From 46e96cdfc54ea9aebad569bd5a3b3f63e707a0b1 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 20 Oct 2021 12:02:15 +0200
Subject: [PATCH] Add proxy_url support to threatintel module's malwarebazaar fileset (#28533)
Adds proxy_url config option to malwarebazaar
Documents all proxy_url options for threat_intel
(cherry picked from commit 15abbe6ea8cae4208626cca385b9cf601d13de5d)
---
 CHANGELOG.next.asciidoc | 1 +
 filebeat/docs/modules/threatintel.asciidoc | 24 +++++++++++++++++++
 .../module/threatintel/_meta/docs.asciidoc | 24 +++++++++++++++++++
 .../malwarebazaar/config/config.yml | 3 +++
 .../threatintel/malwarebazaar/manifest.yml | 1 +
 5 files changed, 53 insertions(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index adffe6266d5..a6a4a72b8b7 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -451,6 +451,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Azure signinlogs - Add support for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs. {issue}23653[23653]
 - Add `base64Decode` and `base64DecodeNoPad` functions to `httpsjon` templates. {pull}28385[28385]
 - Add latency config option for aws-cloudwatch input. {pull}28509[28509]
+- Added proxy support to threatintel/malwarebazaar. {pull}28533[28533]
 *Heartbeat*
diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
index 939aae96919..99e1769cbcc 100644
--- a/filebeat/docs/modules/threatintel.asciidoc
+++ b/filebeat/docs/modules/threatintel.asciidoc
@@ -64,6 +64,10 @@ The URL of the API endpoint to connect with.
 How often the API is polled for updated information.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -104,6 +108,10 @@ The URL of the API endpoint to connect with.
 How often the API is polled for updated information.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Abuse.ch Malware Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -144,6 +152,10 @@ The URL of the API endpoint to connect with.
 How often the API is polled for updated information.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Malware Bazaar Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -234,6 +246,10 @@ from the last response as the filter when retrieving new events.
 List of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 MISP Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -310,6 +326,10 @@ possible types to filter on can be found in the
 https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[AlientVault OTX documentation].
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 OTX Threat Intel is mapped to the following ECS fields.
@@ -391,6 +411,10 @@ possible types to filter on can be found on the
 https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix 2.1 Object types] page.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Anomali Threat Intel is mapped to the following ECS fields.
 [options="header"]
diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
index 4cfcb7a5a4b..ac9c0cc81ed 100644
--- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -59,6 +59,10 @@ The URL of the API endpoint to connect with.
 How often the API is polled for updated information.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -99,6 +103,10 @@ The URL of the API endpoint to connect with.
 How often the API is polled for updated information.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Abuse.ch Malware Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -139,6 +147,10 @@ The URL of the API endpoint to connect with.
 How often the API is polled for updated information.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Malware Bazaar Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -229,6 +241,10 @@ from the last response as the filter when retrieving new events.
 List of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 MISP Threat Intel is mapped to the following ECS fields.
 [options="header"]
@@ -305,6 +321,10 @@ possible types to filter on can be found in the
 https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[AlientVault OTX documentation].
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 OTX Threat Intel is mapped to the following ECS fields.
@@ -386,6 +406,10 @@ possible types to filter on can be found on the
 https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix 2.1 Object types] page.
+*`var.proxy_url`*::
+
+Optional URL to use as HTTP proxy.
+
 Anomali Threat Intel is mapped to the following ECS fields.
 [options="header"]
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
index 8426de172c5..1a4b64ce6a3 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
@@ -9,6 +9,9 @@ request.method: POST
 request.ssl: {{ .ssl | tojson }}
 {{ end }}
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
 request.url: {{ .url }}
 #request.encode_as: application/x-www-form-encoded
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
index ca7a93e6a4e..e9294ca9e2e 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
@@ -10,6 +10,7 @@ var:
 - name: ssl
 - name: tags
 default: [threatintel-malwarebazaar, forwarded]
+ - name: proxy_url
 ingest_pipeline:
 - ingest/pipeline.yml
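Review bot: `request.proxy_url: {{ .proxy_url }}` in the config.yml hunk renders the operator-supplied value as a bare YAML scalar, unlike the neighbouring `request.ssl: {{ .ssl | tojson }}`, so a proxy URL containing a `: ` or ` #` sequence (plausible when credentials are embedded in the userinfo part) could be rejected by the YAML parser or silently truncated at the comment marker instead of reaching the input intact. Quoting it the same way as the ssl block, `request.proxy_url: {{ .proxy_url | tojson }}`, keeps the rendered configuration parseable for any string the manifest var accepts. Note also that whatever is set in `var.proxy_url`, credentials included, is copied verbatim into the generated input configuration by this template; the `var.proxy_url` entries added to the two asciidoc files in the same commit only say "Optional URL to use as HTTP proxy.", and a sentence stating that the value is written to the rendered configuration as-is would let operators decide where such a URL may safely live. The manifest hunk declares `proxy_url` without a default, which is consistent with the `{{ if .proxy_url }}` guard.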