[Filebeat][New Module] Threat intel module for filebeat #21795
Pinging @elastic/siem (Team:SIEM)
@FrankHassanabad and @leehinman Added in your comments, feel free to let me know if there's anything else we should change as well.
Looks like
Might be a good idea to use a convert to store it as a boolean so it doesn't have to be converted when used.
@P1llus - I have a threat intel ECS RFC in progress right now, and want to apply those ECS fields to this module. The mapping is available here: https://github.com/elastic/security-team/issues/177 . What's the best way to reconcile the mappings you have used with the ones in the RFC?
@shimonmodi If we want to support the ECS RFC for threat intel whenever we release the module then I don't mind converting it. I was just unsure if this RFC was complete enough yet to use; if it is, then I can convert this module before we proceed :)
Sorry about that @leehinman . I only updated the field mapping and didn't actually convert it. Added the update now. Hopefully everything else is alright? :)
Let's not merge it yet though, but good to know if it's "LGTM" or not!
LGTM
@P1llus - perfect, let's chat about it on Wednesday when we meet. My goal is to validate that the proposed ECS fields work for this feed and identify gaps.
I think I will leave this PR as draft for now; that way we can modify it a bit more while testing and discussing with different teams. There might be some breaking changes and temp content in here, so I think for any new content we can hold off new reviews for now.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
The module is now ready for review!
…wing for special characters
jenkins run tests please
Added some fixes above for general feedback received outside of the PR. All planned changes have been applied.
I reviewed the module, but not the data mappings. It looks like it's in good shape with the exception of a few really minor comments below. Before merging please create a ticket to track the work necessary to add automated integration tests for the httpjson side of the filesets.
LGTM
Co-authored-by: Adrian Serrano <[email protected]>
* initial MVP commit for threat intel module for filebeat
* Fixing typos based on PR comments
* adding converter for larted field
* adding concept for a new MISP module
* setting correct field type for misp group sharing id
* setting timestamp to age of attribute timestamp
* stashing initial support for AlienVault OTX
* add threatintel.otx to timestamp bypass for testing
* stashing upcoming changes for new httpjson format
* updating settings with pagination
* big overwrite of the whole module to fit the new TI ECS fields, add new test data, and make the ingest pipelines more sturdy
* update default url for anomali
* updating field names based on feedback
* final commit fixing certain bugs, adding the missing field mapping etc
* updating field definition, it had a duplicate field
* updating the anomali config to access the header in a safer way, allowing for special characters
* added stripping of null values and made sure it looked at the correct document field
* updating field mapping to default_field false
* updating default config descriptions
* disable default_field for top group
* updating changelog
* adding fallback for uri_parts when using older ES version
* updating test_modules to ignore timestamps
* adding support for uri_parts for all relevant ingest pipelines, and fallbacks
* updating default config templates and docs based on PR comments
* Update x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
Co-authored-by: Adrian Serrano <[email protected]>
* mage update
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit 70d00b9)
… for filebeat (#24039)
* [Filebeat][New Module] Threat intel module for filebeat (#21795) (cherry picked from commit 70d00b9)
* mage fmt update
What does this PR do?
This PR adds a new module for threat intel, using each TI source as a fileset.
Why is it important?
Adds the possibility to ingest threat intel data to be used for security use cases.
Checklist
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc
Resolves #23406