From 3311ec4c6cae508aa87b03526925f6703f131ff8 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 7 Oct 2020 16:44:28 -0500
Subject: [PATCH] Copy tag names from MISP data into events

For each tag in the MISP data copy the name attribute into the `tags` array.
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/misp/threat/config/pipeline.js | 14 +++++++++++++
 .../misp/threat/test/misp-test.json.log | 1 +
 .../test/misp-test.json.log-expected.json | 21 +++++++++++++++++++
 4 files changed, 37 insertions(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 63e8d97ee743..d173e88a4524 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -647,6 +647,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add SSL option to checkpoint module {pull}19560[19560]
 - Add max_number_of_messages config into s3 input. {pull}21993[21993]
 - Update Okta documentation for new stateful restarts. {pull}22091[22091]
+- Copy tag names from MISP data into events. {pull}21664[21664]
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/misp/threat/config/pipeline.js b/x-pack/filebeat/module/misp/threat/config/pipeline.js
index ff798a42d7f9..d5b2898b2fe0 100644
--- a/x-pack/filebeat/module/misp/threat/config/pipeline.js
+++ b/x-pack/filebeat/module/misp/threat/config/pipeline.js
@@ -37,6 +37,19 @@ var threat = (function () {
 ignore_missing: true,
 });
 
+ // Copy tag names from MISP event to tags field.
+ var copyTags = function (evt) {
+ var mispTags = evt.Get("json.Tag");
+ if (!mispTags) {
+ return;
+ }
+ mispTags.forEach(function (tag) {
+ if (tag.name) {
+ evt.AppendTo("tags", tag.name);
+ }
+ });
+ };
+
 var setAttackPattern = function (evt) {
 var indicator_type = evt.Get("json.type");
 var attackPattern;
@@ -202,6 +215,7 @@ var threat = (function () {
 .Add(setThreatFeedField)
 .Add(convertFields)
 .Add(setAttackPattern)
+ .Add(copyTags)
 .Build();
 return {
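Review bot: `copyTags` assumes `json.Tag` decodes to an array of objects, so a feed record whose `Tag` is a string or an object, or whose array contains a `null` element, makes `mispTags.forEach` or `tag.name` throw a TypeError, and the exception propagates out of the processor instead of the event merely lacking its tags. Since the value comes straight from the ingested feed, guard the shape before iterating: change the first check to `if (!Array.isArray(mispTags)) {` and the inner one to `if (tag && typeof tag.name === "string" && tag.name !== "") {`, which also keeps non-string `name` values out of `tags`. Whether `Array.isArray` recognises the Go-backed array the processor runtime exposes should be confirmed; `typeof mispTags.length === "number"` is the fallback check. The enclosing `threat` IIFE starts before the hunk, and the second hunk in this file only registers the new step on the pipeline builder.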
diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log
index cba6c830428f..3096e9ceaa7b 100644
--- a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log
+++ b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log
@@ -2,3 +2,4 @@
 {"id":"2","event_id":"2","object_id":"0","object_relation":null,"category":"Payload delivery","type":"md5","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"89357a1b2e32f2b9bddff94b8136810b","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81"}}
 {"id":"3","event_id":"3","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81"}}
 {"id":"4","event_id":"4","object_id":"0","object_relation":null,"category":"Bad Domain","type":"domain","to_ids":true,"uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"4","distribution":"3","id":"4","info":"OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman","orgc_id":"2","uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b"}}
+{"Galaxy":[],"ShadowAttribute":[],"Tag":[{"colour":"#eb2323","exportable":true,"hide_tag":false,"id":"966","local":0,"name":"critical-ioc-quarantine","numerical_value":null,"user_id":"1"}],"category":"Network 
activity","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"693","first_seen":null,"id":"170814","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1602078120","to_ids":false,"type":"url","uuid":"83078f8c-3d38-4fec-87a1-8be22a0be0a6","value":"endgame.hungmnguyen.us"}
diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json
index 163acbfd5448..7a1d9f95b409 100644
--- a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json
+++ b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json
@@ -105,5 +105,26 @@
 "rule.id": "4",
 "rule.uuid": "563b3ea6-b26c-401f-a68b-4d84950d210b",
 "service.type": "misp"
+ },
+ {
+ "@timestamp": "2020-10-07T13:42:00.000Z",
+ "event.category": "threat-intel",
+ "event.dataset": "misp.threat",
+ "event.id": "83078f8c-3d38-4fec-87a1-8be22a0be0a6",
+ "event.kind": "event",
+ "event.module": "misp",
+ "event.type": "indicator",
+ "fileset.name": "threat",
+ "input.type": "log",
+ "log.offset": 2149,
+ "message": "endgame.hungmnguyen.us",
+ "misp.threat_indicator.attack_pattern": "[url:full = 'endgame.hungmnguyen.us']",
+ "misp.threat_indicator.attack_pattern_kql": "url.full: \"endgame.hungmnguyen.us\"",
+ "misp.threat_indicator.feed": "misp",
+ "misp.threat_indicator.type": "url",
+ "rule.category": "Network activity",
+ "service.type": "misp",
+ "tags": "critical-ioc-quarantine",
+ "url.full": "endgame.hungmnguyen.us"
 }
 ]
\ No newline at end of file