
[Filebeat] Threat Intel Module - Adjust Anomali Fields #24746

Closed
peasead opened this issue Mar 24, 2021 · 5 comments · Fixed by #27141
peasead commented Mar 24, 2021

Describe the enhancement:

The Anomali dataset has fields that I think should be adjusted.

1. Move threatintel.anomali.labels to tags

```json
"anomali": {
...
      "labels": [
        "anomalous-activity",
        "threatstream-severity-low",
        "threatstream-confidence-100"
      ]
...
}
```

Possibly add in x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml?

```yaml
# rename processor: lift the Anomali labels array into the top-level ECS tags field
# (field path assumes the processor runs where the decoded object sits; if it runs
# after the object has been moved under threatintel.anomali, use that full path)
- rename:
    field: labels
    target_field: tags
    ignore_missing: true
```

2. Move threatintel.anomali.description.source to threatintel.indicator.provider

```json
"anomali": {
...
    "description": "TS ID: 56790822922; iType: bot_ip; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: Emerging Threats - Compromised",
...
}
```

So threatintel.indicator.provider: Emerging Threats - Compromised

Describe a specific use case for the enhancement or feature:
This would populate the tags field from this dataset the same way the MISP dataset is populated, and also populate the threatintel.indicator.provider field like the Abuse URL data does.
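The two transformations proposed above, worked through in Python as an added example (not code from the issue or from the Filebeat module): the "Key: value; Key: value" description string is parsed so the Source entry can be lifted into threatintel.indicator.provider, and the labels array is moved to tags. The event layout (the decoded record nested under threatintel.anomali) and the sample record are assumptions constructed from the snippets in the issue.

```python
import copy

# Constructed sample modelled on the record quoted in the issue (assumed layout:
# the decoded Anomali record sits under threatintel.anomali).
SAMPLE_EVENT = {
    "threatintel": {
        "anomali": {
            "labels": [
                "anomalous-activity",
                "threatstream-severity-low",
                "threatstream-confidence-100",
            ],
            "description": (
                "TS ID: 56790822922; iType: bot_ip; State: active; "
                "Org: Tencent Cloud Computing (Beijing) Co.; "
                "Source: Emerging Threats - Compromised"
            ),
        },
        "indicator": {"type": "ipv4-addr"},
    }
}


def parse_description(text):
    """Split the 'Key: value; Key: value' description into a dict.

    Values can contain spaces, parentheses and hyphens (e.g. the Source
    value), so split on ';' first and only on the first ':' of each part.
    """
    fields = {}
    for part in text.split(";"):
        if ":" not in part:
            continue  # ignore stray fragments such as a trailing ';'
        key, value = part.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def adjust_anomali(event):
    """Return a copy of the event with labels moved to tags and the
    description's Source value copied to threatintel.indicator.provider."""
    ev = copy.deepcopy(event)
    anomali = ev.get("threatintel", {}).get("anomali", {})
    labels = anomali.pop("labels", None)
    if labels:  # merge with any tags already on the event, without duplicates
        existing = ev.get("tags", [])
        ev["tags"] = existing + [l for l in labels if l not in existing]
    provider = parse_description(anomali.get("description", "")).get("Source")
    if provider:
        ev["threatintel"].setdefault("indicator", {})["provider"] = provider
    return ev
```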

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 24, 2021
@peasead peasead added Team:Security-External Integrations and removed needs_team Indicates that the issue/PR needs a Team:* label labels Mar 24, 2021
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@P1llus P1llus self-assigned this Apr 19, 2021
@legoguy1000

I can implement this if it's wanted.

peasead commented Jul 29, 2021

Yeah, I think any help would be appreciated.

@P1llus may have some unchecked-in code though, so I'll let him make the call.

P1llus commented Jul 29, 2021

Feel free @legoguy1000 :)

@legoguy1000

PR Ready

legoguy1000 added a commit to legoguy1000/beats that referenced this issue Aug 6, 2021
mergify bot pushed a commit that referenced this issue Aug 10, 2021
P1llus added a commit that referenced this issue Aug 21, 2021
mergify bot pushed a commit that referenced this issue Aug 21, 2021
P1llus pushed a commit that referenced this issue Aug 21, 2021