diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index dc2041a7ad91..61d5adaaf7da 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -595,6 +595,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for `copytruncate` method when rotating input logs with an external tool in `filestream` input. {pull}23457[23457] - Add `uri_parts` and `user_agent` ingest processors to `aws.elb` module. {issue}26435[26435] {pull}26441[26441] +- Added dataset `recordedfuture` to the `threatintel` module to ingest indicators from Recorded Future Connect API {pull}26481[26481] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 159a956a0143..0b78f915eae9 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -145918,6 +145918,17 @@ example: Montreal -- +*`threatintel.indicator.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + *`threatintel.indicator.geo.country_iso_code`*:: + -- 
@@ -147353,6 +147364,166 @@ type: keyword -- +[float] +=== recordedfuture + +Fields for Recorded Future Threat Intel + + + +[float] +=== entity + +Entity that represents a threat. + + + +*`threatintel.recordedfuture.entity.id`*:: ++ +-- +Entity ID. + + +type: keyword + +example: ip:192.0.2.13 + +-- + +*`threatintel.recordedfuture.entity.name`*:: ++ +-- +Entity name. Value for the entity. + + +type: keyword + +example: 192.0.2.13 + +-- + +*`threatintel.recordedfuture.entity.type`*:: ++ +-- +Entity type. + + +type: keyword + +example: IpAddress + +-- + +*`threatintel.recordedfuture.intelCard`*:: ++ +-- +Link to the Recorded Future Intelligence Card for to this indicator. + + +type: keyword + +-- + +*`threatintel.recordedfuture.ip_range`*:: ++ +-- +Range of IPs for this indicator. + + +type: ip_range + +example: 192.0.2.0/16 + +-- + +[float] +=== risk + +Risk fields. + + + +*`threatintel.recordedfuture.risk.criticality`*:: ++ +-- +Risk criticality (0-4). + + +type: byte + +-- + +*`threatintel.recordedfuture.risk.criticalityLabel`*:: ++ +-- +Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious. + + +type: keyword + +-- + +*`threatintel.recordedfuture.risk.evidenceDetails`*:: ++ +-- +Risk's evidence details. + + +type: flattened + +-- + +*`threatintel.recordedfuture.risk.score`*:: ++ +-- +Risk score (0-99). + + +type: short + +-- + +*`threatintel.recordedfuture.risk.riskString`*:: ++ +-- +Number of Risk Rules observed as a factor of total number of rules. + + +type: keyword + +example: 1/54 + +-- + +*`threatintel.recordedfuture.risk.riskSummary`*:: ++ +-- +Risk summary. + + +type: keyword + +example: 1 of 54 Risk Rules currently observed. + +-- + +*`threatintel.recordedfuture.risk.riskSummary.text`*:: ++ +-- +type: text + +-- + +*`threatintel.recordedfuture.risk.rules`*:: ++ +-- +Number of rules observed. + + +type: long + +-- + [[exported-fields-tomcat]] == Apache Tomcat fields 
diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc index 70e98988bee2..01aa5336e328 100644 --- a/filebeat/docs/modules/threatintel.asciidoc +++ b/filebeat/docs/modules/threatintel.asciidoc @@ -30,6 +30,7 @@ fields. * <>: Supports gathering threat intel attributes from AlientVault OTX. * <>: Supports gathering threat intel attributes from Anomali Limo. * <>: Supports gathering threat intel attributes from Anomali ThreatStream. +* <>: Supports gathering threat intel attributes from Recorded Future. include::../include/gs-link.asciidoc[] @@ -224,7 +225,7 @@ How often the API is polled for updated information. *`var.first_interval`*:: -How far back to search when retrieving events the first time the beat starts up. +How far back to search when retrieving events the first time {beatname_uc} starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. @@ -298,7 +299,7 @@ How often the API is polled for updated information. *`var.first_interval`*:: -How far back to search when retrieving events the first time the beat starts up. +How far back to search when retrieving events the first time the {beatname_uc} starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. @@ -410,7 +411,7 @@ Anomali Threat Intel is mapped to the following ECS fields. To configure the ThreatStream integration you first need to define an output in the Anomali ThreatStream Integrator using the Elastic SDK provided by Anomali. -It will deliver indicators via HTTP or HTTPS to a Filebeat instance running as +It will deliver indicators via HTTP or HTTPS to a {beatname_uc} instance running as a server. Configure an Integrator output with the following settings: 
@@ -420,12 +421,12 @@ Configure an Integrator output with the following settings: Adjust the paths to the python executable and the directory where the Elastic SDK has been unpacked. * Metadata in JSON Format: `{"url": "https://filebeat:8080/", "server_certificate": "/path/to/cert.pem", "secret": "my secret"}`. - - `url`: Use the host and port where Filebeat will be running, and `http` or `https` accordingly. + - `url`: Use the host and port where {beatname_uc} will be running, and `http` or `https` accordingly. - `server_certificate`: If using HTTPS, absolute path to the server certificate. Otherwise don't set this field. - - `secret`: A shared secret string to authenticate messages between the SDK and Filebeat. + - `secret`: A shared secret string to authenticate messages between the SDK and {beatname_uc}. -Then configure the `anomalithreatstream` fileset in Filebeat accordingly: +Then configure the `anomalithreatstream` fileset in {beatname_uc} accordingly: [source,yaml] ---- - module: threatintel @@ -450,11 +451,11 @@ Port number to use for the HTTP server. *`var.secret`*:: -Shared secret between the SDK and Filebeat, used to authenticate messages. +Shared secret between the SDK and {beatname_uc}, used to authenticate messages. *`var.ssl_certificate`*:: -Path to the public SSL certificate for the HTTPS server. If unset, Filebeat +Path to the public SSL certificate for the HTTPS server. If unset, {beatname_uc} will use unsecure HTTP connections. *`var.ssl_key`*:: 
@@ -489,6 +490,94 @@ Anomali ThreatStream fields are mapped to the following ECS fields: [[a]] [small]#[1]: Field is used to derive a value for the ECS field but its original value is kept under `threatintel.anomalithreatstream`.# +[[recordedfuture]] +[float] +==== `recordedfuture` fileset settings + +The `recordedfuture` fileset fetches intelligence from the Recorded Future Connect API. +It supports `domain`, `hash`, `ip` and `url` data types. + +To enable it you need to define the URL to fetch data from. You can construct this URL +using the https://api.recordedfuture.com/index.html[Recorded Future API Explorer.] The URL +must point to the `/search` endpoint and contain a suitable `limit` +(how many records to return from a single request) and `fields` parameters. +The `entity` and `timestamps` fields are required. + +Sample configuration: +[source,yaml] +---- +- module: threatintel + recordedfuture: + enabled: true + var.input: httpjson + var.interval: 5m + var.first_interval: 168h + var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + var.api_token: "" +---- + +To fetch threat intelligence from multiple data types, you must define more than +one instance of the module: +[source,yaml] +---- +- module: threatintel + recordedfuture: + enabled: true + var.input: httpjson + var.interval: 5m + var.first_interval: 168h + var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + var.api_token: "" +- module: threatintel + recordedfuture: + enabled: true + var.input: httpjson + var.interval: 1m + var.first_interval: 168h + var.url: "https://api.recordedfuture.com/v2/hash/search?limit=200&fields=entity,fileHashes,timestamps,risk,intelCard,location&metadata=false" + var.api_token: "" +---- + +*`var.url`*:: + +The URL of the API endpoint to connect with. 
+ +*`var.api_token`*:: + +The API token used to access Recorded Future API. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.first_interval`*:: + +How far back to search when retrieving events the first time {beatname_uc} starts up. +After the first interval has passed the module itself will use the timestamp +from the last response as the filter when retrieving new events. + +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + + +Recorded Future fields are mapped to the following ECS fields: + +[options="header"] +|============================================================= +| Recorded Future fields | ECS Fields +| entity.name | threatintel.indicator.{url,ip,domain,file.hash} +| entity.type | threatintel.indicator.type +| fileHashes | threatintel.indicator.file.hash +| intelCard | event.reference +| location.asn | threatintel.indicator.as.number +| location.location | threatintel.indicator.geo +| location.organization | threatintel.indicator.as.organization.name +| risk.score | event.risk_score +| timestamps.firstSeen | threatintel.indicator.first_seen +| timestamps.lastSeen | threatintel.indicator.last_seen +|============================================================= + :has-dashboards!: [float] diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 1e61240ee6f9..b2e6c03b1c52 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -287,6 +287,7 @@ def clean_keys(obj): "threatintel.anomali", "threatintel.anomalithreatstream", "threatintel.malwarebazaar", + "threatintel.recordedfuture", "snyk.vulnerabilities", "snyk.audit", "awsfargate.log", diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 696e04be941a..a0936b8e6f24 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -2274,6 +2274,38 @@ filebeat.modules: # var.ssl_certificate: path/to/server_ssl_cert.pem # var.ssl_key: path/to/ssl_key.pem + recordedfuture: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The interval to poll the API for updates + var.interval: 5m + + # How far back in time to start fetching intelligence when run for the + # first time. Value must be in hours. Default: 168h (1 week). + var.first_interval: 168h + + # The URL used for Threat Intel API calls. + # Must include the `limit` parameter and at least `entity` and `timestamps` fields. + # See the Connect API Explorer for a list of possible parameters. + # + # For `ip` entities: + var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + + # For `domain` entities: + # var.url: "https://api.recordedfuture.com/v2/domain/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + + # For `hash` entities: + # var.url: "https://api.recordedfuture.com/v2/hash/search?limit=200&fields=entity,fileHashes,timestamps,risk,intelCard,location&metadata=false" + + # For `url` entities: + # var.url: "https://api.recordedfuture.com/v2/url/search?limit=200&fields=entity,timestamps,risk&metadata=false" + + # Set your API Token. + var.api_token: "" + #---------------------------- Apache Tomcat Module ---------------------------- - module: tomcat log: diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml index ce5b52714723..f2cf00bcf0de 100644 --- a/x-pack/filebeat/module/threatintel/_meta/config.yml +++ b/x-pack/filebeat/module/threatintel/_meta/config.yml 
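Review bot: The `var.url` comment above the `ip` example lists the required query parameters but not that the value must already carry a query string; the fileset template in `config/config.yml` appends `&orderby=lastseen&direction=asc` to it verbatim, so a URL without `?…` would produce an invalid request. Suggest extending the comment with `# The fileset appends "&orderby=lastseen&direction=asc", so the URL must already contain a query string.` The same comment block appears in the `x-pack/filebeat/module/threatintel/_meta/config.yml` hunk, which is the source this reference file is generated from, so the wording should be fixed there and regenerated.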
@@ -137,3 +137,35 @@ # # var.ssl_certificate: path/to/server_ssl_cert.pem # var.ssl_key: path/to/ssl_key.pem + + recordedfuture: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The interval to poll the API for updates + var.interval: 5m + + # How far back in time to start fetching intelligence when run for the + # first time. Value must be in hours. Default: 168h (1 week). + var.first_interval: 168h + + # The URL used for Threat Intel API calls. + # Must include the `limit` parameter and at least `entity` and `timestamps` fields. + # See the Connect API Explorer for a list of possible parameters. + # + # For `ip` entities: + var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + + # For `domain` entities: + # var.url: "https://api.recordedfuture.com/v2/domain/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + + # For `hash` entities: + # var.url: "https://api.recordedfuture.com/v2/hash/search?limit=200&fields=entity,fileHashes,timestamps,risk,intelCard,location&metadata=false" + + # For `url` entities: + # var.url: "https://api.recordedfuture.com/v2/url/search?limit=200&fields=entity,timestamps,risk&metadata=false" + + # Set your API Token. + var.api_token: "" diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc index fb52ee05b2dc..4dd92b663e00 100644 --- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -25,6 +25,7 @@ fields. * <>: Supports gathering threat intel attributes from AlientVault OTX. * <>: Supports gathering threat intel attributes from Anomali Limo. * <>: Supports gathering threat intel attributes from Anomali ThreatStream. +* <>: Supports gathering threat intel attributes from Recorded Future. include::../include/gs-link.asciidoc[] 
@@ -219,7 +220,7 @@ How often the API is polled for updated information. *`var.first_interval`*:: -How far back to search when retrieving events the first time the beat starts up. +How far back to search when retrieving events the first time {beatname_uc} starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. @@ -293,7 +294,7 @@ How often the API is polled for updated information. *`var.first_interval`*:: -How far back to search when retrieving events the first time the beat starts up. +How far back to search when retrieving events the first time the {beatname_uc} starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. @@ -405,7 +406,7 @@ Anomali Threat Intel is mapped to the following ECS fields. To configure the ThreatStream integration you first need to define an output in the Anomali ThreatStream Integrator using the Elastic SDK provided by Anomali. -It will deliver indicators via HTTP or HTTPS to a Filebeat instance running as +It will deliver indicators via HTTP or HTTPS to a {beatname_uc} instance running as a server. Configure an Integrator output with the following settings: 
@@ -415,12 +416,12 @@ Configure an Integrator output with the following settings: Adjust the paths to the python executable and the directory where the Elastic SDK has been unpacked. * Metadata in JSON Format: `{"url": "https://filebeat:8080/", "server_certificate": "/path/to/cert.pem", "secret": "my secret"}`. - - `url`: Use the host and port where Filebeat will be running, and `http` or `https` accordingly. + - `url`: Use the host and port where {beatname_uc} will be running, and `http` or `https` accordingly. - `server_certificate`: If using HTTPS, absolute path to the server certificate. Otherwise don't set this field. - - `secret`: A shared secret string to authenticate messages between the SDK and Filebeat. + - `secret`: A shared secret string to authenticate messages between the SDK and {beatname_uc}. -Then configure the `anomalithreatstream` fileset in Filebeat accordingly: +Then configure the `anomalithreatstream` fileset in {beatname_uc} accordingly: [source,yaml] ---- - module: threatintel @@ -445,11 +446,11 @@ Port number to use for the HTTP server. *`var.secret`*:: -Shared secret between the SDK and Filebeat, used to authenticate messages. +Shared secret between the SDK and {beatname_uc}, used to authenticate messages. *`var.ssl_certificate`*:: -Path to the public SSL certificate for the HTTPS server. If unset, Filebeat +Path to the public SSL certificate for the HTTPS server. If unset, {beatname_uc} will use unsecure HTTP connections. *`var.ssl_key`*:: 
@@ -484,6 +485,94 @@ Anomali ThreatStream fields are mapped to the following ECS fields: [[a]] [small]#[1]: Field is used to derive a value for the ECS field but its original value is kept under `threatintel.anomalithreatstream`.# +[[recordedfuture]] +[float] +==== `recordedfuture` fileset settings + +The `recordedfuture` fileset fetches intelligence from the Recorded Future Connect API. +It supports `domain`, `hash`, `ip` and `url` data types. + +To enable it you need to define the URL to fetch data from. You can construct this URL +using the https://api.recordedfuture.com/index.html[Recorded Future API Explorer.] The URL +must point to the `/search` endpoint and contain a suitable `limit` +(how many records to return from a single request) and `fields` parameters. +The `entity` and `timestamps` fields are required. + +Sample configuration: +[source,yaml] +---- +- module: threatintel + recordedfuture: + enabled: true + var.input: httpjson + var.interval: 5m + var.first_interval: 168h + var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + var.api_token: "" +---- + +To fetch threat intelligence from multiple data types, you must define more than +one instance of the module: +[source,yaml] +---- +- module: threatintel + recordedfuture: + enabled: true + var.input: httpjson + var.interval: 5m + var.first_interval: 168h + var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" + var.api_token: "" +- module: threatintel + recordedfuture: + enabled: true + var.input: httpjson + var.interval: 1m + var.first_interval: 168h + var.url: "https://api.recordedfuture.com/v2/hash/search?limit=200&fields=entity,fileHashes,timestamps,risk,intelCard,location&metadata=false" + var.api_token: "" +---- + +*`var.url`*:: + +The URL of the API endpoint to connect with. 
+ +*`var.api_token`*:: + +The API token used to access Recorded Future API. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.first_interval`*:: + +How far back to search when retrieving events the first time {beatname_uc} starts up. +After the first interval has passed the module itself will use the timestamp +from the last response as the filter when retrieving new events. + +*`var.proxy_url`*:: + +Optional URL to use as HTTP proxy. + + +Recorded Future fields are mapped to the following ECS fields: + +[options="header"] +|============================================================= +| Recorded Future fields | ECS Fields +| entity.name | threatintel.indicator.{url,ip,domain,file.hash} +| entity.type | threatintel.indicator.type +| fileHashes | threatintel.indicator.file.hash +| intelCard | event.reference +| location.asn | threatintel.indicator.as.number +| location.location | threatintel.indicator.geo +| location.organization | threatintel.indicator.as.organization.name +| risk.score | event.risk_score +| timestamps.firstSeen | threatintel.indicator.first_seen +| timestamps.lastSeen | threatintel.indicator.last_seen +|============================================================= + :has-dashboards!: [float] diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml index 48222e31ebdc..fce6811f5fee 100644 --- a/x-pack/filebeat/module/threatintel/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml @@ -167,6 +167,11 @@ ignore_above: 1024 description: City name. example: Montreal + - name: continent_name + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America - name: country_iso_code type: keyword ignore_above: 1024 diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index de37293b142f..a0b33b519a2d 100644 
--- a/x-pack/filebeat/module/threatintel/fields.go
+++ b/x-pack/filebeat/module/threatintel/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetThreatintel returns asset data.
 // This is the base64 encoded gzipped contents of module/threatintel.
 func AssetThreatintel() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/_meta/fields.yml b/x-pack/filebeat/module/threatintel/recordedfuture/_meta/fields.yml
new file mode 100644
index 000000000000..3e4a82a2ec24
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/_meta/fields.yml
@@ -0,0 +1,76 @@
+- name: recordedfuture
+ type: group
+ default_field: false
+ description: >
+ Fields for Recorded Future Threat Intel
+ fields:
+ - name: entity
+ type: group
+ description: >
+ Entity that represents a threat.
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ Entity ID.
+ example: "ip:192.0.2.13"
+ - name: name
+ type: keyword
+ description: >
+ Entity name. Value for the entity.
+ example: "192.0.2.13"
+ - name: type
+ type: keyword
+ description: >
+ Entity type.
+ example: "IpAddress"
+ - name: intelCard
+ type: keyword
+ description: >
+ Link to the Recorded Future Intelligence Card for to this indicator.
+ - name: ip_range
+ type: ip_range
+ description: >
+ Range of IPs for this indicator.
+ example: '192.0.2.0/16'
+ - name: risk
+ type: group
+ description: >
+ Risk fields.
+ fields:
+ - name: criticality
+ type: byte
+ description: >
+ Risk criticality (0-4).
+ - name: criticalityLabel
+ type: keyword
+ description: >
+ Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious.
+ - name: evidenceDetails
+ type: flattened
+ description: >
+ Risk's evidence details.
+ - name: score
+ type: short
+ description: >
+ Risk score (0-99).
+ - name: riskString
+ type: keyword
+ description: >
+ Number of Risk Rules observed as a factor of total number of rules.
+ example: "1/54"
+ - name: riskSummary
+ type: keyword
+ ignore_above: 1024
+ description: >
+ Risk summary.
+ example: "1 of 54 Risk Rules currently observed."
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ - name: rules
+ type: long
+ description: >
+ Number of rules observed.
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
new file mode 100644
index 000000000000..238d55d170c9
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
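Review bot: The `intelCard` description reads `Link to the Recorded Future Intelligence Card for to this indicator.`; drop the stray `for` so it reads `Link to the Recorded Future Intelligence Card for this indicator.`. The same text is copied into the generated `filebeat/docs/fields.asciidoc` hunk, so it needs regenerating after the fix. Separately, `riskSummary` is the only keyword in this group with `ignore_above: 1024`, while `id`, `name`, `intelCard` and `riskString` hold equally unbounded values; giving them the same limit would be consistent with the parent `threatintel` fields in this commit, which set `ignore_above: 1024` on their keywords.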
@@ -0,0 +1,65 @@
+{{ if eq .input "httpjson" }}
+
+type: httpjson
+config_version: "2"
+interval: {{ .interval }}
+
+request.method: GET
+{{ if .ssl }}
+request.ssl: {{ .ssl | tojson }}
+{{ end }}
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
+request.url: "{{ .url }}&orderby=lastseen&direction=asc"
+request.transforms:
+{{ if .api_token }}
+- set:
+ target: header.X-RFToken
+ value: {{ .api_token }}
+- set:
+ target: url.params.lastSeen
+ value: '[[ .cursor.timestamp ]]'
+ default: '([[ formatDate (now (parseDuration "-{{ .first_interval }}")) "2006-01-02T15:04:05.000Z" ]],]'
+ {{ end }}
+response.split:
+ target: body.data.results
+cursor:
+ timestamp:
+ value: '([[ .first_event.timestamps.lastSeen ]],]'
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - decode_json_fields:
+ fields: [message]
+ target: json
+ - fingerprint:
+ fields:
+ - event.dataset
+ - json.entity.id
+ target_field: "@metadata._id"
+ encoding: base64
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.10.0
+ - script:
+ lang: javascript
+ id: set_opt_type
+ source: >
+ function process(event) {
+ event.Put("@metadata.op_type", "index");
+ }
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
new file mode 100644
index 000000000000..0a5e9937ed43
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
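Review bot: The `{{ end }}` that closes `{{ if .api_token }}` sits after the `url.params.lastSeen` transform, so when no token is configured the cursor-based `lastSeen` filter is dropped as well and `request.transforms:` renders with no entries; only the `X-RFToken` header set should be conditional. Move `{{ end }}` to directly after `value: {{ .api_token }}`, and quote that value as `value: '{{ .api_token }}'` so a token beginning with a YAML-significant character cannot break the rendered config. Separately, `request.url: "{{ .url }}&orderby=lastseen&direction=asc"` assumes `.url` already carries a query string; a bare endpoint URL would render as `…/search&orderby=…`, which the manifest default and the docs avoid but user configuration need not.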
@@ -0,0 +1,236 @@
+description: Pipeline for parsing Recorded Future threat intel.
+processors:
+ #
+ # Safeguard against feeding the pipeline with documents other
+ # that the ones generated by Filebeat's httpjson input.
+ #
+ - fail:
+ if: 'ctx.json == null || !(ctx.json instanceof Map)'
+ message: 'missing json object in input document'
+
+ #
+ # Set basic ECS fields.
+ #
+ - set:
+ field: event.ingested
+ value: '{{{ _ingest.timestamp }}}'
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ #
+ # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ #
+ - script:
+ lang: painless
+ if: 'ctx.json.entity?.type != null'
+ description: >
+ Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ params:
+ IpAddress: ipv4-addr
+ InternetDomainName: domain-name
+ Hash: file
+ URL: url
+ source: >
+ String mapping = params[ctx.json.entity.type];
+ if (mapping != null) {
+ ctx["threatintel_indicator_type"] = mapping;
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Unable to determine indicator type from "{{{ json.entity.type }}}": {{{ _ingest.on_failure_message }}}'
+
+ - rename:
+ field: threatintel_indicator_type
+ target_field: threatintel.indicator.type
+ ignore_missing: true
+
+ #
+ # Detect ipv6 for ipv4-addr types.
+ #
+ - set:
+ field: threatintel.indicator.type
+ value: ipv6-addr
+ if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")'
+
+ #
+ # Map first and last seen dates.
+ #
+ - date:
+ field: json.timestamps.firstSeen
+ target_field: threatintel.indicator.first_seen
+ formats:
+ - ISO8601
+ if: 'ctx.json.timestamps?.firstSeen != null'
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Error parsing firstSeen field value "{{{ json.timestamps.firstSeen }}}": {{{ _ingest.on_failure_message }}}'
+ - date:
+ field: json.timestamps.lastSeen
+ target_field: threatintel.indicator.last_seen
+ formats:
+ - ISO8601
+ if: 'ctx.json.timestamps?.lastSeen != null'
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Error parsing lastSeen field value "{{{ json.timestamps.lastSeen }}}": {{{ _ingest.on_failure_message }}}'
+
+
+ #
+ # Map location fields.
+ #
+ - rename:
+ field: json.location.location.city
+ target_field: threatintel.indicator.geo.city_name
+ ignore_missing: true
+ - rename:
+ field: json.location.location.continent
+ target_field: threatintel.indicator.geo.continent_name
+ ignore_missing: true
+ - rename:
+ field: json.location.location.country
+ target_field: threatintel.indicator.geo.country_name
+ ignore_missing: true
+ - grok:
+ field: json.location.asn
+ patterns:
+ - '^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$'
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}'
+
+ - rename:
+ field: json.location.organization
+ target_field: threatintel.indicator.as.organization.name
+ ignore_missing: true
+
+ - set:
+ field: event.reference
+ value: '{{{ json.intelCard }}}'
+ ignore_empty_value: true
+
+ - set:
+ field: json.ip_range
+ copy_from: json.entity.name
+ if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
+ - set:
+ field: json.ip_range
+ value: '{{{ json.entity.name }}}/32'
+ if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
+ - set:
+ field: json.ip_range
+ value: '{{{ json.entity.name }}}/128'
+ if: 'ctx.threatintel?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
+ - set:
+ field: json.ip_range
+ copy_from: json.entity.name
+ if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
+
+ - rename:
+ field: json.entity.name
+ target_field: threatintel.indicator.ip
+ if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
+
+ - rename:
+ field: json.entity.name
+ target_field: threatintel.indicator.domain
+ ignore_missing: true
+ if: 'ctx.threatintel?.indicator?.type == "domain-name"'
+
+ - uri_parts:
+ field: json.entity.name
+ target_field: threatintel.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: 'ctx.threatintel?.indicator?.type == "url"'
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Cannot parse url field `{{{ json.entity.name }}}`: {{{ _ingest.on_failure_message }}}'
+
+ # At this point fileHashes may exist if "fileHashes" field is requested.
+ - append:
+ field: json.fileHashes
+ value: '{{{ json.entity.name }}}'
+ allow_duplicates: false
+ if: 'ctx.threatintel?.indicator?.type == "file"'
+
+ - remove:
+ field: json.entity.name
+ if: 'ctx.threatintel?.indicator?.type == "file"'
+
+ - script:
+ lang: painless
+ description: >
+ Map file hashes.
+ if: 'ctx.json.fileHashes != null'
+ params:
+ '4': crc32
+ '32': md5
+ '40': sha1
+ '64': sha256
+ '128': sha512
+ source: >
+ def hashes = new HashMap();
+ for (def hash : ctx.json.fileHashes) {
+ def algo = params[String.valueOf(hash.length())];
+ if (algo != null) {
+ hashes[algo] = hash;
+ }
+ }
+ ctx["_hashes"] = hashes;
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Failed to map fileHashes field: {{ _ingest.on_failure_message }}'
+
+ - rename:
+ field: _hashes
+ target_field: threatintel.indicator.file.hash
+ ignore_missing: true
+
+ #
+ # Map risk.score to event.risk_score.
+ #
+ - convert:
+ field: json.risk.score
+ target_field: event.risk_score
+ ignore_missing: true
+ type: float
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Risk score `{{{ json.risk.score }}}` cannot be converted to float: {{ _ingest.on_failure_message }}'
+ #
+ # Remove fields converted to an ECS field.
+ #
+ - remove:
+ field:
+ - json.timestamps
+ - json.location
+ - json.fileHashes
+ - message
+ ignore_missing: true
+
+ #
+ # Save fields without an ECS mapping under `threatintel.recordedfuture`.
+ #
+ - rename:
+ field: json
+ target_field: threatintel.recordedfuture
+
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
new file mode 100644
index 000000000000..93df3884160a
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
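Review bot: The `json.ip_range` set processor with `copy_from: json.entity.name` and the `contains("/")` condition appears twice, once before the `/32` set and again after the `/128` set; the second copy is redundant and should be removed. In the file-hash script, `'4': crc32` looks doubtful since a hex-encoded CRC32 is 8 characters, so a 4-character entry would be matched to the wrong algorithm and an 8-character one silently dropped; confirm against the `fileHashes` values the feed actually returns. The comment `# Map itype field to STIX 2.0 Cyber Observable values` names an `itype` field that this dataset does not have, while the processor reads `json.entity.type`; change it to `# Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).` so it matches the processor's own `description`.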
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: first_interval
+ default: 168h
+ - name: interval
+ default: 1m
+ - name: url
+ default: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false"
+ - name: ssl
+ - name: tags
+ default: [threatintel-recordedfuture, forwarded]
+ - name: proxy_url
+ - name: api_token
+ingest_pipeline:
+ - ingest/pipeline.yml
+input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log
new file mode 100644
index 000000000000..54f047c3ab6a
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log
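Review bot: `interval` defaults to `1m` here, while the `_meta/config.yml`, `filebeat.reference.yml` and the fileset docs in this same commit all show `var.interval: 5m`; unless the shorter default is intentional, change the manifest to `default: 5m` so the effective polling rate of a minimally configured module matches what the documentation describes. `api_token` has no default, which is fine, but since the input template only sets the `X-RFToken` header when the token is non-empty, a short comment such as `# api_token is required; requests are sent without authentication when it is unset` would make the consequence of omitting it visible to operators.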
@@ -0,0 +1,10 @@ +{"entity": {"id": "idn:16url-gy.example.net", "name": "16url-gy.example.net", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2016-07-25T20:29:32.750Z", "lastSeen": "2021-06-20T18:23:47.901Z"}} +{"entity": {"id": "idn:b999f.example.org", "name": "b999f.example.org", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2012-11-21T01:54:04.292Z", "lastSeen": "2021-06-20T18:23:47.812Z"}} +{"entity": {"id": "idn:c422.example.net", "name": "c422.example.net", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2018-02-21T13:53:46.470Z", "lastSeen": "2021-06-20T18:23:47.778Z"}} +{"entity": {"id": "idn:8rwcvgjsp.example.net", "name": "8rwcvgjsp.example.net", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2016-08-15T11:56:24.964Z", "lastSeen": "2021-06-20T18:23:47.747Z"}} +{"entity": {"id": "idn:c9px.example.net", "name": 
"c9px.example.net", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2016-06-29T21:06:06.066Z", "lastSeen": "2021-06-20T18:23:47.460Z"}} +{"entity": {"id": "idn:ttj1i9z7.example.com", "name": "ttj1i9z7.example.com", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2018-09-20T03:26:08.564Z", "lastSeen": "2021-06-20T18:23:47.373Z"}} +{"entity": {"id": "idn:7pgc.example.org", "name": "7pgc.example.org", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2017-02-23T17:44:16.104Z", "lastSeen": "2021-06-20T18:23:47.373Z"}} +{"entity": {"id": "idn:xm5u434.example.net", "name": "xm5u434.example.net", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2017-04-10T06:55:27.658Z", "lastSeen": "2021-06-20T18:23:47.373Z"}} +{"entity": {"id": "idn:gpgju.example.com", "name": "gpgju.example.com", "type": "InternetDomainName"}, "intelCard": 
"https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2018-07-27T15:22:39.390Z", "lastSeen": "2021-06-20T18:23:47.373Z"}} +{"entity": {"id": "idn:55g.example.com", "name": "55g.example.com", "type": "InternetDomainName"}, "intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/44", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2021-01-10T21:24:38.353Z", "lastSeen": "2021-06-20T18:23:45.025Z"}} diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json new file mode 100644 index 000000000000..12d7044c9a17 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json 
@@ -0,0 +1,312 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "16url-gy.example.net", + "threatintel.indicator.first_seen": "2016-07-25T20:29:32.750Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.901Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:16url-gy.example.net", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 482, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "b999f.example.org", + "threatintel.indicator.first_seen": 
"2012-11-21T01:54:04.292Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.812Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:b999f.example.org", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 955, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "c422.example.net", + "threatintel.indicator.first_seen": "2018-02-21T13:53:46.470Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.778Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:c422.example.net", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + 
"threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 1425, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "8rwcvgjsp.example.net", + "threatintel.indicator.first_seen": "2016-08-15T11:56:24.964Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.747Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 1910, + "service.type": "threatintel", + 
"tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "c9px.example.net", + "threatintel.indicator.first_seen": "2016-06-29T21:06:06.066Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.460Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:c9px.example.net", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 2380, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "ttj1i9z7.example.com", + "threatintel.indicator.first_seen": "2018-09-20T03:26:08.564Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:ttj1i9z7.example.com", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "threatintel.recordedfuture.risk.criticality": 0, + 
"threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 2862, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "7pgc.example.org", + "threatintel.indicator.first_seen": "2017-02-23T17:44:16.104Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:7pgc.example.org", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + 
"event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 3332, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "xm5u434.example.net", + "threatintel.indicator.first_seen": "2017-04-10T06:55:27.658Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:xm5u434.example.net", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 3811, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "gpgju.example.com", + "threatintel.indicator.first_seen": "2018-07-27T15:22:39.390Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:gpgju.example.com", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + 
"threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 4284, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.domain": "55g.example.com", + "threatintel.indicator.first_seen": "2021-01-10T21:24:38.353Z", + "threatintel.indicator.last_seen": "2021-06-20T18:23:45.025Z", + "threatintel.indicator.type": "domain-name", + "threatintel.recordedfuture.entity.id": "idn:55g.example.com", + "threatintel.recordedfuture.entity.type": "InternetDomainName", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/44", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log
new file mode 100644
index 000000000000..284429cc3e32
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log
@@ -0,0 +1,10 @@ +{"entity": {"id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "name": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "type": "Hash"}, "fileHashes": ["25328d1a481903f2d900479570842247", "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "6 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://23l04ha7h.network.local/scan/results/file/dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:18.503Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://frj972mua.network.local/scan/results/file/dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:26.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.503Z", "lastSeen": "2021-06-20T18:40:18.503Z"}} +{"entity": {"id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "name": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "type": "Hash"}, "fileHashes": ["7b8d9afd032f0c253b7dd68aca6fb50b", "f9ece49c249aabab29fd9c2193d897b7d131ed17", "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "8 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://poapoq2z.network.local/scan/results/file/4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:18.452Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://mezsa92p.network.local/scan/results/file/4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:27.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.452Z", "lastSeen": "2021-06-20T18:40:18.452Z"}} +{"entity": {"id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "name": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "type": "Hash"}, "fileHashes": ["7b65b50ed4554c86cb777e35e7750209", "e10942ba3fbb937c90c7cb3e39c06a13324981a8", "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "9 sightings on 1 source: PolySwarm. 1 related malware: Trojan. Most recent link (Jun 20, 2021): https://kyvhpghg.network.local/scan/results/file/299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:18.343Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://fdxeziea.network.local/scan/results/file/299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:25.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.343Z", "lastSeen": "2021-06-20T18:40:18.343Z"}} +{"entity": {"id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "name": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "type": "Hash"}, "fileHashes": ["c6353df35499ca6934da2169b7bd1635", "3e208c649da0a9efbde7bbde6eece2142fdac3f9", "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "3 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://k40z19-by.network.local/scan/results/file/e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:18.257Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://4e-6k-.network.local/scan/results/file/e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:29.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.258Z", "lastSeen": "2021-06-20T18:40:18.258Z"}} +{"entity": {"id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "name": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "type": "Hash"}, "fileHashes": ["3d568bd03766a8d47c8fabb7d392c32e", "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2", "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://ksmt6j.network.local/scan/results/file/184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:24.000Z"}], "riskString": "1/14", "riskSummary": "1 of 14 Risk Rules currently observed.", "rules": 1, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.131Z", "lastSeen": "2021-06-20T18:40:18.131Z"}} +{"entity": {"id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "name": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "type": "Hash"}, "fileHashes": ["a40e91f2d29616076114eea0f2a693af", "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705", "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "8 sightings on 1 source: PolySwarm. 1 related malware: Trojan. Most recent link (Jun 20, 2021): https://m-1z.network.local/scan/results/file/1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:18.093Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://llt6m.network.local/scan/results/file/1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:29.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.093Z", "lastSeen": "2021-06-20T18:40:18.093Z"}} +{"entity": {"id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "name": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "type": "Hash"}, "fileHashes": ["02062782c7eeaff185ea6966460f7c9a", "64355796dc38992ca5e434682ddbf63bdfabeb4e", "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "4 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://46h0mn.network.local/scan/results/file/bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:18.070Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://j94d.network.local/scan/results/file/bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:28.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.070Z", "lastSeen": "2021-06-20T18:40:18.070Z"}} +{"entity": {"id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "name": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "type": "Hash"}, "fileHashes": ["bdd205ffc81c54e7cc1a9080cfa093e4", "a6b928fd6fee43495b96941ef80b25d074f6e0e2", "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "3 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://5twber.network.local/scan/results/file/c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:18.010Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://b5qxg4.network.local/scan/results/file/c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:28.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:18.011Z", "lastSeen": "2021-06-20T18:40:18.011Z"}} +{"entity": {"id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "name": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "type": "Hash"}, "fileHashes": ["af45390e39574cdb037d684074e6a542", "f6a14c7424604cd51ba6a6d3f7594ec762f48645", "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "6 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://wor2ca.network.local/scan/results/file/c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:17.964Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. 
Most recent link (Jun 19, 2021): https://l4tlgg.network.local/scan/results/file/c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:31.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:17.964Z", "lastSeen": "2021-06-20T18:40:17.964Z"}} +{"entity": {"id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "name": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "type": "Hash"}, "fileHashes": ["5b8bcd367f802cd104210bb47abb3ab1", "b40d1796bd6974860ce6be691152ad963300c711", "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c"], "intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "risk": {"criticality": 3, "criticalityLabel": "Malicious", "evidenceDetails": [{"criticality": 2, "criticalityLabel": "Suspicious", "evidenceString": "6 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://79073cr.network.local/scan/results/file/0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "mitigationString": "", "rule": "Linked to Malware", "timestamp": "2021-06-20T18:40:17.919Z"}, {"criticality": 3, "criticalityLabel": "Malicious", "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://c2ilj.network.local/scan/results/file/0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", "mitigationString": "", "rule": "Positive Malware Verdict", "timestamp": "2021-06-19T17:39:26.000Z"}], "riskString": "2/14", "riskSummary": "2 of 14 Risk Rules currently observed.", "rules": 2, "score": 65}, "timestamps": {"firstSeen": "2021-06-20T18:40:17.919Z", "lastSeen": "2021-06-20T18:40:17.919Z"}} 
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
new file mode 100644
index 000000000000..32a800a15745
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
@@ -0,0 +1,494 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "25328d1a481903f2d900479570842247", + "threatintel.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", + "threatintel.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.503Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:18.503Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://frj972mua.network.local/scan/results/file/dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:26.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "6 sightings on 1 source: PolySwarm. 
Most recent link (Jun 20, 2021): https://23l04ha7h.network.local/scan/results/file/dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:18.503Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 1478, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b", + "threatintel.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17", + "threatintel.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.452Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:18.452Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 
3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://mezsa92p.network.local/scan/results/file/4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:27.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "8 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://poapoq2z.network.local/scan/results/file/4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:18.452Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 2954, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209", + "threatintel.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8", + "threatintel.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.343Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:18.343Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": 
"hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://fdxeziea.network.local/scan/results/file/299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:25.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "9 sightings on 1 source: PolySwarm. 1 related malware: Trojan. Most recent link (Jun 20, 2021): https://kyvhpghg.network.local/scan/results/file/299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:18.343Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 4457, + "service.type": "threatintel", + "tags": [ + "forwarded", + 
"threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635", + "threatintel.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9", + "threatintel.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.258Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:18.258Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://4e-6k-.network.local/scan/results/file/e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:29.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "3 sightings on 1 source: PolySwarm. 
Most recent link (Jun 20, 2021): https://k40z19-by.network.local/scan/results/file/e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:18.257Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 5932, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e", + "threatintel.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2", + "threatintel.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.131Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:18.131Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 
3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://ksmt6j.network.local/scan/results/file/184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:24.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/14", + "threatintel.recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 7054, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af", + "threatintel.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705", + "threatintel.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.093Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:18.093Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "threatintel.recordedfuture.risk.criticality": 3, + 
"threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://llt6m.network.local/scan/results/file/1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:29.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "8 sightings on 1 source: PolySwarm. 1 related malware: Trojan. Most recent link (Jun 20, 2021): https://m-1z.network.local/scan/results/file/1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:18.093Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 8550, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a", + "threatintel.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e", + "threatintel.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.070Z", + 
"threatintel.indicator.last_seen": "2021-06-20T18:40:18.070Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://j94d.network.local/scan/results/file/bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:28.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "4 sightings on 1 source: PolySwarm. 
Most recent link (Jun 20, 2021): https://46h0mn.network.local/scan/results/file/bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:18.070Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 10020, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4", + "threatintel.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2", + "threatintel.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "threatintel.indicator.first_seen": "2021-06-20T18:40:18.011Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:18.011Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, 
+ "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://b5qxg4.network.local/scan/results/file/c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:28.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "3 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://5twber.network.local/scan/results/file/c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:18.010Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 11492, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542", + "threatintel.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645", + "threatintel.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "threatintel.indicator.first_seen": "2021-06-20T18:40:17.964Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:17.964Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": 
"hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://l4tlgg.network.local/scan/results/file/c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:31.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "6 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://wor2ca.network.local/scan/results/file/c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:17.964Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "event.risk_score": 65.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 12964, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + 
"threatintel.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1", + "threatintel.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711", + "threatintel.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "threatintel.indicator.first_seen": "2021-06-20T18:40:17.919Z", + "threatintel.indicator.last_seen": "2021-06-20T18:40:17.919Z", + "threatintel.indicator.type": "file", + "threatintel.recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "threatintel.recordedfuture.entity.type": "Hash", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "threatintel.recordedfuture.risk.criticality": 3, + "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 3, + "criticalityLabel": "Malicious", + "evidenceString": "1 sighting on 1 source: PolySwarm. Most recent link (Jun 19, 2021): https://c2ilj.network.local/scan/results/file/0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "mitigationString": "", + "rule": "Positive Malware Verdict", + "timestamp": "2021-06-19T17:39:26.000Z" + }, + { + "criticality": 2, + "criticalityLabel": "Suspicious", + "evidenceString": "6 sightings on 1 source: PolySwarm. Most recent link (Jun 20, 2021): https://79073cr.network.local/scan/results/file/0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c", + "mitigationString": "", + "rule": "Linked to Malware", + "timestamp": "2021-06-20T18:40:17.919Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "2/14", + "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 2, + "threatintel.recordedfuture.risk.score": 65 + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log
new file mode 100644
index 000000000000..bb05454a584e
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log
@@ -0,0 +1,10 @@
+{"entity": {"id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", "name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", "location": {"asn": "AS31287", "cidr": {"id": "ip:151.237.36.0/23", "name": "151.237.36.0/23", "type": "IpAddress"}, "location": {"city": "Radnevo", "continent": "Europe", "country": "Bulgaria"}, "organization": "IPACCT CABLE Ltd"}, "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/54", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2021-04-18T00:11:48.512Z", "lastSeen": "2021-06-19T19:40:32.897Z"}}
+{"entity": {"id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", "name": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", "location": {"asn": "AS197207", "cidr": {"id": "ip:93.110.128.0/17", "name": "93.110.128.0/17", "type": "IpAddress"}, "location": {"city": null, "continent": "Asia", "country": "Iran"}, "organization": "Mobile Communication Company of Iran PLC"}, "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/54", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2021-06-19T17:55:58.019Z", "lastSeen": "2021-06-19T19:40:32.839Z"}}
+{"entity": {"id": "ip:203.0.113.55", "name": "203.0.113.55", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", "location": {"asn": null, "cidr": {"id": "ip:0.0.0.0/8", "name": "0.0.0.0/8", "type": "IpAddress"}, "location": {"city": null, "continent": null, "country": null}, "organization": null}, "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/54", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2021-06-19T19:40:30.596Z", "lastSeen": "2021-06-19T19:40:30.596Z"}}
+{"entity": {"id": "ip:203.0.113.108", "name": "203.0.113.108", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", "location": {"asn": "AS17622", "cidr": {"id": "ip:58.248.128.0/19", "name": "58.248.128.0/19", "type": "IpAddress"}, "location": {"city": "Guangzhou", "continent": "Asia", "country": "China"}, "organization": "China Unicom Guangzhou network"}, "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/54", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2021-06-19T19:40:20.534Z", "lastSeen": "2021-06-19T19:40:20.534Z"}}
+{"entity": {"id": "ip:203.0.113.139", "name": "203.0.113.139", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", "location": {"asn": "AS7713", "cidr": {"id": "ip:125.162.0.0/16", "name": "125.162.0.0/16", "type": "IpAddress"}, "location": {"city": null, "continent": "Asia", "country": "Indonesia"}, "organization": "PT Telekomunikasi Indonesia"}, "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/54", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2016-06-23T07:39:06.418Z", "lastSeen": "2021-06-19T19:40:03.882Z"}}
+{"entity": {"id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a", "name": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", "location": {"asn": "AS17622", "cidr": {"id": "ip:58.249.64.0/19", "name": "58.249.64.0/19", "type": "IpAddress"}, "location": {"city": "Guangzhou", "continent": "Asia", "country": "China"}, "organization": "China Unicom Guangzhou network"}, "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/54", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2021-06-19T19:40:02.557Z", "lastSeen": "2021-06-19T19:40:02.557Z"}}
+{"entity": {"id": "ip:192.0.2.147", "name": "192.0.2.147", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", "location": {"asn": "AS4837", "cidr": {"id": "ip:61.53.0.0/17", "name": "61.53.0.0/17", "type": "IpAddress"}, "location": {"city": "Zhengzhou", "continent": "Asia", "country": "China"}, "organization": "CHINA UNICOM China169 Backbone"}, "risk": {"criticality": 0, "criticalityLabel": "None", "evidenceDetails": [], "riskString": "0/54", "riskSummary": "No Risk Rules are currently observed.", "rules": 0, "score": 0}, "timestamps": {"firstSeen": "2017-12-20T02:21:07.734Z", "lastSeen": "2021-06-19T19:39:43.160Z"}}
+{"entity": {"id": "ip:203.0.113.198", "name": "203.0.113.198", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", "location": {"asn": "AS9829", "cidr": {"id": "ip:59.93.20.0/22", "name": "59.93.20.0/22", "type": "IpAddress"}, "location": {"city": "Palakkad", "continent": "Asia", "country": "India"}, "organization": "National Internet Backbone"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "4 sightings on 1 source: AbuseIP Database. Most recent link (Dec 24, 2019): https://6900dkn8.network.local/pg6pd9jx/ip=203.0.113.198", "mitigationString": "", "rule": "Historical Multicategory Blocklist", "timestamp": "2019-12-24T09:53:13.546Z"}], "riskString": "1/54", "riskSummary": "1 of 54 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2019-12-24T09:54:02.935Z", "lastSeen": "2021-06-19T19:39:25.532Z"}}
+{"entity": {"id": "ip:192.0.2.179", "name": "192.0.2.179", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", "location": {"asn": "AS9829", "cidr": {"id": "ip:59.99.200.0/21", "name": "59.99.200.0/21", "type": "IpAddress"}, "location": {"city": "Bangalore", "continent": "Asia", "country": "India"}, "organization": "National Internet Backbone"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "4 sightings on 1 source: AbuseIP Database. Most recent link (Mar 3, 2020): https://f0go.network.local/c1c3m9rsl/ip=192.0.2.179", "mitigationString": "", "rule": "Historical Multicategory Blocklist", "timestamp": "2020-03-03T08:08:07.521Z"}, {"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. Observed between Apr 7, 2020, and Apr 8, 2020.", "mitigationString": "", "rule": "Historically Reported in Threat List", "timestamp": "2021-06-21T19:53:19.897Z"}, {"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "High Risk activity in CIDR Block.", "mitigationString": "", "rule": "Recorded Future Predictive Risk Model", "timestamp": "2021-06-21T19:53:19.906Z"}], "riskString": "3/54", "riskSummary": "3 of 54 Risk Rules currently observed.", "rules": 3, "score": 15}, "timestamps": {"firstSeen": "2020-03-03T08:10:28.489Z", "lastSeen": "2021-06-19T19:39:11.694Z"}}
+{"entity": {"id": "ip:192.0.2.245", "name": "192.0.2.245", "type": "IpAddress"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", "location": {"asn": "AS45899", "cidr": {"id": "ip:113.170.96.0/20", "name": "113.170.96.0/20", "type": "IpAddress"}, "location": {"city": "Long Phu", "continent": "Asia", "country": "Vietnam"}, "organization": "VNPT Corp"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. Observed between May 25, 2021, and May 25, 2021.", "mitigationString": "", "rule": "Historically Reported in Threat List", "timestamp": "2021-06-19T19:50:20.162Z"}], "riskString": "1/54", "riskSummary": "1 of 54 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-19T19:38:57.372Z", "lastSeen": "2021-06-19T19:38:57.372Z"}}
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
new file mode 100644
index 000000000000..ed121c0a4187
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
@@ -0,0 +1,414 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 31287, + "threatintel.indicator.as.organization.name": "IPACCT CABLE Ltd", + "threatintel.indicator.first_seen": "2021-04-18T00:11:48.512Z", + "threatintel.indicator.geo.city_name": "Radnevo", + "threatintel.indicator.geo.continent_name": "Europe", + "threatintel.indicator.geo.country_name": "Bulgaria", + "threatintel.indicator.last_seen": "2021-06-19T19:40:32.897Z", + "threatintel.indicator.type": "ipv6-addr", + "threatintel.recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "threatintel.recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "threatintel.recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/54", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + 
"event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 763, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 197207, + "threatintel.indicator.as.organization.name": "Mobile Communication Company of Iran PLC", + "threatintel.indicator.first_seen": "2021-06-19T17:55:58.019Z", + "threatintel.indicator.geo.city_name": null, + "threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "Iran", + "threatintel.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "threatintel.indicator.last_seen": "2021-06-19T19:40:32.839Z", + "threatintel.indicator.type": "ipv6-addr", + "threatintel.recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071", + "threatintel.recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/54", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + 
"input.type": "log", + "log.offset": 1531, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.organization.name": null, + "threatintel.indicator.first_seen": "2021-06-19T19:40:30.596Z", + "threatintel.indicator.geo.city_name": null, + "threatintel.indicator.geo.continent_name": null, + "threatintel.indicator.geo.country_name": null, + "threatintel.indicator.ip": "203.0.113.55", + "threatintel.indicator.last_seen": "2021-06-19T19:40:30.596Z", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.recordedfuture.entity.id": "ip:203.0.113.55", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55", + "threatintel.recordedfuture.ip_range": "203.0.113.55/32", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/54", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 2161, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 17622, + "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network", + "threatintel.indicator.first_seen": "2021-06-19T19:40:20.534Z", + "threatintel.indicator.geo.city_name": "Guangzhou", + 
"threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "China", + "threatintel.indicator.ip": "203.0.113.108", + "threatintel.indicator.last_seen": "2021-06-19T19:40:20.534Z", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.recordedfuture.entity.id": "ip:203.0.113.108", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108", + "threatintel.recordedfuture.ip_range": "203.0.113.108/32", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/54", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 2851, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 7713, + "threatintel.indicator.as.organization.name": "PT Telekomunikasi Indonesia", + "threatintel.indicator.first_seen": "2016-06-23T07:39:06.418Z", + "threatintel.indicator.geo.city_name": null, + "threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "Indonesia", + "threatintel.indicator.ip": "203.0.113.139", + "threatintel.indicator.last_seen": "2021-06-19T19:40:03.882Z", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.recordedfuture.entity.id": 
"ip:203.0.113.139", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", + "threatintel.recordedfuture.ip_range": "203.0.113.139/32", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/54", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 3532, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 17622, + "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network", + "threatintel.indicator.first_seen": "2021-06-19T19:40:02.557Z", + "threatintel.indicator.geo.city_name": "Guangzhou", + "threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "China", + "threatintel.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "threatintel.indicator.last_seen": "2021-06-19T19:40:02.557Z", + "threatintel.indicator.type": "ipv6-addr", + "threatintel.recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + 
"threatintel.recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/54", + "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", + "event.risk_score": 0.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 4295, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 4837, + "threatintel.indicator.as.organization.name": "CHINA UNICOM China169 Backbone", + "threatintel.indicator.first_seen": "2017-12-20T02:21:07.734Z", + "threatintel.indicator.geo.city_name": "Zhengzhou", + "threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "China", + "threatintel.indicator.ip": "192.0.2.147", + "threatintel.indicator.last_seen": "2021-06-19T19:39:43.160Z", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.recordedfuture.entity.id": "ip:192.0.2.147", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", + "threatintel.recordedfuture.ip_range": "192.0.2.147/32", + "threatintel.recordedfuture.risk.criticality": 0, + "threatintel.recordedfuture.risk.criticalityLabel": "None", + "threatintel.recordedfuture.risk.evidenceDetails": [], + "threatintel.recordedfuture.risk.riskString": "0/54", + 
"threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "threatintel.recordedfuture.risk.rules": 0, + "threatintel.recordedfuture.risk.score": 0 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 4972, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 9829, + "threatintel.indicator.as.organization.name": "National Internet Backbone", + "threatintel.indicator.first_seen": "2019-12-24T09:54:02.935Z", + "threatintel.indicator.geo.city_name": "Palakkad", + "threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "India", + "threatintel.indicator.ip": "203.0.113.198", + "threatintel.indicator.last_seen": "2021-06-19T19:39:25.532Z", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.recordedfuture.entity.id": "ip:203.0.113.198", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", + "threatintel.recordedfuture.ip_range": "203.0.113.198/32", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "4 sightings on 1 source: AbuseIP Database. 
Most recent link (Dec 24, 2019): https://6900dkn8.network.local/pg6pd9jx/ip=203.0.113.198", + "mitigationString": "", + "rule": "Historical Multicategory Blocklist", + "timestamp": "2019-12-24T09:53:13.546Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/54", + "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", + "event.risk_score": 15.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 5970, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 9829, + "threatintel.indicator.as.organization.name": "National Internet Backbone", + "threatintel.indicator.first_seen": "2020-03-03T08:10:28.489Z", + "threatintel.indicator.geo.city_name": "Bangalore", + "threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "India", + "threatintel.indicator.ip": "192.0.2.179", + "threatintel.indicator.last_seen": "2021-06-19T19:39:11.694Z", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.recordedfuture.entity.id": "ip:192.0.2.179", + "threatintel.recordedfuture.entity.type": "IpAddress", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", + "threatintel.recordedfuture.ip_range": "192.0.2.179/32", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "4 sightings on 1 source: 
AbuseIP Database. Most recent link (Mar 3, 2020): https://f0go.network.local/c1c3m9rsl/ip=192.0.2.179", + "mitigationString": "", + "rule": "Historical Multicategory Blocklist", + "timestamp": "2020-03-03T08:08:07.521Z" + }, + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "High Risk activity in CIDR Block.", + "mitigationString": "", + "rule": "Recorded Future Predictive Risk Model", + "timestamp": "2021-06-21T19:53:19.906Z" + }, + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. Observed between Apr 7, 2020, and Apr 8, 2020.", + "mitigationString": "", + "rule": "Historically Reported in Threat List", + "timestamp": "2021-06-21T19:53:19.897Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "3/54", + "threatintel.recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 3, + "threatintel.recordedfuture.risk.score": 15 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 7483, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.as.number": 45899, + "threatintel.indicator.as.organization.name": "VNPT Corp", + "threatintel.indicator.first_seen": "2021-06-19T19:38:57.372Z", + "threatintel.indicator.geo.city_name": "Long Phu", + "threatintel.indicator.geo.continent_name": "Asia", + "threatintel.indicator.geo.country_name": "Vietnam", + "threatintel.indicator.ip": "192.0.2.245", + "threatintel.indicator.last_seen": "2021-06-19T19:38:57.372Z", + "threatintel.indicator.type": "ipv4-addr", + 
"threatintel.recordedfuture.entity.id": "ip:192.0.2.245",
+ "threatintel.recordedfuture.entity.type": "IpAddress",
+ "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
+ "threatintel.recordedfuture.ip_range": "192.0.2.245/32",
+ "threatintel.recordedfuture.risk.criticality": 1,
+ "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
+ "threatintel.recordedfuture.risk.evidenceDetails": [
+ {
+ "criticality": 1,
+ "criticalityLabel": "Unusual",
+ "evidenceString": "Previous sightings on 1 source: Recorded Future Fast Flux DNS IP List. Observed between May 25, 2021, and May 25, 2021.",
+ "mitigationString": "",
+ "rule": "Historically Reported in Threat List",
+ "timestamp": "2021-06-19T19:50:20.162Z"
+ }
+ ],
+ "threatintel.recordedfuture.risk.riskString": "1/54",
+ "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.",
+ "threatintel.recordedfuture.risk.rules": 1,
+ "threatintel.recordedfuture.risk.score": 5
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log
new file mode 100644
index 000000000000..2016b319f60a
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log
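Review bot: The first expected event (the `2001:db8:…:c8af/21` entity) is emitted with `threatintel.indicator.type: ipv6-addr` but no `threatintel.indicator.ip`, and it keeps `threatintel.recordedfuture.entity.name` while every other event in this file has that field consumed — presumably the prefixed value fails the pipeline's IP conversion and the fallback leaves the raw name in place. Any indicator-match rule keyed on `threatintel.indicator.ip` will therefore never see this entity even though `threatintel.recordedfuture.ip_range` carries the `/21`, and the `ipv6-addr` label misdescribes what is actually a network range. I would have the pipeline detect a `/prefix` suffix in `entity.name` and either assign a range-specific `threatintel.indicator.type` or at least not claim `ipv6-addr`/`ipv4-addr` for it, and add a comment in the pipeline stating that prefixed entities are intentionally only searchable via `ip_range`. The pipeline that produces these events is outside this hunk, so this is inferred from the expected output alone.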
@@ -0,0 +1,10 @@ +{"entity": {"id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", "name": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: Qakbot, qbot, zip. Most recent link (Apr 15, 2021): https://jc6.network.local/hnwdzm1k3?url=cdb14", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2021-04-15T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj"} +{"entity": {"id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", "name": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. 
Last observed on Feb 14, 2021.", "mitigationString": "", "rule": "Historically Detected Phishing Techniques", "timestamp": "2021-02-14T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61"} +{"entity": {"id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", "name": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: gafgyt, elf. Most recent link (May 15, 2021): https://bm1.network.local/82p3t?url=12b56", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2021-05-15T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc"} +{"entity": {"id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", "name": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, Mozi. 
Most recent link (Feb 14, 2021): https://ois8bq4.network.local/4lf?url=3f7c2", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2021-02-14T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0"} +{"entity": {"id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", "name": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: @Sh1ttyKids. Most recent tweet: https://8g7zl.network.local/v5hcdo?url=efed5", "mitigationString": "", "rule": "Historically Reported as a Defanged URL", "timestamp": "2020-06-24T12:01:33.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii"} +{"entity": {"id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", "name": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: . 
Most recent link (Feb 14, 2021): https://w6l3t5s.network.local/dr2rg5o?url=7b29d", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2021-02-14T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont"} +{"entity": {"id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", "name": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, mips. Most recent link (Nov 16, 2020): https://0c39b.network.local/tcxah?url=0d1b9", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2020-11-16T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513"} +{"entity": {"id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", "name": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, Mozi. 
Most recent link (May 15, 2021): https://i1-yo.network.local/8-w8hhq2p?url=f7769", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2021-05-15T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r"} +{"entity": {"id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", "name": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, mips. Most recent link (Feb 14, 2021): https://ysn.network.local/5p-09h7b?url=ff1c3", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2021-02-14T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2"} +{"entity": {"id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", "name": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", "type": "URL"}, "risk": {"criticality": 1, "criticalityLabel": "Unusual", "evidenceDetails": [{"criticality": 1, "criticalityLabel": "Unusual", "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, Mozi. 
Most recent link (Feb 14, 2021): https://j-8uc.network.local/2odpjhia?url=1a2ba", "mitigationString": "", "rule": "Historically Detected Malware Distribution", "timestamp": "2021-02-14T00:00:00.000Z"}], "riskString": "1/25", "riskSummary": "1 of 25 Risk Rules currently observed.", "rules": 1, "score": 5}, "timestamps": {"firstSeen": "2021-06-20T00:00:00.000Z", "lastSeen": "2021-06-20T23:59:59.000Z"}, "intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1"} diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json new file mode 100644 index 000000000000..b341365e428f --- /dev/null +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json 
@@ -0,0 +1,442 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "d6s.example.net", + "threatintel.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "threatintel.indicator.url.path": "/nzy/vvc68ke", + "threatintel.indicator.url.query": "p5uxwn=1bj", + "threatintel.indicator.url.scheme": "https", + "threatintel.recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: Qakbot, qbot, zip. 
Most recent link (Apr 15, 2021): https://jc6.network.local/hnwdzm1k3?url=cdb14", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2021-04-15T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 874, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ga7v9u.example.org", + "threatintel.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "threatintel.indicator.url.path": "/bnqv8e2v8/qb49", + "threatintel.indicator.url.query": "7kq=iw61", + "threatintel.indicator.url.scheme": "https", + "threatintel.recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 
sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Feb 14, 2021.", + "mitigationString": "", + "rule": "Historically Detected Phishing Techniques", + "timestamp": "2021-02-14T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 1760, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cdmw.example.net", + "threatintel.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "threatintel.indicator.url.path": "/c20fwa/wwn", + "threatintel.indicator.url.query": "dlz53=z6ovc", + "threatintel.indicator.url.scheme": "https", + "threatintel.recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + 
"criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: gafgyt, elf. Most recent link (May 15, 2021): https://bm1.network.local/82p3t?url=12b56", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2021-05-15T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 2627, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "4mne.example.local", + "threatintel.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "threatintel.indicator.url.path": "/ns2rk8f/wngtk2xz", + "threatintel.indicator.url.query": "vceuk7wl6=3p0", + "threatintel.indicator.url.scheme": "https", + "threatintel.recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + 
"threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, Mozi. Most recent link (Feb 14, 2021): https://ois8bq4.network.local/4lf?url=3f7c2", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2021-02-14T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 3524, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "z198hloc8.example.com", + "threatintel.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "threatintel.indicator.url.path": "/f8ih39/f6kou", + "threatintel.indicator.url.query": "f6-u3=uwhii", + "threatintel.indicator.url.scheme": "http", + "threatintel.recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "threatintel.recordedfuture.risk.criticality": 1, + 
"threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: @Sh1ttyKids. Most recent tweet: https://8g7zl.network.local/v5hcdo?url=efed5", + "mitigationString": "", + "rule": "Historically Reported as a Defanged URL", + "timestamp": "2020-06-24T12:01:33.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 4377, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "y484j-fb6.example.local", + "threatintel.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + "threatintel.indicator.url.path": "/b97s24xf/prz", + "threatintel.indicator.url.query": "sg-x1do=4myont", + "threatintel.indicator.url.scheme": "http", + "threatintel.recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont", + 
"threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: . Most recent link (Feb 14, 2021): https://w6l3t5s.network.local/dr2rg5o?url=7b29d", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2021-02-14T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 5272, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "sp2xyqq82.example.local", + "threatintel.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "threatintel.indicator.url.path": "/zxvm093/kat1rcz", + "threatintel.indicator.url.query": "vaev0aeod=rc0513", + "threatintel.indicator.url.scheme": "http", + "threatintel.recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": 
"https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, mips. Most recent link (Nov 16, 2020): https://0c39b.network.local/tcxah?url=0d1b9", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2020-11-16T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 6187, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "zh4o7xc.example.com", + "threatintel.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + "threatintel.indicator.url.path": "/-yiq/vg2whtxif", + "threatintel.indicator.url.query": "cb0-knk=s6poib5r", + "threatintel.indicator.url.scheme": "https", + "threatintel.recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + 
"threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, Mozi. Most recent link (May 15, 2021): https://i1-yo.network.local/8-w8hhq2p?url=f7769", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2021-05-15T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 7094, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "fiivf4s.example.org", + "threatintel.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "threatintel.indicator.url.path": "/8u2qi/86vfcfq7m", + "threatintel.indicator.url.query": "pfb2ensc0=h7imk8io2", + "threatintel.indicator.url.scheme": "http", + 
"threatintel.recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, mips. Most recent link (Feb 14, 2021): https://ysn.network.local/5p-09h7b?url=ff1c3", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2021-02-14T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + }, + { + "event.category": "threat", + "event.dataset": "threatintel.recordedfuture", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "event.risk_score": 5.0, + "event.type": "indicator", + "fileset.name": "recordedfuture", + "input.type": "log", + "log.offset": 8007, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "abav9v.example.org", + "threatintel.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "threatintel.indicator.url.path": "/gj93q/7fs7", + "threatintel.indicator.url.query": 
"kcq7=pjaj1", + "threatintel.indicator.url.scheme": "http", + "threatintel.recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "threatintel.recordedfuture.entity.type": "URL", + "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", + "threatintel.recordedfuture.risk.criticality": 1, + "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", + "threatintel.recordedfuture.risk.evidenceDetails": [ + { + "criticality": 1, + "criticalityLabel": "Unusual", + "evidenceString": "1 sighting on 1 source: URLHaus. Malware: elf, Mozi. Most recent link (Feb 14, 2021): https://j-8uc.network.local/2odpjhia?url=1a2ba", + "mitigationString": "", + "rule": "Historically Detected Malware Distribution", + "timestamp": "2021-02-14T00:00:00.000Z" + } + ], + "threatintel.recordedfuture.risk.riskString": "1/25", + "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "threatintel.recordedfuture.risk.rules": 1, + "threatintel.recordedfuture.risk.score": 5 + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled index d6e759e6a5cc..d8572327c51c 100644 --- a/x-pack/filebeat/modules.d/threatintel.yml.disabled +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled 
@@ -140,3 +140,35 @@
     #
     # var.ssl_certificate: path/to/server_ssl_cert.pem
     # var.ssl_key: path/to/ssl_key.pem
+
+  recordedfuture:
+    enabled: true
+
+    # Input used for ingesting threat intel data
+    var.input: httpjson
+
+    # The interval to poll the API for updates
+    var.interval: 5m
+
+    # How far back in time to start fetching intelligence when run for the
+    # first time. Value must be in hours. Default: 168h (1 week).
+    var.first_interval: 168h
+
+    # The URL used for Threat Intel API calls.
+    # Must include the `limit` parameter and at least `entity` and `timestamps` fields.
+    # See the Connect API Explorer for a list of possible parameters.
+    #
+    # For `ip` entities:
+    var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false"
+
+    # For `domain` entities:
+    # var.url: "https://api.recordedfuture.com/v2/domain/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false"
+
+    # For `hash` entities:
+    # var.url: "https://api.recordedfuture.com/v2/hash/search?limit=200&fields=entity,fileHashes,timestamps,risk,intelCard,location&metadata=false"
+
+    # For `url` entities:
+    # var.url: "https://api.recordedfuture.com/v2/url/search?limit=200&fields=entity,timestamps,risk&metadata=false"
+
+    # Set your API Token.
+    var.api_token: ""
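Review bot: The `var.api_token: ""` line at the end of the hunk steers users toward writing the Recorded Future API token in plaintext into modules.d/threatintel.yml, a file that is routinely committed to config repos and readable by anyone with access to the host; the comment should point at the Filebeat keystore instead, e.g. `# Set your API Token. Prefer the keystore (filebeat keystore add RF_API_TOKEN) over a literal value.` followed by `var.api_token: "${RF_API_TOKEN}"`. Separately, the `url` example requests only `fields=entity,timestamps,risk`, while the url fixtures added in this PR carry `intelCard` and the expected output maps it to `event.reference`; presumably `intelCard` should be added to that fields list as it is for the ip, domain and hash examples, or the comment should say why it is omitted for URLs. The surrounding `# var.ssl_*` context lines show the module already documents TLS options for other datasets, so it would be worth stating whether the same `var.ssl_*` settings apply to this dataset's httpjson input.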