x-pack/filebeat/module/threatintel/misp: fix final test case line end…

…ing (#27881)
elastic · Sep 21, 2021 · 3587194 · 3587194
1 parent 12c386c
commit 3587194
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log
@@ -12,4 +12,4 @@
 {"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17322","type":"filename|sha1","category":"Artifacts dropped","to_ids":false,"uuid":"5a539ce1-e6a0-426a-942c-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"JavaScript backdoor","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}}
 {"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12268","type":"email-src","category":"Payload delivery","to_ids":true,"uuid":"56ccdcb6-4d6c-4e48-b955-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266422","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"[email protected]","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}}
 {"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12298","type":"regkey","category":"Artifacts dropped","to_ids":true,"uuid":"56ccdcd6-f4b8-4383-9624-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266454","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"HKLM\\SOFTWARE\\Microsoft\\Active","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}}
-{"Event":{"id":"10","orgc_id":"4","org_id":"1","date":"2020-12-09","threat_level_id":"3","info":"Recent Qakbot (Qbot) activity","published":true,"uuid":"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16","attribute_count":"15","analysis":"2","timestamp":"1607868196","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637888","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"10686","type":"ip-dst|port","category":"Network activity","to_ids":true,"uuid":"5fd0c620-a844-4ace-9710-a37bc0a8ab16","event_id":"10","distribution":"5","timestamp":"1607517728","comment":"On port 2222","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"62.38.114.12|2222","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"6","name":"misp-galaxy:banker=\"Qakbot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0}]}}
+{"Event":{"id":"10","orgc_id":"4","org_id":"1","date":"2020-12-09","threat_level_id":"3","info":"Recent Qakbot (Qbot) activity","published":true,"uuid":"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16","attribute_count":"15","analysis":"2","timestamp":"1607868196","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637888","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"10686","type":"ip-dst|port","category":"Network activity","to_ids":true,"uuid":"5fd0c620-a844-4ace-9710-a37bc0a8ab16","event_id":"10","distribution":"5","timestamp":"1607517728","comment":"On port 2222","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"62.38.114.12|2222","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"6","name":"misp-galaxy:banker=\"Qakbot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0}]}}
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
@@ -785,5 +785,61 @@
         "threatintel.misp.sharing_group_id": "0",
         "threatintel.misp.threat_level_id": 3,
         "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a"
+    },
+    {
+        "@timestamp": "2020-12-13T14:03:16.000Z",
+        "event.category": "threat",
+        "event.dataset": "threatintel.misp",
+        "event.kind": "enrichment",
+        "event.module": "threatintel",
+        "event.type": "indicator",
+        "fileset.name": "misp",
+        "input.type": "log",
+        "log.offset": 38330,
+        "service.type": "threatintel",
+        "tags": [
+            "misp-galaxy:banker=Qakbot",
+            "tlp:white"
+        ],
+        "threatintel.indicator.ip": "62.38.114.12",
+        "threatintel.indicator.marking.tlp": [
+            "white"
+        ],
+        "threatintel.indicator.port": "2222",
+        "threatintel.indicator.provider": "misp",
+        "threatintel.indicator.scanner_stats": 2,
+        "threatintel.indicator.type": "ipv4-addr",
+        "threatintel.misp.attribute.category": "Network activity",
+        "threatintel.misp.attribute.comment": "On port 2222",
+        "threatintel.misp.attribute.deleted": false,
+        "threatintel.misp.attribute.disable_correlation": false,
+        "threatintel.misp.attribute.distribution": "5",
+        "threatintel.misp.attribute.event_id": "10",
+        "threatintel.misp.attribute.id": "10686",
+        "threatintel.misp.attribute.object_id": "0",
+        "threatintel.misp.attribute.sharing_group_id": "0",
+        "threatintel.misp.attribute.timestamp": "1607517728",
+        "threatintel.misp.attribute.to_ids": true,
+        "threatintel.misp.attribute.type": "ip-dst|port",
+        "threatintel.misp.attribute_count": "15",
+        "threatintel.misp.date": "2020-12-09",
+        "threatintel.misp.disable_correlation": false,
+        "threatintel.misp.distribution": "3",
+        "threatintel.misp.extends_uuid": "",
+        "threatintel.misp.id": "10",
+        "threatintel.misp.info": "Recent Qakbot (Qbot) activity",
+        "threatintel.misp.locked": false,
+        "threatintel.misp.org_id": "1",
+        "threatintel.misp.orgc.id": "4",
+        "threatintel.misp.orgc.local": false,
+        "threatintel.misp.orgc.name": "CUDESO",
+        "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
+        "threatintel.misp.orgc_id": "4",
+        "threatintel.misp.proposal_email_lock": false,
+        "threatintel.misp.publish_timestamp": "1610637888",
+        "threatintel.misp.published": true,
+        "threatintel.misp.sharing_group_id": "0",
+        "threatintel.misp.threat_level_id": 3,
+        "threatintel.misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16"
     }
 ]