.attribute.type": "link", + "threatintel.misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81", "threatintel.misp.attribute_count": "100", "threatintel.misp.date": "2017-03-30", "threatintel.misp.disable_correlation": false, @@ -209,6 +212,7 @@ "threatintel.misp.attribute.timestamp": "1412579394", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "sha256", + "threatintel.misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b", "threatintel.misp.attribute_count": "29", "threatintel.misp.date": "2014-10-03", "threatintel.misp.disable_correlation": false, @@ -264,6 +268,7 @@ "threatintel.misp.attribute.timestamp": "1412579457", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "ip-dst", + "threatintel.misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b", "threatintel.misp.attribute_count": "29", "threatintel.misp.date": "2014-10-03", "threatintel.misp.disable_correlation": false, @@ -319,6 +324,7 @@ "threatintel.misp.attribute.timestamp": "1412579548", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "hostname", + "threatintel.misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b", "threatintel.misp.attribute_count": "29", "threatintel.misp.date": "2014-10-03", "threatintel.misp.disable_correlation": false, 
@@ -373,6 +379,7 @@ "threatintel.misp.attribute.timestamp": "1412579577", "threatintel.misp.attribute.to_ids": false, "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b", "threatintel.misp.attribute.value": "Nitro", "threatintel.misp.attribute_count": "29", "threatintel.misp.date": "2014-10-03", @@ -429,6 +436,7 @@ "threatintel.misp.attribute.timestamp": "1455826343", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "sha1", + "threatintel.misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f", "threatintel.misp.attribute_count": "29", "threatintel.misp.date": "2014-10-03", "threatintel.misp.disable_correlation": false, @@ -484,6 +492,7 @@ "threatintel.misp.attribute.timestamp": "1462454963", "threatintel.misp.attribute.to_ids": false, "threatintel.misp.attribute.type": "domain", + "threatintel.misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16", "threatintel.misp.attribute_count": "29", "threatintel.misp.date": "2014-10-03", "threatintel.misp.disable_correlation": false, @@ -545,6 +554,7 @@ "threatintel.misp.attribute.timestamp": "1515427692", "threatintel.misp.attribute.to_ids": false, "threatintel.misp.attribute.type": "url", + "threatintel.misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219", "threatintel.misp.attribute_count": "61", "threatintel.misp.date": "2018-01-08", "threatintel.misp.disable_correlation": false, @@ -600,6 +610,7 @@ "threatintel.misp.attribute.timestamp": "1515429089", "threatintel.misp.attribute.to_ids": false, "threatintel.misp.attribute.type": "uri", + "threatintel.misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219", "threatintel.misp.attribute_count": "61", "threatintel.misp.date": "2018-01-08", "threatintel.misp.disable_correlation": false, 
@@ -657,6 +668,7 @@ "threatintel.misp.attribute.timestamp": "1515429089", "threatintel.misp.attribute.to_ids": false, "threatintel.misp.attribute.type": "filename|sha1", + "threatintel.misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219", "threatintel.misp.attribute_count": "61", "threatintel.misp.date": "2018-01-08", "threatintel.misp.disable_correlation": false, @@ -711,6 +723,7 @@ "threatintel.misp.attribute.timestamp": "1456266422", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "email-src", + "threatintel.misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a", "threatintel.misp.attribute_count": "133", "threatintel.misp.date": "2015-12-08", "threatintel.misp.disable_correlation": false, @@ -765,6 +778,7 @@ "threatintel.misp.attribute.timestamp": "1456266454", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "regkey", + "threatintel.misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a", "threatintel.misp.attribute_count": "133", "threatintel.misp.date": "2015-12-08", "threatintel.misp.disable_correlation": false, @@ -821,6 +835,7 @@ "threatintel.misp.attribute.timestamp": "1607517728", "threatintel.misp.attribute.to_ids": true, "threatintel.misp.attribute.type": "ip-dst|port", + "threatintel.misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16", "threatintel.misp.attribute_count": "15", "threatintel.misp.date": "2020-12-09", "threatintel.misp.disable_correlation": false, diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log new file mode 100644 index 00000000000..db8957404b4 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log 
@@ -0,0 +1,26 @@ +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload installation","comment":"Contextual comment for the file md5 attribute","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3631","first_seen":null,"id":"266258","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588162","to_ids":false,"type":"md5","uuid":"34c59b06-d35d-4808-919c-4b452f185c52","value":"70461da8b94c6ca5d2fda3260c5a8c3b"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3633","info":"Test event 3 objects and attributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"1","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3631","info":"Test event 1 just atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"Artefact dropped for test 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266259","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588675","to_ids":true,"type":"md5","uuid":"73102a1c-7432-47b7-9644-6f9d46b6887c","value":"60461da8b94c6ca5d2fda3260c5a8c3b"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"Conext for domain type attribute event 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266260","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588744","to_ids":true,"type":"domain","uuid":"a52a1b47-a580-4f33-96ba-939cf9146c9b","value":"baddom.madeup.local"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"Ip-src attribute context for 
event2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266261","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588800","to_ids":false,"type":"ip-src","uuid":"3dbf224b-7c84-4c4b-9f95-80f28954bd10","value":"10.0.0.1"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"ip-dst context for event id 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266262","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588836","to_ids":true,"type":"ip-dst","uuid":"db4bfd36-7374-4f8c-9031-60e56d4bba30","value":"192.168.1.50"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 
3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266267","last_seen":null,"object_id":"18207","object_relation":"fullpath","sharing_group_id":"0","timestamp":"1621589548","to_ids":false,"type":"text","uuid":"ff97cc32-815e-4fc9-9d4b-cab9822027a6","value":"\\the\\fullpath\\to the file\\filenameofobject.txt"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just 
atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3633","first_seen":null,"id":"266268","last_seen":null,"object_id":"18207","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1621589548","to_ids":false,"type":"size-in-bytes","uuid":"e378b4d9-43e1-4c64-bd4e-70fce2b4e581","value":"505050"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload 
delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266264","last_seen":null,"object_id":"18207","object_relation":"md5","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"md5","uuid":"787b3822-0bec-4278-b34a-5d649e7bce05","value":"70461da8b94c6ca5d2fda3260c5a8c3b"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename 
contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266265","last_seen":null,"object_id":"18207","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"sha256","uuid":"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e","value":"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just 
atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3633","first_seen":null,"id":"266266","last_seen":null,"object_id":"18207","object_relation":"filename","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"filename","uuid":"6648d129-9200-431b-9b41-263a84f7c9d2","value":"filenameofobject.txt"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3634","first_seen":null,"id":"266269","last_seen":null,"object_id":"18208","object_relation":"text","sharing_group_id":"0","timestamp":"1621591770","to_ids":false,"type":"text","uuid":"25d2f181-26ae-4d6f-b4fd-85b9d1f82e67","value":"Free text in the file object"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object 
describing a file with meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3634","first_seen":null,"id":"266270","last_seen":null,"object_id":"18208","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621591770","to_ids":true,"type":"sha256","uuid":"4e579782-346b-44b3-b72c-1cae8d87cb25","value":"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3634","first_seen":null,"id":"266271","last_seen":null,"object_id":"18208","object_relation":"filename","sharing_group_id":"0","timestamp":"1621591770","to_ids":true,"type":"filename","uuid":"a40343b5-a480-4288-9b0c-7ae074a77140","value":"filenameinmispobject.txt"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266272","last_seen":null,"object_id":"18209","object_relation":"text","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"text","uuid":"188a6a15-5704-4e4f-acba-22c55ab08fe8","value":"Object 5 free text attribute in object"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266275","last_seen":null,"object_id":"18209","object_relation":"entropy","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"float","uuid":"2400b103-4a33-4f92-ac04-a558b6c6e252","value":"0.53535445"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266276","last_seen":null,"object_id":"18209","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"size-in-bytes","uuid":"e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7","value":"55555"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3635","first_seen":null,"id":"266273","last_seen":null,"object_id":"18209","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621592379","to_ids":true,"type":"sha256","uuid":"803f10bd-9087-4169-8699-277579a92693","value":"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266274","last_seen":null,"object_id":"18209","object_relation":"filename","sharing_group_id":"0","timestamp":"1621592379","to_ids":true,"type":"filename","uuid":"e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f","value":"object5.txt"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266278","last_seen":null,"object_id":"18210","object_relation":"text","sharing_group_id":"0","timestamp":"1622200348","to_ids":false,"type":"text","uuid":"955e34a5-a630-42c9-868d-6e3dcb575987","value":"Excutable create bad pipe"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266281","last_seen":null,"object_id":"18211","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"size-in-bytes","uuid":"2fa7721b-ad73-4914-b082-8d44233ced98","value":"3892"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable 
Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266283","last_seen":null,"object_id":"18211","object_relation":"name","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"text","uuid":"d35c1ff8-a69c-482b-8fb0-1182988d9468","value":".data"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable 
Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266284","last_seen":null,"object_id":"18211","object_relation":"text","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"text","uuid":"dc11971a-a676-4676-b24c-a45a8791e0b0","value":"Extracted zip archive data"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a 
Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266285","last_seen":null,"object_id":"18211","object_relation":"entropy","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"float","uuid":"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb","value":"7.93280431051"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a 
Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266279","last_seen":null,"object_id":"18210","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"md5","uuid":"1c97c043-5de2-41a1-b591-3237174cd290","value":"7392463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object 
describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload 
delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266282","last_seen":null,"object_id":"18211","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200780","to_ids":true,"type":"md5","uuid":"f3b8696e-5390-4383-ace2-6e06bfae497d","value":"7295463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts 
dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266280","last_seen":null,"object_id":"18210","object_relation":"filename","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"filename","uuid":"2dfcb937-e6af-4b5d-ad50-f8eb975990f3","value":"badmojopipe.exe"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} 
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json
new file mode 100644
index 00000000000..6db06ab777c
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json
@@ -0,0 +1,1687 @@ +[ + { + "@timestamp": "2021-05-21T09:09:22.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload installation", + "threatintel.misp.attribute.comment": "Contextual comment for the file md5 attribute", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3631", + "threatintel.misp.attribute.id": "266258", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621588162", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "md5", + "threatintel.misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52", + "threatintel.misp.attribute_count": "1", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3631", + "threatintel.misp.info": "Test event 1 just atrributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + 
"threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 1614, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Artifacts dropped", + "threatintel.misp.attribute.comment": "Artefact dropped for test 2", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3632", + "threatintel.misp.attribute.id": "266259", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621588675", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "md5", + "threatintel.misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c", + "threatintel.misp.attribute_count": "4", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3632", + "threatintel.misp.info": "Test event 2 just more atrributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + 
"threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 3241, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "domain-name", + "threatintel.indicator.url.domain": "baddom.madeup.local", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "Conext for domain type attribute event 2", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3632", + "threatintel.misp.attribute.id": "266260", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621588744", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "domain", + "threatintel.misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b", + "threatintel.misp.attribute_count": "4", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": 
false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3632", + "threatintel.misp.info": "Test event 2 just more atrributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 4870, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.ip": "10.0.0.1", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "ipv4-addr", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "Ip-src attribute context for event2", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3632", + "threatintel.misp.attribute.id": "266261", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621588800", + "threatintel.misp.attribute.to_ids": false, + 
"threatintel.misp.attribute.type": "ip-src", + "threatintel.misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10", + "threatintel.misp.attribute_count": "4", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3632", + "threatintel.misp.info": "Test event 2 just more atrributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 6484, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.ip": "192.168.1.50", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "ipv4-addr", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "ip-dst context for event id 2", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3632", + 
"threatintel.misp.attribute.id": "266262", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621588836", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "ip-dst", + "threatintel.misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30", + "threatintel.misp.attribute_count": "4", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3632", + "threatintel.misp.info": "Test event 2 just more atrributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 8095, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + 
"threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3633", + "threatintel.misp.attribute.id": "266267", + "threatintel.misp.attribute.object_id": "18207", + "threatintel.misp.attribute.object_relation": "fullpath", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621589548", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6", + "threatintel.misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt", + "threatintel.misp.attribute_count": "6", + "threatintel.misp.context.attribute.category": "Payload delivery", + "threatintel.misp.context.attribute.comment": "filename contect for test event 3", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3633", + "threatintel.misp.context.attribute.id": "266263", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1621589229", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "filename", + "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "threatintel.misp.context.attribute.value": "thetestfile.txt", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3633", + "threatintel.misp.info": "Test event 3 objects and attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + 
"threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 10558, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3633", + "threatintel.misp.attribute.id": "266268", + "threatintel.misp.attribute.object_id": "18207", + "threatintel.misp.attribute.object_relation": "size-in-bytes", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621589548", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "size-in-bytes", + "threatintel.misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581", + "threatintel.misp.attribute.value": "505050", + "threatintel.misp.attribute_count": "6", + "threatintel.misp.context.attribute.category": "Payload delivery", + 
"threatintel.misp.context.attribute.comment": "filename contect for test event 3", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3633", + "threatintel.misp.context.attribute.id": "266263", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1621589229", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "filename", + "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "threatintel.misp.context.attribute.value": "thetestfile.txt", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3633", + "threatintel.misp.info": "Test event 3 objects and attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": 
"log", + "log.offset": 12990, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3633", + "threatintel.misp.attribute.id": "266264", + "threatintel.misp.attribute.object_id": "18207", + "threatintel.misp.attribute.object_relation": "md5", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621589548", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "md5", + "threatintel.misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05", + "threatintel.misp.attribute_count": "6", + "threatintel.misp.context.attribute.category": "Payload delivery", + "threatintel.misp.context.attribute.comment": "filename contect for test event 3", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3633", + "threatintel.misp.context.attribute.id": "266263", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1621589229", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "filename", + "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "threatintel.misp.context.attribute.value": "thetestfile.txt", + 
"threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3633", + "threatintel.misp.info": "Test event 3 objects and attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 15439, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3633", + "threatintel.misp.attribute.id": "266265", + "threatintel.misp.attribute.object_id": "18207", + "threatintel.misp.attribute.object_relation": "sha256", + 
"threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621589548", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "sha256", + "threatintel.misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", + "threatintel.misp.attribute_count": "6", + "threatintel.misp.context.attribute.category": "Payload delivery", + "threatintel.misp.context.attribute.comment": "filename contect for test event 3", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3633", + "threatintel.misp.context.attribute.id": "266263", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1621589229", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "filename", + "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "threatintel.misp.context.attribute.value": "thetestfile.txt", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3633", + "threatintel.misp.info": "Test event 3 objects and attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + 
"threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 17926, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.name": "filenameofobject.txt", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3633", + "threatintel.misp.attribute.id": "266266", + "threatintel.misp.attribute.object_id": "18207", + "threatintel.misp.attribute.object_relation": "filename", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621589548", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "filename", + "threatintel.misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2", + "threatintel.misp.attribute_count": "6", + "threatintel.misp.context.attribute.category": "Payload delivery", + "threatintel.misp.context.attribute.comment": "filename contect for test event 3", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3633", + "threatintel.misp.context.attribute.id": "266263", + "threatintel.misp.context.attribute.object_id": "0", + 
"threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1621589229", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "filename", + "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "threatintel.misp.context.attribute.value": "thetestfile.txt", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3633", + "threatintel.misp.info": "Test event 3 objects and attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:09:30.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 20372, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + 
"threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3634", + "threatintel.misp.attribute.id": "266269", + "threatintel.misp.attribute.object_id": "18208", + "threatintel.misp.attribute.object_relation": "text", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621591770", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67", + "threatintel.misp.attribute.value": "Free text in the file object", + "threatintel.misp.attribute_count": "3", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3634", + "threatintel.misp.info": "Test event 4 with object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:09:30.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 21959, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + 
"threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3634", + "threatintel.misp.attribute.id": "266270", + "threatintel.misp.attribute.object_id": "18208", + "threatintel.misp.attribute.object_relation": "sha256", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621591770", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "sha256", + "threatintel.misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25", + "threatintel.misp.attribute_count": "3", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3634", + "threatintel.misp.info": "Test event 4 with object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:09:30.000Z", + 
"event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 23597, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.name": "filenameinmispobject.txt", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3634", + "threatintel.misp.attribute.id": "266271", + "threatintel.misp.attribute.object_id": "18208", + "threatintel.misp.attribute.object_relation": "filename", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621591770", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "filename", + "threatintel.misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140", + "threatintel.misp.attribute_count": "3", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3634", + "threatintel.misp.info": "Test event 4 with object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + 
"threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 25198, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3635", + "threatintel.misp.attribute.id": "266272", + "threatintel.misp.attribute.object_id": "18209", + "threatintel.misp.attribute.object_relation": "text", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621592379", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8", + "threatintel.misp.attribute.value": "Object 5 free text attribute in object", + "threatintel.misp.attribute_count": "5", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3635", + "threatintel.misp.info": "Test event 5 with an object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + 
"threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 26791, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3635", + "threatintel.misp.attribute.id": "266275", + "threatintel.misp.attribute.object_id": "18209", + "threatintel.misp.attribute.object_relation": "entropy", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621592379", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "float", + "threatintel.misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252", + "threatintel.misp.attribute.value": "0.53535445", + "threatintel.misp.attribute_count": "5", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + 
"threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3635", + "threatintel.misp.info": "Test event 5 with an object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 28360, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3635", + "threatintel.misp.attribute.id": "266276", + "threatintel.misp.attribute.object_id": "18209", + "threatintel.misp.attribute.object_relation": "size-in-bytes", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621592379", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "size-in-bytes", + "threatintel.misp.attribute.uuid": 
"e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7", + "threatintel.misp.attribute.value": "55555", + "threatintel.misp.attribute_count": "5", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3635", + "threatintel.misp.info": "Test event 5 with an object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 29938, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3635", + 
"threatintel.misp.attribute.id": "266273", + "threatintel.misp.attribute.object_id": "18209", + "threatintel.misp.attribute.object_relation": "sha256", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621592379", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "sha256", + "threatintel.misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693", + "threatintel.misp.attribute_count": "5", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3635", + "threatintel.misp.info": "Test event 5 with an object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 31572, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.name": "object5.txt", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload 
delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3635", + "threatintel.misp.attribute.id": "266274", + "threatintel.misp.attribute.object_id": "18209", + "threatintel.misp.attribute.object_relation": "filename", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1621592379", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "filename", + "threatintel.misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f", + "threatintel.misp.attribute_count": "5", + "threatintel.misp.date": "2021-05-21", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "1", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3635", + "threatintel.misp.info": "Test event 5 with an object", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 33156, + "service.type": "threatintel", + "tags": [ + 
"forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266278", + "threatintel.misp.attribute.object_id": "18210", + "threatintel.misp.attribute.object_relation": "text", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200348", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987", + "threatintel.misp.attribute.value": "Excutable create bad pipe", + "threatintel.misp.attribute_count": "9", + "threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", 
+ "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 35151, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266281", + "threatintel.misp.attribute.object_id": "18211", + "threatintel.misp.attribute.object_relation": "size-in-bytes", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200780", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "size-in-bytes", + 
"threatintel.misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", + "threatintel.misp.attribute.value": "3892", + "threatintel.misp.attribute_count": "9", + "threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": 
"2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 37149, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266283", + "threatintel.misp.attribute.object_id": "18211", + "threatintel.misp.attribute.object_relation": "name", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200780", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", + "threatintel.misp.attribute.value": ".data", + "threatintel.misp.attribute_count": "9", + "threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": 
"windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 39130, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266284", + 
"threatintel.misp.attribute.object_id": "18211", + "threatintel.misp.attribute.object_relation": "text", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200780", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", + "threatintel.misp.attribute.value": "Extracted zip archive data", + "threatintel.misp.attribute_count": "9", + "threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + 
"threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 41132, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Other", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266285", + "threatintel.misp.attribute.object_id": "18211", + "threatintel.misp.attribute.object_relation": "entropy", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200780", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "float", + "threatintel.misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", + "threatintel.misp.attribute.value": "7.93280431051", + "threatintel.misp.attribute_count": "9", + "threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": 
"3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 43125, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + 
"threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266279", + "threatintel.misp.attribute.object_id": "18210", + "threatintel.misp.attribute.object_relation": "md5", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200348", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "md5", + "threatintel.misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290", + "threatintel.misp.attribute_count": "9", + "threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": 
false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 45136, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266282", + "threatintel.misp.attribute.object_id": "18211", + "threatintel.misp.attribute.object_relation": "md5", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200780", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "md5", + "threatintel.misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d", + "threatintel.misp.attribute_count": "9", + 
"threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + 
"event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 47153, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-misp" + ], + "threatintel.indicator.file.name": "badmojopipe.exe", + "threatintel.indicator.provider": "misp", + "threatintel.indicator.scanner_stats": 0, + "threatintel.indicator.type": "file", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": true, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "3636", + "threatintel.misp.attribute.id": "266280", + "threatintel.misp.attribute.object_id": "18210", + "threatintel.misp.attribute.object_relation": "filename", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1622200348", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "filename", + "threatintel.misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3", + "threatintel.misp.attribute_count": "9", + "threatintel.misp.context.attribute.category": "Artifacts dropped", + "threatintel.misp.context.attribute.comment": "", + "threatintel.misp.context.attribute.deleted": false, + "threatintel.misp.context.attribute.disable_correlation": false, + "threatintel.misp.context.attribute.distribution": "5", + "threatintel.misp.context.attribute.event_id": "3636", + "threatintel.misp.context.attribute.id": "266277", + "threatintel.misp.context.attribute.object_id": "0", + "threatintel.misp.context.attribute.sharing_group_id": "0", + "threatintel.misp.context.attribute.timestamp": "1622200249", + "threatintel.misp.context.attribute.to_ids": false, + "threatintel.misp.context.attribute.type": "windows-service-name", + "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + 
"threatintel.misp.context.attribute.value": "badmojopipe", + "threatintel.misp.date": "2021-05-28", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "0", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "3636", + "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "1", + "threatintel.misp.orgc.local": true, + "threatintel.misp.orgc.name": "ORGNAME", + "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "threatintel.misp.orgc_id": "1", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "0", + "threatintel.misp.published": false, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "user.email": "admin@admin.test", + "user.roles": [ + "reporting_user" + ] + } +] \ No newline at end of file