Add attack_pattern_kql field to MISP threat indicators (#14470)

* Add attach_pattern_kql to MISP threat intel input

CHANGELOG.next.asciidoc

@@ -398,6 +398,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add more filesets to Zeek module. {pull}14150[14150]
 - Add `index` option to all inputs to directly set a per-input index value. {pull}14010[14010]
 - Remove beta flag for some filebeat modules. {pull}14374[14374]
+- Add attack_pattern_kql field to MISP threat indicators. {pull}14470[14470]
 
 *Heartbeat*
 - Add non-privileged icmp on linux and darwin(mac). {pull}13795[13795] {issue}11498[11498]

filebeat/docs/fields.asciidoc

@@ -11827,7 +11827,20 @@ The attack_pattern for this indicator is a STIX Pattern as specified in STIX Ver
 
 type: keyword
 
-example: [source.ip = '198.51.100.1/32']
+example: [destination:ip = '91.219.29.188/32']
+
+
+--
+
+*`misp.threat_indicator.attack_pattern_kql`*::
++
+--
+The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. 
+
+
+type: keyword
+
+example: destination.ip: "91.219.29.188/32"
 
 
 --

x-pack/filebeat/module/misp/threat/_meta/fields.yml

@@ -409,7 +409,15 @@
     description: >
       The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. 
     example: >
-      [source.ip = '198.51.100.1/32']
+      [destination:ip = '91.219.29.188/32']
+
+  - name: attack_pattern_kql
+    level: core
+    type: keyword
+    description: >
+      The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. 
+    example: >
+      destination.ip: "91.219.29.188/32"
 
   - name: negate
     level: core