From 78d34d7f7a197cbbe5caa61913694ea1ce36a055 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 20 Oct 2021 12:02:15 +0200 Subject: [PATCH] Add proxy_url support to threatintel module's malwarebazaar fileset (#28533) Adds proxy_url config option to malwarebazaar Documents all proxy_url options for threat_intel --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/modules/threatintel.asciidoc | 24 +++++++++++++++++++ .../module/threatintel/_meta/docs.asciidoc | 24 +++++++++++++++++++ .../malwarebazaar/config/config.yml | 3 +++ .../threatintel/malwarebazaar/manifest.yml | 1 + 5 files changed, 53 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index de7e8608e7e..d7816000cd6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -777,6 +777,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro - Azure signinlogs - Add support for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs. {issue}23653[23653] - Add `base64Decode` and `base64DecodeNoPad` functions to `httpsjon` templates. {pull}28385[28385] - Add latency config option for aws-cloudwatch input. {pull}28509[28509] +- Added proxy support to threatintel/malwarebazaar. {pull}28533[28533] *Heartbeat* diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc index 411486ac6b8..a05384ff446 100644 --- a/filebeat/docs/modules/threatintel.asciidoc +++ b/filebeat/docs/modules/threatintel.asciidoc @@ -64,6 +64,10 @@ The URL of the API endpoint to connect with. How often the API is polled for updated information. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Abuse.ch URL Threat Intel is mapped to the following ECS fields. [options="header"] @@ -104,6 +108,10 @@ The URL of the API endpoint to connect with. How often the API is polled for updated information. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Abuse.ch Malware Threat Intel is mapped to the following ECS fields. [options="header"] @@ -144,6 +152,10 @@ The URL of the API endpoint to connect with. How often the API is polled for updated information. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Malware Bazaar Threat Intel is mapped to the following ECS fields. [options="header"] @@ -234,6 +246,10 @@ from the last response as the filter when retrieving new events. List of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + MISP Threat Intel is mapped to the following ECS fields. [options="header"] @@ -310,6 +326,10 @@ possible types to filter on can be found in the https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[AlientVault OTX documentation]. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + OTX Threat Intel is mapped to the following ECS fields. @@ -391,6 +411,10 @@ possible types to filter on can be found on the https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix 2.1 Object types] page. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Anomali Threat Intel is mapped to the following ECS fields. [options="header"] diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc index 23664bfcd64..a7acdb5f4bd 100644 --- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -59,6 +59,10 @@ The URL of the API endpoint to connect with. How often the API is polled for updated information. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Abuse.ch URL Threat Intel is mapped to the following ECS fields. [options="header"] @@ -99,6 +103,10 @@ The URL of the API endpoint to connect with. How often the API is polled for updated information. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Abuse.ch Malware Threat Intel is mapped to the following ECS fields. [options="header"] @@ -139,6 +147,10 @@ The URL of the API endpoint to connect with. How often the API is polled for updated information. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Malware Bazaar Threat Intel is mapped to the following ECS fields. [options="header"] @@ -229,6 +241,10 @@ from the last response as the filter when retrieving new events. List of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + MISP Threat Intel is mapped to the following ECS fields. [options="header"] @@ -305,6 +321,10 @@ possible types to filter on can be found in the https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[AlientVault OTX documentation]. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + OTX Threat Intel is mapped to the following ECS fields. @@ -386,6 +406,10 @@ possible types to filter on can be found on the https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix 2.1 Object types] page. +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + Anomali Threat Intel is mapped to the following ECS fields. [options="header"] diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml index af6d77335d2..a8cbef0b52b 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml @@ -8,6 +8,9 @@ request.method: POST request.ssl: {{ .ssl | tojson }} {{ end }} +{{ if .proxy_url }} +request.proxy_url: {{ .proxy_url }} +{{ end }} request.url: {{ .url }} #request.encode_as: application/x-www-form-encoded diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml index ca7a93e6a4e..e9294ca9e2e 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml @@ -10,6 +10,7 @@ var: - name: ssl - name: tags default: [threatintel-malwarebazaar, forwarded] + - name: proxy_url ingest_pipeline: - ingest/pipeline.yml