diff --git a/x-pack/filebeat/module/threatintel/anomali/config/config.yml b/x-pack/filebeat/module/threatintel/anomali/config/config.yml
index f266fe17ff9..19e58b4bc12 100644
--- a/x-pack/filebeat/module/threatintel/anomali/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/config/config.yml
@@ -4,9 +4,12 @@ type: httpjson
 config_version: "2"
 interval: {{ .interval }}
+{{ if .username }}
 auth.basic.user: {{ .username }}
+{{ end }}
+{{ if .password }}
 auth.basic.password: {{ .password }}
-
+{{ end }}
 request.method: GET
 {{ if .ssl }}
- request.ssl: {{ .ssl | tojson }}
@@ -32,7 +35,7 @@ request.transforms:
 default: '[[ formatDate (now (parseDuration "-{{ .first_interval }}")) "2006-01-02T15:04:05.999Z" ]]'
 response.split:
- target: body.results
+ target: body.objects
 cursor:
 timestamp:
diff --git a/x-pack/filebeat/module/threatintel/anomali/manifest.yml b/x-pack/filebeat/module/threatintel/anomali/manifest.yml
index 83836cfdd19..b7b87d8fe66 100644
--- a/x-pack/filebeat/module/threatintel/anomali/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/manifest.yml
@@ -5,6 +5,8 @@ var:
 default: httpjson
 - name: interval
 default: 60m
+ - name: first_interval
+ default: 24h
 - name: ssl
 - name: types
 default: indicators
@@ -13,7 +15,7 @@ var:
 - name: url
 default: "https://otx.alienvault.com/api/v1/indicators/export"
 - name: tags
- default: [threatintel-otx, forwarded]
+ default: [threatintel-anomali, forwarded]
 ingest_pipeline:
 - ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
index b6d6f76e1ee..69205da6d59 100644
--- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
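Review bot: The credentials on the `auth.basic.user` / `auth.basic.password` lines of the first config.yml hunk are still rendered as unquoted YAML scalars, so a password that starts with a YAML indicator (`*`, `&`, `[`, `{`), contains ` #` or `: `, or merely looks like a number (`0123`, `1e5`) is truncated, retyped or rejected before the httpjson input ever sees it, and the symptom is an opaque auth failure at runtime rather than a config-load error. This same file already serialises `.ssl` with `tojson`, so `auth.basic.password: {{ .password | tojson }}` (and the same for `.username`) pins both as strings at no cost. Guarding the two keys with independent `{{ if }}` blocks also lets a username without a password, or vice versa, render half a basic-auth config; unless the input is known to reject that, `{{ if and .username .password }}` around both keys states the intent. The `{{ if .ssl }}` block that closes this hunk continues outside it and its tail looks truncated here.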
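Review bot: The `url` variable shown in the second manifest.yml hunk still defaults to `https://otx.alienvault.com/api/v1/indicators/export`, an OTX endpoint, so a deployment that enables the anomali module with `username`/`password` but does not override `url` sends its Anomali basic-auth credentials to a third-party host; the tag rename in this hunk fixes the copy-paste in one place but leaves this one. The response split in config.yml was just switched from `body.results` to `body.objects` in this same change, which presumably means the OTX response shape is no longer what the module parses either, so the default is wrong as well as unsafe. I would leave `- name: url` without a default so the module fails fast until a collection URL is configured (or default it to the Anomali endpoint the bundled test fixture was captured from, if that is known), and say so in the module docs.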
@@ -10,7 +10,7 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -45,7 +45,7 @@ "log.offset": 609, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", @@ -80,7 +80,7 @@ "log.offset": 1255, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -114,7 +114,7 @@ "log.offset": 1867, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", @@ -148,7 +148,7 @@ "log.offset": 2441, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", @@ -183,7 +183,7 @@ "log.offset": 3015, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -218,7 +218,7 @@ "log.offset": 3598, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", 
@@ -249,7 +249,7 @@ "log.offset": 4149, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", @@ -284,7 +284,7 @@ "log.offset": 4747, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -319,7 +319,7 @@ "log.offset": 5356, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -353,7 +353,7 @@ "log.offset": 5971, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", @@ -384,7 +384,7 @@ "log.offset": 6501, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", @@ -419,7 +419,7 @@ "log.offset": 7147, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", @@ -453,7 +453,7 @@ "log.offset": 7711, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", 
@@ -484,7 +484,7 @@ "log.offset": 8259, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", @@ -515,7 +515,7 @@ "log.offset": 8812, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -549,7 +549,7 @@ "log.offset": 9427, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime", @@ -584,7 +584,7 @@ "log.offset": 9997, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -619,7 +619,7 @@ "log.offset": 10580, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -654,7 +654,7 @@ "log.offset": 11189, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime", @@ -689,7 +689,7 @@ "log.offset": 11769, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", 
@@ -724,7 +724,7 @@ "log.offset": 12378, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime", @@ -759,7 +759,7 @@ "log.offset": 12985, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", @@ -794,7 +794,7 @@ "log.offset": 13633, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime", @@ -829,7 +829,7 @@ "log.offset": 14255, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -864,7 +864,7 @@ "log.offset": 14830, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime", @@ -895,7 +895,7 @@ "log.offset": 15387, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -929,7 +929,7 @@ "log.offset": 15942, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime", 
@@ -964,7 +964,7 @@ "log.offset": 16606, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", @@ -999,7 +999,7 @@ "log.offset": 17261, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -1034,7 +1034,7 @@ "log.offset": 17841, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", @@ -1065,7 +1065,7 @@ "log.offset": 18385, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime", @@ -1100,7 +1100,7 @@ "log.offset": 18973, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime", @@ -1131,7 +1131,7 @@ "log.offset": 19501, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -1166,7 +1166,7 @@ "log.offset": 20107, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", 
@@ -1200,7 +1200,7 @@ "log.offset": 20722, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", @@ -1235,7 +1235,7 @@ "log.offset": 21304, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime", @@ -1270,7 +1270,7 @@ "log.offset": 21882, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", @@ -1305,7 +1305,7 @@ "log.offset": 22491, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", @@ -1339,7 +1339,7 @@ "log.offset": 23094, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -1373,7 +1373,7 @@ "log.offset": 23709, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -1408,7 +1408,7 @@ "log.offset": 24318, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", 
@@ -1439,7 +1439,7 @@ "log.offset": 24871, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", @@ -1474,7 +1474,7 @@ "log.offset": 25529, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", @@ -1509,7 +1509,7 @@ "log.offset": 26146, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", @@ -1544,7 +1544,7 @@ "log.offset": 26788, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -1578,7 +1578,7 @@ "log.offset": 27403, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", @@ -1613,7 +1613,7 @@ "log.offset": 28008, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", 
@@ -1648,7 +1648,7 @@ "log.offset": 28643, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -1683,7 +1683,7 @@ "log.offset": 29278, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", @@ -1718,7 +1718,7 @@ "log.offset": 29854, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", @@ -1749,7 +1749,7 @@ "log.offset": 30419, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", @@ -1783,7 +1783,7 @@ "log.offset": 31024, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", @@ -1818,7 +1818,7 @@ "log.offset": 31656, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", @@ -1853,7 +1853,7 @@ "log.offset": 32244, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", 
@@ -1888,7 +1888,7 @@ "log.offset": 32820, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", @@ -1922,7 +1922,7 @@ "log.offset": 33391, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", @@ -1957,7 +1957,7 @@ "log.offset": 34081, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", @@ -1992,7 +1992,7 @@ "log.offset": 34720, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", @@ -2027,7 +2027,7 @@ "log.offset": 35346, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", @@ -2062,7 +2062,7 @@ "log.offset": 36034, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", @@ -2096,7 +2096,7 @@ "log.offset": 36604, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", 
@@ -2130,7 +2130,7 @@ "log.offset": 37152, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -2164,7 +2164,7 @@ "log.offset": 37767, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", @@ -2198,7 +2198,7 @@ "log.offset": 38372, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", @@ -2229,7 +2229,7 @@ "log.offset": 38925, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", @@ -2264,7 +2264,7 @@ "log.offset": 39521, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", @@ -2295,7 +2295,7 @@ "log.offset": 40072, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", @@ -2329,7 +2329,7 @@ "log.offset": 40677, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", 
@@ -2364,7 +2364,7 @@ "log.offset": 41300, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", @@ -2398,7 +2398,7 @@ "log.offset": 41865, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", @@ -2432,7 +2432,7 @@ "log.offset": 42434, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", @@ -2463,7 +2463,7 @@ "log.offset": 42960, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", @@ -2494,7 +2494,7 @@ "log.offset": 43521, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", @@ -2529,7 +2529,7 @@ "log.offset": 44126, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime", @@ -2563,7 +2563,7 @@ "log.offset": 44700, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", 
@@ -2598,7 +2598,7 @@ "log.offset": 45330, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime", @@ -2632,7 +2632,7 @@ "log.offset": 45890, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", @@ -2667,7 +2667,7 @@ "log.offset": 46491, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", @@ -2701,7 +2701,7 @@ "log.offset": 47096, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", @@ -2735,7 +2735,7 @@ "log.offset": 47701, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", @@ -2766,7 +2766,7 @@ "log.offset": 48229, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", @@ -2800,7 +2800,7 @@ "log.offset": 48824, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", 
@@ -2834,7 +2834,7 @@ "log.offset": 49397, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", @@ -2869,7 +2869,7 @@ "log.offset": 50023, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -2903,7 +2903,7 @@ "log.offset": 50638, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", @@ -2938,7 +2938,7 @@ "log.offset": 51243, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", @@ -2972,7 +2972,7 @@ "log.offset": 51858, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", @@ -3007,7 +3007,7 @@ "log.offset": 52460, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime", @@ -3041,7 +3041,7 @@ "log.offset": 53022, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", 
@@ -3076,7 +3076,7 @@ "log.offset": 53740, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", @@ -3110,7 +3110,7 @@ "log.offset": 54330, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime", @@ -3145,7 +3145,7 @@ "log.offset": 54924, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", @@ -3180,7 +3180,7 @@ "log.offset": 55526, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", @@ -3214,7 +3214,7 @@ "log.offset": 56123, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", @@ -3249,7 +3249,7 @@ "log.offset": 56745, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", @@ -3284,7 +3284,7 @@ "log.offset": 57364, "service.type": "threatintel", "tags": [ - "threatintel-otx", + "threatintel-anomali", "forwarded" ], "threatintel.anomali.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", 
@@ -3319,7 +3319,7 @@
 "log.offset": 57988,
 "service.type": "threatintel",
 "tags": [
- "threatintel-otx",
+ "threatintel-anomali",
 "forwarded"
 ],
 "threatintel.anomali.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime",
@@ -3354,7 +3354,7 @@
 "log.offset": 58627,
 "service.type": "threatintel",
 "tags": [
- "threatintel-otx",
+ "threatintel-anomali",
 "forwarded"
 ],
 "threatintel.anomali.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
@@ -3385,7 +3385,7 @@
 "log.offset": 59173,
 "service.type": "threatintel",
 "tags": [
- "threatintel-otx",
+ "threatintel-anomali",
 "forwarded"
 ],
 "threatintel.anomali.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml
index 50f41e23b00..c0700f6b425 100644
--- a/x-pack/filebeat/module/threatintel/misp/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml
@@ -17,9 +17,11 @@ request.body:
 {{ range $key, $value := .filters}}{{$key}}: {{$value | tojson}}{{end}}
 {{end}}
 request.transforms:
+{{ if .api_token }}
 - set:
 target: header.Authorization
 value: {{ .api_token }}
+{{end}}
 - set:
 target: body.timestamp
 value: '[[.cursor.timestamp]]'
diff --git a/x-pack/filebeat/module/threatintel/otx/config/config.yml b/x-pack/filebeat/module/threatintel/otx/config/config.yml
index 7cb4b936867..42af0a0c8e1 100644
--- a/x-pack/filebeat/module/threatintel/otx/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/otx/config/config.yml
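Review bot: In the misp config.yml hunk, `value: {{ .api_token }}` for the `header.Authorization` transform renders the key as an unquoted scalar, so a token that begins with a YAML indicator or contains ` #` or `: ` is silently truncated or fails to parse, and an all-digit token would be retyped as an integer. The `filters` line two lines above already uses `{{$value | tojson}}`, so `value: {{ .api_token | tojson }}` is both consistent with the file and robust. The new `{{ if .api_token }}` guard also means an unset token sends the search request with no Authorization header at all rather than failing at config load; if that is only meant for local testing, a comment such as `# api_token is optional here; without it the request is sent unauthenticated` above the guard would keep the next maintainer from treating it as a supported mode. As a point of style, this hunk writes `{{end}}` while the anomali and otx templates in the same change write `{{ end }}`.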
@@ -13,12 +13,16 @@ request.transforms:
 - set:
 target: header.Content-Type
 value: application/json
+{{ if .api_token }}
 - set:
 target: header.X-OTX-API-KEY
 value: {{ .api_token }}
+{{ end }}
+{{ if .types }}
 - set:
 target: url.params.types
 value: {{ .types }}
+{{ end }}
 - set:
 target: url.params.modified_since
 value: '[[.cursor.timestamp]]'
diff --git a/x-pack/filebeat/module/threatintel/otx/manifest.yml b/x-pack/filebeat/module/threatintel/otx/manifest.yml
index 4c349d40fa0..5bc84d42da3 100644
--- a/x-pack/filebeat/module/threatintel/otx/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/otx/manifest.yml
@@ -5,6 +5,8 @@ var:
 default: httpjson
 - name: interval
 default: 60m
+ - name: first_interval
+ default: 24h
 - name: api_token
 - name: ssl
 - name: types
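Review bot: In the otx config.yml hunk, `value: {{ .api_token }}` for the `X-OTX-API-KEY` header and `value: {{ .types }}` for `url.params.types` are both injected as unquoted scalars, so a key containing YAML-significant characters or consisting only of digits is mis-parsed, and a `types` value written as a YAML list renders as a flow sequence rather than the single string the URL parameter presumably expects. `value: {{ .api_token | tojson }}` pins the token as a string and matches how `.ssl` and the misp `filters` are serialised elsewhere in this change; for `types`, documenting the expected comma-separated string form on the manifest variable would avoid the list case. The new `{{ if .api_token }}` guard additionally means an empty token sends the request without the key instead of failing at config load; if that is intentional only for tests, a one-line comment above the guard saying so would help, since the request.transforms list continues outside this hunk.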